From: Guy Harris Date: Sat, 4 Jul 2015 01:07:35 +0000 (-0700) Subject: CVE-2016-7931/Add bounds and length checks. X-Git-Tag: tcpdump-4.9.0-bp~86 X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/69ead2a09cf7d0666c6a7ac12e47fd9743242c61 CVE-2016-7931/Add bounds and length checks. Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
---
diff --git a/print-mpls.c b/print-mpls.c
index 6d0539e6..f6ee434e 100644
--- a/print-mpls.c
+++ b/print-mpls.c
@@ -68,6 +68,10 @@ mpls_print(netdissect_options *ndo, const u_char *bp, u_int length)
 ND_PRINT((ndo, "MPLS"));
 do {
 ND_TCHECK2(*p, sizeof(label_entry));
+ if (length < sizeof(label_entry)) {
+ ND_PRINT((ndo, "[|MPLS], length %u", length));
+ return;
+ }
 label_entry = EXTRACT_32BITS(p);
 ND_PRINT((ndo, "%s(label %u",
 (label_stack_depth && ndo->ndo_vflag) ? "\n\t" : " ",
@@ -82,6 +86,7 @@ mpls_print(netdissect_options *ndo, const u_char *bp, u_int length)
 ND_PRINT((ndo, ", ttl %u)", MPLS_TTL(label_entry)));
 p += sizeof(label_entry);
+ length -= sizeof(label_entry);
 } while (!MPLS_STACK(label_entry));
 /*
@@ -124,6 +129,11 @@ mpls_print(netdissect_options *ndo, const u_char *bp, u_int length)
 * Cisco sends control-plane traffic MPLS-encapsulated in
 * this fashion.
 */
+ ND_TCHECK(*p);
+ if (length < 1) {
+ /* nothing to print */
+ return;
+ }
 switch(*p) {
 case 0x45:
diff --git a/tests/TESTLIST b/tests/TESTLIST
index e601f59a..d9751c90 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -391,3 +391,4 @@ llc-xid-heapoverflow llc-xid-heapoverflow.pcap llc-xid-heapoverflow.out -t -v -n
 udp-length-heapoverflow udp-length-heapoverflow.pcap udp-length-heapoverflow.out -t -v -n
 aarp-heapoverflow-1 aarp-heapoverflow-1.pcap aarp-heapoverflow-1.out -t -v -n
 aarp-heapoverflow-2 aarp-heapoverflow-2.pcap aarp-heapoverflow-2.out -t -v -n
+mpls-label-heapoverflow mpls-label-heapoverflow.pcap mpls-label-heapoverflow.out -t -v -n
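Review bot: The new `length -= sizeof(label_entry);` in the second print-mpls.c hunk cannot wrap below zero only because the `length < sizeof(label_entry)` guard added at the top of the same loop body in the first hunk has already returned, and that dependency is invisible from this hunk. A comment on the subtraction would keep a later reorder of the loop body from silently reintroducing the underflow, e.g. `length -= sizeof(label_entry); /* cannot underflow: checked against sizeof(label_entry) at the top of the loop */`. mpls_print continues on both sides of this hunk.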
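Review bot: In the third print-mpls.c hunk `ND_TCHECK(*p);` runs before the `length < 1` check, so a packet whose label stack ends exactly where the captured data ends (length already 0, nothing left to dissect) takes the truncation path instead of the quiet `/* nothing to print */` return that immediately follows. Checking the wire length first, `if (length < 1) return;` then `ND_TCHECK(*p);`, would reserve the truncation report for captures that are genuinely short of the advertised length. What the truncation path prints depends on the function's trunc label, which presumably lives outside the hunk, as do the `switch(*p)` cases and the rest of mpls_print.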
diff --git a/tests/mpls-label-heapoverflow.out b/tests/mpls-label-heapoverflow.out
new file mode 100644
index 00000000..1419cacf
--- /dev/null
+++ b/tests/mpls-label-heapoverflow.out
@@ -0,0 +1,2 @@
+MPLS (label 197379, exp 0, ttl 48)
+ (label 197387, exp 5, [S], ttl 48)[|MPLS]
diff --git a/tests/mpls-label-heapoverflow.pcap b/tests/mpls-label-heapoverflow.pcap
new file mode 100644
index 00000000..bafba4ff
Binary files /dev/null and b/tests/mpls-label-heapoverflow.pcap differ