From: Denis Ovsienko <denis@ovsienko.info>
Date: Thu, 3 Aug 2017 21:34:44 +0000 (+0100)
Subject: CVE-2017-13046/BGP: fix an existing bounds check for PMSI Tunnel
X-Git-Tag: tcpdump-4.9.2~18
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/75635529a8b4a6a29abda47b13ef7dfb2c18a3f3

CVE-2017-13046/BGP: fix an existing bounds check for PMSI Tunnel

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
---

diff --git a/print-bgp.c b/print-bgp.c
index 45f84469..3ee80c3d 100644
--- a/print-bgp.c
+++ b/print-bgp.c
@@ -2118,11 +2118,11 @@ bgp_attr_print(netdissect_options *ndo,
         {
                 uint8_t tunnel_type, flags;
 
+                ND_TCHECK2(tptr[0], 5);
                 tunnel_type = *(tptr+1);
                 flags = *tptr;
                 tlen = len;
 
-                ND_TCHECK2(tptr[0], 5);
                 ND_PRINT((ndo, "\n\t    Tunnel-type %s (%u), Flags [%s], MPLS Label %u",
                        tok2str(bgp_pmsi_tunnel_values, "Unknown", tunnel_type),
                        tunnel_type,
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 763374a2..2de9e934 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -560,6 +560,7 @@ hncp_dhcpv6data-oobr	hncp_dhcpv6data-oobr.pcap	hncp_dhcpv6data-oobr.out -v -c1
 # Same comments apply to the case below.
 hncp_dhcpv4data-oobr	hncp_dhcpv4data-oobr.pcap	hncp_dhcpv4data-oobr.out -v -c1
 vqp-oobr		vqp-oobr.pcap			vqp-oobr.out		-v -c1
+bgp_pmsi_tunnel-oobr	bgp_pmsi_tunnel-oobr.pcap	bgp_pmsi_tunnel-oobr.out -v -c1
 
 # bad packets from Katie Holly
 mlppp-oobr		mlppp-oobr.pcap			mlppp-oobr.out
diff --git a/tests/bgp_pmsi_tunnel-oobr.out b/tests/bgp_pmsi_tunnel-oobr.out
new file mode 100644
index 00000000..3b73c7a6
--- /dev/null
+++ b/tests/bgp_pmsi_tunnel-oobr.out
@@ -0,0 +1,11 @@
+IP (tos 0x0, ttl 254, id 40207, offset 0, flags [+, DF, rsvd], proto TCP (6), length 296, bad cksum 8e15 (->3eaa)!)
+    241.0.32.19.179 > 239.0.0.1.0: Flags [none], seq 2146695561:2146695813, win 56026, options [unknown-161,eol], length 252: BGP
+	Update Message (2), length: 45
+	  Withdrawn routes: 3 bytes
+	  Attribute Set (128), length: 7, Flags [OTPE+f]: 
+	    Origin AS: 4067
+	      Origin (1), length: 1EGP
+	      Unknown Attribute (19), length: 1, Flags [+1]: 
+	    no Attribute 19 decoder
+	    0x0000:  01
+	      PMSI Tunnel (22), length: 1, Flags [+1]: [|BGP]
diff --git a/tests/bgp_pmsi_tunnel-oobr.pcap b/tests/bgp_pmsi_tunnel-oobr.pcap
new file mode 100644
index 00000000..33cf660c
Binary files /dev/null and b/tests/bgp_pmsi_tunnel-oobr.pcap differ