From: Guy Harris Date: Wed, 22 Mar 2017 02:40:51 +0000 (-0700) Subject: CVE-2017-13017/DHCPv6: Add a missing option length check. X-Git-Tag: tcpdump-4.9.2~60 X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/63c065b6e1198fdbe33786849069a7dcd0cd6ab9?hp=2bba46eaae87cc1711e2a3f291bcc7f53e44a7c1 CVE-2017-13017/DHCPv6: Add a missing option length check. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture. --- diff --git a/print-dhcp6.c b/print-dhcp6.c index 762d9187..cbb6d84a 100644 --- a/print-dhcp6.c +++ b/print-dhcp6.c @@ -518,6 +518,10 @@ dhcp6opt_print(netdissect_options *ndo, ND_PRINT((ndo, "...)")); break; case DH6OPT_RECONF_MSG: + if (optlen != 1) { + ND_PRINT((ndo, " ?)")); + break; + } tp = (const u_char *)(dh6o + 1); switch (*tp) { case DH6_RENEW: diff --git a/tests/TESTLIST b/tests/TESTLIST index 6b2ef957..ea600355 100644 --- a/tests/TESTLIST +++ b/tests/TESTLIST @@ -515,6 +515,7 @@ esis_snpa_asan-2 esis_snpa_asan-2.pcap esis_snpa_asan-2.out -v esis_snpa_asan-3 esis_snpa_asan-3.pcap esis_snpa_asan-3.out -v esis_snpa_asan-4 esis_snpa_asan-4.pcap esis_snpa_asan-4.out -v esis_snpa_asan-5 esis_snpa_asan-5.pcap esis_snpa_asan-5.out -v +dhcp6_reconf_asan dhcp6_reconf_asan.pcap dhcp6_reconf_asan.out -v # RTP tests # fuzzed pcap diff --git a/tests/dhcp6_reconf_asan.out b/tests/dhcp6_reconf_asan.out new file mode 100644 index 00000000..3f393734 --- /dev/null +++ b/tests/dhcp6_reconf_asan.out @@ -0,0 +1,2 @@ +IP (tos 0x60, ttl 254, id 21519, offset 0, flags [+, DF, rsvd], proto UDP (17), length 768, options (EOL), bad cksum 9615 (->c6f)!) + 251.73.86.150.514 > 126.172.217.192.546: dhcp6 relay-reply (linkaddr=300:10ed:ff:f01:f:0:7f:7f peeraddr=ffb6:3a64::c1:2300:581c:d00 (reconfigure-message ?) (reconfigure-message ?)) 
diff --git a/tests/dhcp6_reconf_asan.pcap b/tests/dhcp6_reconf_asan.pcap new file mode 100644 index 00000000..3eb6fe02 Binary files /dev/null and b/tests/dhcp6_reconf_asan.pcap differ
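Review bot: in the print-dhcp6.c hunk, under `case DH6OPT_RECONF_MSG:`, the new `optlen != 1` test validates the length the option declares, but nothing visible in the hunk confirms that the byte read by `switch (*tp)` lies within the captured data. If the enclosing function does not already bounds-check `optlen` bytes past the option header before reaching this case, add an `ND_TCHECK(*tp)` ahead of the dereference. Printing the offending length instead of a bare ` ?)` would help triage, and a one-line comment noting that the option body is read as a single byte would explain why every other length is rejected.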
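Review bot: in the tests/TESTLIST hunk, the `dhcp6_reconf_asan` entry is appended directly after the `esis_snpa_asan-5` line and before `# RTP tests`, so it reads as part of the ES-IS group. Consider moving it next to any existing DHCPv6 entries in the list, or giving it a short comment line of its own, so the regression test for this fix is easy to find.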
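Review bot: in tests/dhcp6_reconf_asan.out, the expected output covers only the rejection path, with `(reconfigure-message ?)` printed twice; nothing in this patch exercises a reconfigure-message option whose length is 1. A second capture with a well-formed option would show that the new check leaves the output for valid packets unchanged.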