From: Guy Harris
Date: Sun, 19 Feb 2017 22:19:32 +0000 (-0800)
Subject: CVE-2017-13002/AODV: Add some missing bounds checks.
X-Git-Tag: tcpdump-4.99-bp~1939
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/cbddb98484ea8ec1deece351abd56e063d775b38

CVE-2017-13002/AODV: Add some missing bounds checks. In aodv_extension() do a bounds check on the extension header before we look at it. This fixes a buffer over-read discovered by Kamil Frankowicz. Add a test using the capture file supplied by the reporter(s). While we're at it, add the RFC number, and check the validity of the length for the Hello extension.
---
diff --git a/print-aodv.c b/print-aodv.c
index 6cd0c9ea..fe75db86 100644
--- a/print-aodv.c
+++ b/print-aodv.c
@@ -42,7 +42,9 @@
 #include "addrtoname.h"
 #include "extract.h"
 
-
+/*
+ * RFC 3561
+ */
 struct aodv_rreq {
 	uint8_t rreq_type; /* AODV message type (1) */
 	uint8_t rreq_flags; /* various flags */
@@ -178,12 +180,17 @@ aodv_extension(netdissect_options *ndo,
 {
 	const struct aodv_hello *ah;
 
+	ND_TCHECK(*ep);
 	switch (ep->type) {
 	case AODV_EXT_HELLO:
 		ah = (const struct aodv_hello *)(const void *)ep;
 		ND_TCHECK(*ah);
 		if (length < sizeof(struct aodv_hello))
 			goto trunc;
+		if (ep->length < 4) {
+			ND_PRINT((ndo, "\n\text HELLO - bad length %u", ep->length));
+			break;
+		}
 		ND_PRINT((ndo, "\n\text HELLO %ld ms",
 		    (unsigned long)EXTRACT_32BITS(&ah->interval)));
 		break;
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 5d164a6b..358b5c27 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -459,6 +459,7 @@ hoobr_chdlc_print hoobr_chdlc_print.pcap hoobr_chdlc_print.out
 hoobr_lookup_nsap hoobr_lookup_nsap.pcap hoobr_lookup_nsap.out
 hoobr_rt6_print hoobr_rt6_print.pcap hoobr_rt6_print.out
 hoobr_nfs_printfh hoobr_nfs_printfh.pcap hoobr_nfs_printfh.out
+hoobr_aodv_extension hoobr_aodv_extension.pcap hoobr_aodv_extension.out
 
 # bad packets from Wilfried Kirsch
 slip-bad-direction slip-bad-direction.pcap slip-bad-direction.out -ve
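Review bot: The new guard in aodv_extension() compares `ep->length` against the bare literal 4, which is presumably the size of the Hello interval that EXTRACT_32BITS reads just below, but nothing in the code ties the two together; `if (ep->length < sizeof(ah->interval)) {` names the bound it enforces and keeps the check aligned with the struct if it ever changes. The unchanged print two lines further down still hands an `unsigned long` to `%ld`; since the commit is already editing this case, `"\n\text HELLO %lu ms"` would match the cast. The bad-length branch only leaves the switch, so what the caller later does with `ep->length` cannot be judged from this hunk, and aodv_extension() continues past the end of it.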
diff --git a/tests/hoobr_aodv_extension.out b/tests/hoobr_aodv_extension.out
new file mode 100644
index 00000000..79c81f56
--- /dev/null
+++ b/tests/hoobr_aodv_extension.out
@@ -0,0 +1,2 @@
+IP 48.48.48.48.654 > 48.48.48.48.12336: aodv rrep 12308 prefix 16 hops 48
+	dst 48.48.48.48 dseq 808464432 src 48.48.48.48 808464432 ms [|hello]
diff --git a/tests/hoobr_aodv_extension.pcap b/tests/hoobr_aodv_extension.pcap
new file mode 100644
index 00000000..b02ab050
Binary files /dev/null and b/tests/hoobr_aodv_extension.pcap differ