From: Guy Harris
Date: Fri, 3 Jul 2015 23:47:12 +0000 (-0700)
Subject: CVE-2016-7975/Make sure we have the data offset field before fetching it.
X-Git-Tag: tcpdump-4.9.0-bp~91
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/ec88d36bcd0d6d0c706d9120183fc73e769a0ad5?hp=d9dbb118f2f9c09a8548a2b34a6573f611c0bcf7

CVE-2016-7975/Make sure we have the data offset field before fetching it.

Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
---
diff --git a/print-tcp.c b/print-tcp.c
index 3a89e8d3..f00ff325 100644
--- a/print-tcp.c
+++ b/print-tcp.c
@@ -189,8 +189,6 @@ tcp_print(netdissect_options *ndo,
 sport = EXTRACT_16BITS(&tp->th_sport);
 dport = EXTRACT_16BITS(&tp->th_dport);
- hlen = TH_OFF(tp) * 4;
-
 if (ip6) {
 if (ip6->ip6_nxt == IPPROTO_TCP) {
 ND_PRINT((ndo, "%s.%s > %s.%s: ",
@@ -215,14 +213,16 @@ tcp_print(netdissect_options *ndo,
 }
 }
+ ND_TCHECK(*tp);
+
+ hlen = TH_OFF(tp) * 4;
+
 if (hlen < sizeof(*tp)) {
 ND_PRINT((ndo, " tcp %d [bad hdr length %u - too short, < %lu]", length - hlen, hlen, (unsigned long)sizeof(*tp)));
 return;
 }
- ND_TCHECK(*tp);
-
 seq = EXTRACT_32BITS(&tp->th_seq);
 ack = EXTRACT_32BITS(&tp->th_ack);
 win = EXTRACT_16BITS(&tp->th_win);
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 9ec01426..15c50104 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -385,3 +385,4 @@ radiotap-heapoverflow radiotap-heapoverflow.pcap radiotap-heapoverflow.out -t -v
 isoclns-heapoverflow isoclns-heapoverflow.pcap isoclns-heapoverflow.out -t -v -n
 tcp-auth-heapoverflow tcp-auth-heapoverflow.pcap tcp-auth-heapoverflow.out -t -v -n
 atm-oam-heapoverflow atm-oam-heapoverflow.pcap atm-oam-heapoverflow.out -t -v -n
+tcp_header_heapoverflow tcp_header_heapoverflow.pcap tcp_header_heapoverflow.out -t -v -n
diff --git a/tests/tcp_header_heapoverflow.out b/tests/tcp_header_heapoverflow.out
new file mode 100644
index 00000000..0f830aba
--- /dev/null
+++ b/tests/tcp_header_heapoverflow.out
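Review bot: In the second print-tcp.c hunk the relocated `ND_TCHECK(*tp);` has no comment saying it must stay ahead of `hlen = TH_OFF(tp) * 4;`, yet that ordering is the entire fix, since TH_OFF() reads the data offset field from the packet buffer. I would add `/* The fixed TCP header must be within the captured data before TH_OFF() reads the data offset field. */` above the check so a later cleanup does not separate or reorder the two statements again. In the first hunk `sport` and `dport` are still extracted ahead of this check; whether those two reads are bounded depends on a test above the hunk that is not visible here, so that is worth confirming while touching this code. tcp_print starts and ends outside both hunks, and the place ND_TCHECK transfers control to on failure is not shown.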
@@ -0,0 +1,2 @@
+IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto TCP (6), length 12336, bad cksum 3030 (->69a8)!)
+ 48.48.48.48.12336 > 48.48.48.48.12336: [|tcp]
diff --git a/tests/tcp_header_heapoverflow.pcap b/tests/tcp_header_heapoverflow.pcap
new file mode 100644
index 00000000..54719963
Binary files /dev/null and b/tests/tcp_header_heapoverflow.pcap differ