From: Denis Ovsienko Date: Fri, 4 Aug 2017 16:15:07 +0000 (+0100) Subject: CVE-2017-13049/Rx: add a missing bounds check for Ubik X-Git-Tag: tcpdump-4.9.2~16 X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/f9812af2e4111c12a62355ea3dfdfa58f1cab6a9?hp=89dd93b636d479d82dd15115d6ddf7dfdebd735a CVE-2017-13049/Rx: add a missing bounds check for Ubik One of the case blocks in ubik_print() didn't check bounds before fetching 32 bits of packet data and could overread past the captured packet data by that amount. This fixes a buffer over-read discovered by Henri Salo from Nixu Corporation. Add a test using the capture file supplied by the reporter(s). --- diff --git a/print-rx.c b/print-rx.c index ea3a5e67..30528e99 100644 --- a/print-rx.c +++ b/print-rx.c @@ -2577,6 +2577,7 @@ ubik_print(netdissect_options *ndo, INTOUT(); ND_PRINT((ndo, " length")); INTOUT(); + ND_TCHECK_32BITS(bp); temp = EXTRACT_32BITS(bp); bp += sizeof(int32_t); tok2str(ubik_lock_types, "type %d", temp); diff --git a/tests/TESTLIST b/tests/TESTLIST index 80c5c147..af22ccce 100644 --- a/tests/TESTLIST +++ b/tests/TESTLIST @@ -570,6 +570,9 @@ mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out mptcp-dss-oobr mptcp-dss-oobr.pcap mptcp-dss-oobr.out -v icmp6_nodeinfo_oobr icmp6_nodeinfo_oobr.pcap icmp6_nodeinfo_oobr.out +# bad packets from Henri Salo +rx_ubik-oobr rx_ubik-oobr.pcap rx_ubik-oobr.out -c1 + # RTP tests # fuzzed pcap rtp-seg-fault-1 rtp-seg-fault-1.pcap rtp-seg-fault-1.out -v -T rtp diff --git a/tests/rx_ubik-oobr.out b/tests/rx_ubik-oobr.out new file mode 100644 index 00000000..f192432d --- /dev/null +++ b/tests/rx_ubik-oobr.out @@ -0,0 +1 @@ +IP truncated-ip - 2598 bytes missing! 222.241.104.198.3503 > 131.63.241.146.7002: rx data pt ubik call disk-lock tid 50266112.32382 file 2122216448 pos 545160708 length 1087685554 [|ubik] (2632) 
diff --git a/tests/rx_ubik-oobr.pcap b/tests/rx_ubik-oobr.pcap new file mode 100644 index 00000000..69caac90 Binary files /dev/null and b/tests/rx_ubik-oobr.pcap differ
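Review bot: In the print-rx.c hunk at ubik_print(), the context line `tok2str(ubik_lock_types, "type %d", temp);` just below the new `ND_TCHECK_32BITS(bp);` discards its return value. The 32-bit lock type is now fetched safely but never reaches the output, since tok2str() only returns a string. Consider printing it, for example `ND_PRINT((ndo, " %s", tok2str(ubik_lock_types, "type %d", temp)));`, so the field the new check protects is actually shown.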
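Review bot: In the tests/TESTLIST hunk, the comment `# bad packets from Henri Salo` names neither the CVE nor the dissector the capture is for, which makes the regression test hard to trace back to this fix. Suggest something like `# bad packets from Henri Salo (CVE-2017-13049, Rx/Ubik)`. Also note that the `-c1` option on the `rx_ubik-oobr` entry limits the run to the first packet, matching the single line in rx_ubik-oobr.out, so any further packets in the capture are not covered by this test.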