From: Guy Harris
Date: Mon, 6 Feb 2017 19:24:42 +0000 (-0800)
Subject: CVE-2017-12987/IEEE 802.11: Fix processing of TIM IE.
X-Git-Tag: tcpdump-4.99-bp~1969
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/99798bd9a41bd3d03fdc1e949810a38967f20ed3?ds=inline
CVE-2017-12987/IEEE 802.11: Fix processing of TIM IE.
The arguments to memcpy() were completely wrong. This fixes a buffer over-read discovered by Kamil Frankowicz. Add a test using the capture file supplied by Brian 'geeknik' Carpenter.
---
diff --git a/print-802_11.c b/print-802_11.c
index 1bbe47ac..17c1f70c 100644
--- a/print-802_11.c
+++ b/print-802_11.c
@@ -1189,8 +1189,7 @@ parse_elements(netdissect_options *ndo,
 offset += 3;
 length -= 3;
- memcpy(tim.bitmap, p + (tim.length - 3),
- (tim.length - 3));
+ memcpy(tim.bitmap, p + offset + 3, tim.length - 3);
 offset += tim.length - 3;
 length -= tim.length - 3;
 /*
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 0829e90d..bfd58991 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -435,6 +435,7 @@ atm-heapoverflow atm-heapoverflow.pcap atm-heapoverflow.out -c1 -e
 ipv6-next-header-oobr-1 ipv6-next-header-oobr-1.pcap ipv6-next-header-oobr-1.out
 ipv6-next-header-oobr-2 ipv6-next-header-oobr-2.pcap ipv6-next-header-oobr-2.out
 ipv6-rthdr-oobr ipv6-rthdr-oobr.pcap ipv6-rthdr-oobr.out
+ieee802.11_tim_ie_oobr ieee802.11_tim_ie_oobr.pcap ieee802.11_tim_ie_oobr.out
 # bad packets from Kamil Frankowicz
 snmp-heapoverflow-1 snmp-heapoverflow-1.pcap snmp-heapoverflow-1.out
diff --git a/tests/ieee802.11_tim_ie_oobr.out b/tests/ieee802.11_tim_ie_oobr.out
new file mode 100644
index 00000000..52686837
--- /dev/null
+++ b/tests/ieee802.11_tim_ie_oobr.out
@@ -0,0 +1,4 @@
+ReAssoc Response AID(3030) : PRIVACY : n/a[|802.11]
+ReAssoc Response AID(3030) : PRIVACY : n/a[|802.11]
+[|802.11]
+ReAssoc Response AID(3030) : PRIVACY : n/a[|802.11]
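Review bot: The source pointer in the new `memcpy(tim.bitmap, p + offset + 3, tim.length - 3);` looks three bytes off: `offset` is already advanced by 3 on the line just above it, yet the copy starts a further 3 bytes in, while the `offset += tim.length - 3;` that follows accounts for bytes starting at `p + offset`. The bytes copied into the bitmap (offset+3 .. offset+tim.length) are therefore not the bytes the offset bookkeeping consumes (offset .. offset+tim.length-3), and the last three copied bytes fall outside any length check that covered only `tim.length` bytes of the element (that check, if present, is outside the hunk). Unless the three fixed fields ahead of the bitmap are meant to be skipped twice, the copy should read `memcpy(tim.bitmap, p + offset, tim.length - 3);`. It is also worth confirming that `tim.length - 3` is bounded by `sizeof(tim.bitmap)` before this point, since `tim.length` comes from the packet; the enclosing `case` and `parse_elements` both start and end outside the hunk.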
diff --git a/tests/ieee802.11_tim_ie_oobr.pcap b/tests/ieee802.11_tim_ie_oobr.pcap
new file mode 100644
index 00000000..bb05c81f
Binary files /dev/null and b/tests/ieee802.11_tim_ie_oobr.pcap differ