From: Francois-Xavier Le Bail Date: Tue, 17 Oct 2017 19:56:46 +0000 (+0200) Subject: (for 4.9.3) CVE-2018-14464/LMP: Add a missing bounds check X-Git-Tag: tcpdump-4.9.3~74 X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/d97e94223720684c6aa740ff219e0d19426c2220 (for 4.9.3) CVE-2018-14464/LMP: Add a missing bounds check In lmp_print_data_link_subobjs(). This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
---
diff --git a/print-lmp.c b/print-lmp.c
index 2edbb581..ee126a01 100644
--- a/print-lmp.c
+++ b/print-lmp.c
@@ -399,6 +399,7 @@ lmp_print_data_link_subobjs(netdissect_options *ndo, const u_char *obj_tptr,
 "Unknown", EXTRACT_8BITS(obj_tptr + offset + 3)), EXTRACT_8BITS(obj_tptr + offset + 3)));
+ ND_TCHECK_32BITS(obj_tptr + offset + 4);
 bw.i = EXTRACT_32BITS(obj_tptr+offset+4);
 ND_PRINT((ndo, "\n\t Min Reservable Bandwidth: %.3f Mbps", bw.f*8/1000000));
@@ -419,6 +420,8 @@ lmp_print_data_link_subobjs(netdissect_options *ndo, const u_char *obj_tptr,
 offset+=subobj_len;
 }
 return (hexdump);
+trunc:
+ return -1;
 }
 void
@@ -429,7 +432,7 @@ lmp_print(netdissect_options *ndo,
 const struct lmp_object_header *lmp_obj_header;
 const u_char *tptr,*obj_tptr;
 u_int tlen,lmp_obj_len,lmp_obj_ctype,obj_tlen;
- int hexdump;
+ int hexdump, ret;
 u_int offset;
 u_int link_type;
@@ -731,7 +734,10 @@ lmp_print(netdissect_options *ndo,
 ipaddr_string(ndo, obj_tptr+8), EXTRACT_32BITS(obj_tptr+8)));
- if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12))
+ ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12);
+ if (ret == -1)
+ goto trunc;
+ if (ret == TRUE)
 hexdump=TRUE;
 break;
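Review bot: The added `ND_TCHECK_32BITS(obj_tptr + offset + 4);` covers only the 4-byte read on the `bw.i = EXTRACT_32BITS(obj_tptr+offset+4);` line right after it, while the `EXTRACT_8BITS(obj_tptr + offset + 3)` reads in the context lines above execute first and rely on an earlier check that is not visible in this hunk, and any later fields of the same subobject would each need their own guard. A single check on the whole subobject before its fields are read, e.g. `ND_TCHECK2(*(obj_tptr + offset), subobj_len);` using the `subobj_len` that the loop later adds to `offset`, would keep the bound in one place instead of per field; whether that per-subobject length is already validated against the remaining object length should be confirmed in the surrounding code. lmp_print_data_link_subobjs starts and ends outside this hunk.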
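Review bot: The new `trunc:` / `return -1;` makes the return value a mix of the TRUE/FALSE `hexdump` flag and a -1 error sentinel, and nothing documents that for callers; a comment on the definition (which is outside this hunk), such as `/* Returns -1 if the packet is truncated, otherwise TRUE when the caller should hexdump the object and FALSE when it should not. */`, would make the `ret == -1` and `ret == TRUE` tests in lmp_print self-explanatory. The loop also advances only through the `offset+=subobj_len;` context line; if `subobj_len` is read from the packet and can be zero, the loop re-reads the same subobject and every ND_TCHECK on it passes again, so confirm a minimum-length check on `subobj_len` exists before the switch — it is not visible here. The enclosing loop and function start outside this hunk.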
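Review bot: The `ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12);` call passes `obj_tlen - 12` (and `obj_tlen - 36` in the hunk at -751, `obj_tlen - 12` again at -771) as the remaining length, and `obj_tlen` is declared `u_int` in the hunk at -429, so if no `obj_tlen >= 12` / `>= 36` check precedes each call (it would be outside these hunks) the subtraction wraps, and what the callee then does with it depends on its parameter type, which is also not visible here — worth confirming, since the new ND_TCHECK only catches reads past the captured buffer, not a wrong length. The `goto trunc;` in lmp_print assumes the function already has a `trunc:` label, which this diff does not add to lmp_print; confirm it exists. The same three-line sequence is repeated in all three hunks; `if (ret < 0) goto trunc; if (ret) hexdump = TRUE;` would read the same way without relying on the callee returning exactly TRUE. lmp_print starts and ends outside these hunks.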
@@ -751,7 +757,10 @@ lmp_print(netdissect_options *ndo,
 ip6addr_string(ndo, obj_tptr+20), EXTRACT_32BITS(obj_tptr+20)));
- if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 36, 36))
+ ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 36, 36);
+ if (ret == -1)
+ goto trunc;
+ if (ret == TRUE)
 hexdump=TRUE;
 break;
@@ -771,7 +780,10 @@ lmp_print(netdissect_options *ndo,
 EXTRACT_32BITS(obj_tptr+8), EXTRACT_32BITS(obj_tptr+8)));
- if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12))
+ ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12);
+ if (ret == -1)
+ goto trunc;
+ if (ret == TRUE)
 hexdump=TRUE;
 break;
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 5d379ea4..6ea71af1 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -560,6 +560,7 @@ vrrp-vrrp_print-oobr vrrp-vrrp_print-oobr.pcap vrrp-vrrp_print-oobr.out -v -c3
 vrrp-vrrp_print-oobr-2 vrrp-vrrp_print-oobr-2.pcap vrrp-vrrp_print-oobr-2.out -v
 bgp-bgp_capabilities_print-oobr-1 bgp-bgp_capabilities_print-oobr-1.pcap bgp-bgp_capabilities_print-oobr-1.out -v -c1
 bgp-bgp_capabilities_print-oobr-2 bgp-bgp_capabilities_print-oobr-2.pcap bgp-bgp_capabilities_print-oobr-2.out -v -c1
+lmp-lmp_print_data_link_subobjs-oobr lmp-lmp_print_data_link_subobjs-oobr.pcap lmp-lmp_print_data_link_subobjs-oobr.out -v -c2
 # The .pcap file is truncated after the 1st packet.
 hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1
 hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1
diff --git a/tests/lmp-lmp_print_data_link_subobjs-oobr.out b/tests/lmp-lmp_print_data_link_subobjs-oobr.out
new file mode 100644
index 00000000..6709b26b
--- /dev/null
+++ b/tests/lmp-lmp_print_data_link_subobjs-oobr.out
@@ -0,0 +1,22 @@
+IP (tos 0xfd,ECT(1), ttl 254, id 45839, offset 0, flags [+, DF, rsvd], proto UDP (17), length 56871, bad cksum fe07 (->ddf0)!)
+ 17.8.8.255.701 > 40.184.42.8.12:
+ LMPv1, msg-type: unknown, type: 249, Flags: [none], length: 212
+ Data Link Object (12), Class-Type: Unnumbered (3) Flags: [non-negotiable], length: 20
+ Flags: [none]
+ Local Interface ID: 2435832538 (0x912fdada)
+ Remote Interface ID: 3657433088 (0xda000000)
+ Subobject, Type: Interface Switching Type (1), Length: 4
+ Switching Type: Unknown (0)
+ Encoding Type: Unknown (0)
+ packet exceeded snapshot
+IP (tos 0xfd,ECT(1), ttl 254, id 45839, offset 0, flags [+, DF, rsvd], proto UDP (17), length 56871, bad cksum fe07 (->ddf0)!)
+ 17.8.8.255.701 > 40.184.42.8.12:
+ LMPv1, msg-type: unknown, type: 249, Flags: [none], length: 212
+ Data Link Object (12), Class-Type: Unnumbered (3) Flags: [non-negotiable], length: 20
+ Flags: [none]
+ Local Interface ID: 2435832538 (0x912fdada)
+ Remote Interface ID: 3657433088 (0xda000000)
+ Subobject, Type: Interface Switching Type (1), Length: 4
+ Switching Type: Unknown (0)
+ Encoding Type: Unknown (0)
+ packet exceeded snapshot
diff --git a/tests/lmp-lmp_print_data_link_subobjs-oobr.pcap b/tests/lmp-lmp_print_data_link_subobjs-oobr.pcap
new file mode 100644
index 00000000..d1a6ad99
Binary files /dev/null and b/tests/lmp-lmp_print_data_link_subobjs-oobr.pcap differ