CVE-2017-13031/Check for the presence of the entire IPv6 fragment header.
authorGuy Harris <[email protected]>
Wed, 22 Mar 2017 21:55:12 +0000 (14:55 -0700)
committerDenis Ovsienko <[email protected]>
Sun, 3 Sep 2017 23:08:58 +0000 (00:08 +0100)
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.

Clean up some whitespace in tests/TESTLIST while we're at it.

print-frag6.c
tests/TESTLIST
tests/ip6_frag_asan.out [new file with mode: 0644]
tests/ip6_frag_asan.pcap [new file with mode: 0644]

index 03836adbb2d49d025753f901876ee358dd9c23f5..fbcabc5b00cdc82a97ca76e7f15ca94823f40561 100644 (file)
@@ -41,7 +41,7 @@ frag6_print(netdissect_options *ndo, register const u_char *bp, register const u
        dp = (const struct ip6_frag *)bp;
        ip6 = (const struct ip6_hdr *)bp2;
 
-       ND_TCHECK(dp->ip6f_offlg);
+       ND_TCHECK(*dp);
 
        if (ndo->ndo_vflag) {
                ND_PRINT((ndo, "frag (0x%08x:%d|%ld)",
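Review bot: The widened bounds check on the added line carries no comment saying why the whole fragment header, rather than just `ip6f_offlg`, must lie within the captured data, which is the substance of this fix and the thing most likely to be narrowed again by a later cleanup. Suggest placing `/* all of the fragment header is read below (offset/flags and, by the look of the format string, the identification), so check the whole struct */` immediately above `ND_TCHECK(*dp);`. The `ND_PRINT` on the last context line is presumably where those fields are consumed, but its arguments are outside the hunk, so that is inferred from the format string rather than from visible reads. frag6_print itself begins before the hunk and continues past it.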
index d51c7c69fa3f827452210d29e3cf3413352a1bb1..7c99555748c3162bee67d00204a269118c67fbb5 100644 (file)
@@ -533,9 +533,10 @@ isis_stlv_asan-4   isis_stlv_asan-4.pcap           isis_stlv_asan-4.out    -v
 lldp_mgmt_addr_tlv_asan        lldp_mgmt_addr_tlv_asan.pcap    lldp_mgmt_addr_tlv_asan.out     -v
 bootp_asan             bootp_asan.pcap                 bootp_asan.out          -v
 ppp_ccp_config_deflate_option_asan     ppp_ccp_config_deflate_option_asan.pcap ppp_ccp_config_deflate_option_asan.out  -v
-pim_header_asan                pim_header_asan.pcap            pim_header_asan.out             -v
-pim_header_asan-2      pim_header_asan-2.pcap          pim_header_asan-2.out           -v
-pim_header_asan-3      pim_header_asan-3.pcap          pim_header_asan-3.out           -v
+pim_header_asan                pim_header_asan.pcap            pim_header_asan.out     -v
+pim_header_asan-2      pim_header_asan-2.pcap          pim_header_asan-2.out   -v
+pim_header_asan-3      pim_header_asan-3.pcap          pim_header_asan-3.out   -v
+ip6_frag_asan          ip6_frag_asan.pcap              ip6_frag_asan.out       -v
 
 # RTP tests
 # fuzzed pcap
diff --git a/tests/ip6_frag_asan.out b/tests/ip6_frag_asan.out
new file mode 100644 (file)
index 0000000..2daba42
--- /dev/null
@@ -0,0 +1 @@
+IP6 (class 0x51, flowlabel 0xb2100, hlim 16, next-header Fragment (44) payload length: 27136) 452:22:19:0:41a:e4ff:10ff:484d > 2243:80:1400:100:19:ffff:ffff:fffb: [|frag]
diff --git a/tests/ip6_frag_asan.pcap b/tests/ip6_frag_asan.pcap
new file mode 100644 (file)
index 0000000..a99a22d
Binary files /dev/null and b/tests/ip6_frag_asan.pcap differ