From: Guy Harris
Date: Thu, 16 Mar 2017 18:25:40 +0000 (-0700)
Subject: CVE-2017-13014/White Board: Do more bounds checks.
X-Git-Tag: tcpdump-4.99-bp~1919
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/cc356512f512e7fa423b3674db4bb31dbe40ffec?ds=inline
CVE-2017-13014/White Board: Do more bounds checks.
This fixes a buffer over-read discovered by Yannick Formaggio. Add a test using the capture file supplied by the reporter(s). While we're at it, print a truncation error if the packets are truncated, rather than just, in effect, ignoring the result of the routines that print particular packet types.
---
diff --git a/print-wb.c b/print-wb.c
index 88857d96..c0df48d7 100644
--- a/print-wb.c
+++ b/print-wb.c
@@ -263,9 +263,8 @@ wb_prep(netdissect_options *ndo,
 	const u_char *ep = ndo->ndo_snapend;
 
 	ND_PRINT((ndo, " wb-prep:"));
-	if (len < sizeof(*prep)) {
+	if (len < sizeof(*prep) || !ND_TTEST(*prep))
 		return (-1);
-	}
 	n = EXTRACT_32BITS(&prep->pp_n);
 	ps = (const struct pgstate *)(prep + 1);
 	while (--n >= 0 && ND_TTEST(*ps)) {
@@ -419,31 +418,37 @@ wb_print(netdissect_options *ndo,
 	case PT_ID:
 		if (wb_id(ndo, (const struct pkt_id *)(ph + 1), len) >= 0)
 			return;
+		ND_PRINT((ndo, "%s", tstr));
 		break;
 
 	case PT_RREQ:
 		if (wb_rreq(ndo, (const struct pkt_rreq *)(ph + 1), len) >= 0)
 			return;
+		ND_PRINT((ndo, "%s", tstr));
 		break;
 
 	case PT_RREP:
 		if (wb_rrep(ndo, (const struct pkt_rrep *)(ph + 1), len) >= 0)
 			return;
+		ND_PRINT((ndo, "%s", tstr));
 		break;
 
 	case PT_DRAWOP:
 		if (wb_drawop(ndo, (const struct pkt_dop *)(ph + 1), len) >= 0)
 			return;
+		ND_PRINT((ndo, "%s", tstr));
 		break;
 
 	case PT_PREQ:
 		if (wb_preq(ndo, (const struct pkt_preq *)(ph + 1), len) >= 0)
 			return;
+		ND_PRINT((ndo, "%s", tstr));
 		break;
 
 	case PT_PREP:
 		if (wb_prep(ndo, (const struct pkt_prep *)(ph + 1), len) >= 0)
 			return;
+		ND_PRINT((ndo, "%s", tstr));
 		break;
 
 	default:
diff --git a/tests/TESTLIST b/tests/TESTLIST
index d69e9405..b16737cf 100644
--- a/tests/TESTLIST
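Review bot: After the new header check in wb_prep, `len` is never consulted again in the visible lines: the page-state walk `while (--n >= 0 && ND_TTEST(*ps))` is bounded by the snapshot end and by the packet-supplied count pp_n, not by the declared payload length, so a large pp_n can make the dissector print whatever captured bytes follow the wb PDU as page states. Memory safety is covered by ND_TTEST, but fidelity would improve by tracking the remaining length, e.g. `len -= sizeof(*prep);` after the check and `len >= sizeof(*ps)` added to the loop condition, with the loop body (outside this hunk) charging each pgstate and id_off record it consumes against `len`. The declaration of `n` also lies outside the hunk, so whether it is signed, which is what makes `--n >= 0` terminate for a pp_n of 2^31 or more, cannot be confirmed from here. Minor style point: the rewrite drops the braces around the single `return (-1);` that the original kept. wb_prep begins before this hunk.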
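Review bot: The `[|wb]` marker now printed through `tstr` in each case of wb_print fires on any negative return, but the callees return -1 both for a capture truncated before the sub-header (`!ND_TTEST(*prep)` in the first hunk) and for a declared length that is merely too short (`len < sizeof(*prep)`), so a malformed but fully captured packet is reported as if it were truncated, which the commit message does not describe. A comment at the first `ND_PRINT((ndo, "%s", tstr));` would at least make that explicit: `/* < 0: sub-header exceeds len or the snapshot; both are reported as tstr */`. On style, the same two lines are now repeated in six cases; storing the callee result in a local and printing once after the switch would remove the duplication, though the `default:` body lies outside the hunk so I cannot tell whether it would need excluding. `tstr` is not declared in the hunk; the new test output shows it expanding to `[|wb]`. wb_print begins before this hunk and its switch ends after it.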
+++ b/tests/TESTLIST
@@ -506,6 +506,7 @@ juniper_es juniper_es.pcap juniper_es.out -vvv -e
 # bad packets from Yannick Formaggio
 l2tp-avp-overflow l2tp-avp-overflow.pcap l2tp-avp-overflow.out -v
 pktap-heap-overflow pktap-heap-overflow.pcap pktap-heap-overflow.out -v
+wb-oobr wb-oobr.pcap wb-oobr.out -v
 
 # bad packets from Bhargava Shastry
 lldp_asan lldp_asan.pcap lldp_asan.out -v
diff --git a/tests/wb-oobr.out b/tests/wb-oobr.out
new file mode 100644
index 00000000..9f00e37d
--- /dev/null
+++ b/tests/wb-oobr.out
@@ -0,0 +1,18 @@
+MPLS (label 197376, exp 7, [S], ttl 48)
+ IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->7754)!)
+ 48.4.4.4.4400 > 127.0.0.1.3503:
+ packet exceeded snapshot
+IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->699d)!)
+ 48.48.48.48.3503 > 48.48.48.48.4567: * wb-prep:[|wb]
+MPLS (label 197376, exp 7, [S], ttl 48)
+ IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->699d)!)
+ 48.48.48.48.4400 > 48.48.48.48.3503:
+ packet exceeded snapshot
+IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->c624)!)
+ 48.48.0.1.3503 > 48.4.4.4.4567: * wb-prep:[|wb]
+MPLS (label 197376, exp 7, [S], ttl 48)
+ IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->7754)!)
+ 48.4.4.4.4400 > 127.0.0.1.3503:
+ packet exceeded snapshot
+IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->c624)!)
+ 48.48.0.1.3503 > 48.4.4.4.4567: * wb-prep:[|wb]
diff --git a/tests/wb-oobr.pcap b/tests/wb-oobr.pcap
new file mode 100644
index 00000000..577b1a0f
Binary files /dev/null and b/tests/wb-oobr.pcap differ