From: Francois-Xavier Le Bail
Date: Thu, 23 Mar 2017 23:55:18 +0000 (+0100)
Subject: CVE-2017-13036/OSPFv3: Add a bounds check before fetching data
X-Git-Tag: tcpdump-4.9.2~31
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/71d9d09c7ce0b7e5474d13036e7bf8131998b98d?hp=18fb255653bfba3353eba6b4581bca94074decd4
CVE-2017-13036/OSPFv3: Add a bounds check before fetching data
This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
---
diff --git a/print-ospf6.c b/print-ospf6.c
index e8a9dc6d..381fdbbf 100644
--- a/print-ospf6.c
+++ b/print-ospf6.c
@@ -735,6 +735,7 @@ ospf6_decode_v3(netdissect_options *ndo,
 case OSPF_TYPE_HELLO: {
 register const struct hello6 *hellop = (const struct hello6 *)((const uint8_t *)op + OSPF6HDR_LEN);
+ ND_TCHECK_32BITS(&hellop->hello_options);
 ND_PRINT((ndo, "\n\tOptions [%s]",
 bittok2str(ospf6_option_values, "none",
 EXTRACT_32BITS(&hellop->hello_options))));
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 1b405cc3..65d33188 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -546,6 +546,7 @@ pim_header_asan-2 pim_header_asan-2.pcap pim_header_asan-2.out -v
 pim_header_asan-3 pim_header_asan-3.pcap pim_header_asan-3.out -v
 ip6_frag_asan ip6_frag_asan.pcap ip6_frag_asan.out -v
 radius_attr_asan radius_attr_asan.pcap radius_attr_asan.out -v
+ospf6_decode_v3_asan ospf6_decode_v3_asan.pcap ospf6_decode_v3_asan.out -v
 # RTP tests
 # fuzzed pcap
diff --git a/tests/ospf6_decode_v3_asan.out b/tests/ospf6_decode_v3_asan.out
new file mode 100644
index 00000000..aef79e0a
--- /dev/null
+++ b/tests/ospf6_decode_v3_asan.out
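Review bot: The added ND_TCHECK_32BITS covers only the hello_options word, so any later reads of other hello6 fields in this case body (which continues past the end of the hunk) still need their own ND_TCHECK before their EXTRACT_* call, unless the rest of ospf6_decode_v3 already validates the fixed-size hello header — worth confirming there rather than relying on this single check. A short why-comment on the new line would help the next reader see that this is the first access past the OSPFv3 header and not a redundant check: `/* The Hello body may be truncated; bounds-check before reading the options word. */`. The new expected output ending in `[|ospf3]` shows the truncation path is now reached for the reporter's capture instead of an over-read, which is the intended effect of the fix and confirms a `trunc` target exists in the enclosing function.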
@@ -0,0 +1,2 @@
+IP6 (class 0x76, flowlabel 0xf6701, hlim 109, next-header OSPF (89) payload length: 30311) 6767:6780:6767:a102:4:b6:5853:f040 > 1000:a32:8847:1::116: OSPFv3, Hello, length 30311
+ Router-ID 1.1.0.34, Area 0.255.2.2, Instance 82 [|ospf3]
diff --git a/tests/ospf6_decode_v3_asan.pcap b/tests/ospf6_decode_v3_asan.pcap
new file mode 100644
index 00000000..2d50b9c1
Binary files /dev/null and b/tests/ospf6_decode_v3_asan.pcap differ