From: Francois-Xavier Le Bail
Date: Fri, 3 Nov 2017 15:32:30 +0000 (+0100)
Subject: (for 4.9.3) CVE-2018-14882/ICMP6 RPL: Add a missing bounds check
X-Git-Tag: tcpdump-4.9.3~67
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/d7505276842e85bfd067fa21cdb32b8a2dc3c5e4?hp=e01c9bf76740802025c9328901b55ee4a0c49ed6

(for 4.9.3) CVE-2018-14882/ICMP6 RPL: Add a missing bounds check

Moreover: Add and use *_tstr[] strings. Update four tests outputs accordingly. Fix a space. Wang Junjie of 360 ESG Codesafe Team had independently identified this vulnerability in 2018 by means of fuzzing and provided the packet capture file for the test.
---
diff --git a/print-icmp6.c b/print-icmp6.c
index b3b975e7..5cef0efa 100644
--- a/print-icmp6.c
+++ b/print-icmp6.c
@@ -41,6 +41,10 @@
 #include "udp.h"
 #include "ah.h"
+static const char icmp6_tstr[] = " [|icmp6]";
+static const char rpl_tstr[] = " [|rpl]";
+static const char mldv2_tstr[] = " [|mldv2]";
+
 /* NetBSD: icmp6.h,v 1.13 2000/08/03 16:30:37 itojun Exp */
 /* $KAME: icmp6.h,v 1.22 2000/08/03 15:25:16 jinmei Exp $ */
@@ -683,10 +687,11 @@ rpl_dio_printopt(netdissect_options *ndo,
 }
 opt = (const struct rpl_dio_genoption *)(((const char *)opt) + optlen);
 length -= optlen;
+ ND_TCHECK(opt->rpl_dio_len);
 }
 return;
 trunc:
- ND_PRINT((ndo," [|truncated]"));
+ ND_PRINT((ndo, "%s", rpl_tstr));
 return;
 }
@@ -715,7 +720,7 @@ rpl_dio_print(netdissect_options *ndo,
 }
 return;
 trunc:
- ND_PRINT((ndo," [|truncated]"));
+ ND_PRINT((ndo, "%s", rpl_tstr));
 return;
 }
@@ -756,7 +761,7 @@ rpl_dao_print(netdissect_options *ndo,
 return;
 trunc:
- ND_PRINT((ndo," [|truncated]"));
+ ND_PRINT((ndo, "%s", rpl_tstr));
 return;
 tooshort:
@@ -800,7 +805,7 @@ rpl_daoack_print(netdissect_options *ndo,
 return;
 trunc:
- ND_PRINT((ndo," [|dao-truncated]"));
+ ND_PRINT((ndo, "%s", rpl_tstr));
 return;
 tooshort:
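Review bot: The new `ND_TCHECK(opt->rpl_dio_len)` at the bottom of the loop in rpl_dio_printopt demands two captured bytes at the advanced `opt` even when the only remaining data is a single one-byte pad option, or when `length` has just been reduced to zero by the preceding `length -= optlen;`, so a packet whose options end exactly at the captured data is now reported as truncated. The rpl-19-pickdag.out and rpl-19-pickdagvvv.out updates in this same commit show the regression: a final `opt:pad0` disappears and ` [|rpl]` is printed in its place. A tighter guard keeps the fix for the out-of-bounds read while preserving the old output, e.g. `if (length == 0) return;` then `ND_TCHECK(opt->rpl_dio_type);` and, for non-pad options only, `if (opt->rpl_dio_type != RPL_OPT_PAD0) ND_TCHECK(opt->rpl_dio_len);`. The loop head and the earlier handling of `length` lie outside the hunk, so this assumes the while-condition still dereferences `opt->rpl_dio_type` before any bounds test, which is what the added check implies.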
@@ -859,7 +864,7 @@ rpl_print(netdissect_options *ndo,
 #if 0
 trunc:
- ND_PRINT((ndo," [|truncated]"));
+ ND_PRINT((ndo, "%s", rpl_tstr));
 return;
 #endif
@@ -1157,7 +1162,7 @@ icmp6_print(netdissect_options *ndo,
 ND_PRINT((ndo,", length %u", length));
 return;
 trunc:
- ND_PRINT((ndo, "[|icmp6]"));
+ ND_PRINT((ndo, "%s", icmp6_tstr));
 }
 static const struct udphdr *
@@ -1381,8 +1386,8 @@ icmp6_opt_print(netdissect_options *ndo, const u_char *bp, int resid)
 }
 return;
- trunc:
- ND_PRINT((ndo, "[ndp opt]"));
+trunc:
+ ND_PRINT((ndo, "%s", icmp6_tstr));
 return;
 #undef ECHECK
 }
@@ -1457,7 +1462,7 @@ mldv2_report_print(netdissect_options *ndo, const u_char *bp, u_int len)
 }
 return;
 trunc:
- ND_PRINT((ndo,"[|icmp6]"));
+ ND_PRINT((ndo, "%s", mldv2_tstr));
 return;
 }
@@ -1523,7 +1528,7 @@ mldv2_query_print(netdissect_options *ndo, const u_char *bp, u_int len)
 ND_PRINT((ndo,"]"));
 return;
 trunc:
- ND_PRINT((ndo,"[|icmp6]"));
+ ND_PRINT((ndo, "%s", mldv2_tstr));
 return;
 }
@@ -1810,7 +1815,7 @@ icmp6_nodeinfo_print(netdissect_options *ndo, u_int icmp6len, const u_char *bp,
 return;
 trunc:
- ND_PRINT((ndo, "[|icmp6]"));
+ ND_PRINT((ndo, "%s", icmp6_tstr));
 }
 static void
@@ -1945,7 +1950,7 @@ icmp6_rrenum_print(netdissect_options *ndo, const u_char *bp, const u_char *ep)
 return;
 trunc:
- ND_PRINT((ndo,"[|icmp6]"));
+ ND_PRINT((ndo, "%s", icmp6_tstr));
 }
 /*
diff --git a/tests/TESTLIST b/tests/TESTLIST
index a0bdabc3..9d96d29e 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -598,6 +598,7 @@ babel_update_oobr babel_update_oobr.pcap babel_update_oobr.out -c 52
 # bad packets from Junjie Wang
 ospf6_print_lshdr-oobr ospf6_print_lshdr-oobr.pcapng ospf6_print_lshdr-oobr.out -vv -c15
+rpl-dao-oobr rpl-dao-oobr.pcapng rpl-dao-oobr.out -vv -c1
 # RTP tests
 # fuzzed pcap
diff --git a/tests/icmp6_mobileprefix_asan.out b/tests/icmp6_mobileprefix_asan.out
index 0e0d97c3..889b1c8e 100644
--- a/tests/icmp6_mobileprefix_asan.out
+++ b/tests/icmp6_mobileprefix_asan.out
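Review bot: The `trunc:` label and its `ND_PRINT` in rpl_print sit inside an `#if 0` block, so switching that print to `rpl_tstr` changes nothing that compiles, and editing dead code in step with live code makes it look maintained when it is not. Either remove the `#if 0` block or leave it untouched until it is re-enabled. The rest of rpl_print is outside the hunk.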
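Review bot: In icmp6_opt_print the truncation marker drops from `[ndp opt]` to the generic `icmp6_tstr`, so a reader of the output can no longer tell that the cut happened inside an NDP option, whereas the same commit gives RPL and MLDv2 their own `rpl_tstr` and `mldv2_tstr`. For consistency with that approach, a dedicated string such as `static const char ndp_tstr[] = " [|ndp opt]";` used as `ND_PRINT((ndo, "%s", ndp_tstr));` would keep the lost information. The body of icmp6_opt_print begins outside the hunk.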
@@ -1,2 +1,2 @@
-IP6 (class 0x50, flowlabel 0x0002c, hlim 0, next-header ICMPv6 (58) payload length: 7168) 4f:f829:c:1a1a:1a1a:1a1a:1a37:0 > 16:0:400:0:64fb:9303:f293:8200: ICMP6, mobile router advertisement, length 7168, id 0x9393[|icmp6]
+IP6 (class 0x50, flowlabel 0x0002c, hlim 0, next-header ICMPv6 (58) payload length: 7168) 4f:f829:c:1a1a:1a1a:1a1a:1a37:0 > 16:0:400:0:64fb:9303:f293:8200: ICMP6, mobile router advertisement, length 7168, id 0x9393 [|icmp6]
 [|ether]
diff --git a/tests/icmp6_nodeinfo_oobr.out b/tests/icmp6_nodeinfo_oobr.out
index 0856ea2f..19db749f 100644
--- a/tests/icmp6_nodeinfo_oobr.out
+++ b/tests/icmp6_nodeinfo_oobr.out
@@ -1 +1 @@
-IP6 a072:7f00:1:7f00:1:e01a:17:6785 > c903::a002:8018:fe30:0:204: ICMP6, who-are-you reply[|icmp6], length 4
+IP6 a072:7f00:1:7f00:1:e01a:17:6785 > c903::a002:8018:fe30:0:204: ICMP6, who-are-you reply [|icmp6], length 4
diff --git a/tests/rpl-19-pickdag.out b/tests/rpl-19-pickdag.out
index d3c41eed..08899db0 100644
--- a/tests/rpl-19-pickdag.out
+++ b/tests/rpl-19-pickdag.out
@@ -1 +1 @@
-IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56) fe80::216:3eff:fe11:3424 > fe80::216:3eff:fe11:3424: [icmp6 sum ok] ICMP6, RPL, (CLR)Destination Advertisement Object [dagid:5431::,seq:10,instance:42,Dagid,40] opt:rpltarget len:25 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0
+IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56) fe80::216:3eff:fe11:3424 > fe80::216:3eff:fe11:3424: [icmp6 sum ok] ICMP6, RPL, (CLR)Destination Advertisement Object [dagid:5431::,seq:10,instance:42,Dagid,40] opt:rpltarget len:25 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 [|rpl]
diff --git a/tests/rpl-19-pickdagvvv.out b/tests/rpl-19-pickdagvvv.out
index deee0331..3db38343 100644
--- a/tests/rpl-19-pickdagvvv.out
+++ b/tests/rpl-19-pickdagvvv.out
@@ -1 +1 @@
-IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56) fe80::216:3eff:fe11:3424 > fe80::216:3eff:fe11:3424: [icmp6 sum ok] ICMP6, RPL, (CLR)Destination Advertisement Object [dagid:5431::,seq:10,instance:42,Dagid,40] opt:rpltarget len:25 0x0000: 0080 2001 0db8 0001 0000 0216 3eff fe11 0x0010: 3424 0000 0000 00 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0
+IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56) fe80::216:3eff:fe11:3424 > fe80::216:3eff:fe11:3424: [icmp6 sum ok] ICMP6, RPL, (CLR)Destination Advertisement Object [dagid:5431::,seq:10,instance:42,Dagid,40] opt:rpltarget len:25 0x0000: 0080 2001 0db8 0001 0000 0216 3eff fe11 0x0010: 3424 0000 0000 00 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 [|rpl]
diff --git a/tests/rpl-dao-oobr.out b/tests/rpl-dao-oobr.out
new file mode 100644
index 00000000..e410ee1a
--- /dev/null
+++ b/tests/rpl-dao-oobr.out
@@ -0,0 +1 @@
+IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56) fe80::216:3eff:fe11:3424 > fe80::216:3eff:fe11:3424: ICMP6, RPL, (CLR)Destination Advertisement Object [dagid:,seq:0,instance:42,00] opt:subopt:13 len:2 opt:subopt:128 len:15 opt:subopt:13 len:15 [|rpl]
diff --git a/tests/rpl-dao-oobr.pcapng b/tests/rpl-dao-oobr.pcapng
new file mode 100644
index 00000000..39e95a7e
Binary files /dev/null and b/tests/rpl-dao-oobr.pcapng differ