From 192fabf4bd08e17b4be6f0283508b19adfa08afb Mon Sep 17 00:00:00 2001
From: Michael Richardson
Date: Sun, 15 Feb 2015 21:22:11 -0500
Subject: [PATCH] test case for cve2015-0261 -- corrupted IPv6 mobility header

Author: Michael Richardson

---
 print-mobility.c | 22 +++++++++++++++++++++-
 tests/TESTLIST | 14 ++++++++++++++
 tests/cve2015-0261-crash.out | 1 +
 tests/cve2015-0261-crash.pcap | Bin 0 -> 201 bytes
 tests/cve2015-0261-ipv6.out | 1 +
 tests/cve2015-0261-ipv6.pcap | Bin 0 -> 682 bytes
 6 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 tests/cve2015-0261-crash.out
 create mode 100644 tests/cve2015-0261-crash.pcap
 create mode 100644 tests/cve2015-0261-ipv6.out
 create mode 100644 tests/cve2015-0261-ipv6.pcap

diff --git a/print-mobility.c b/print-mobility.c
index 83447cff..b6fa61e9 100644
--- a/print-mobility.c
+++ b/print-mobility.c
@@ -69,6 +69,18 @@ struct ip6_mobility {
 #define IP6M_BINDING_UPDATE 5 /* Binding Update */
 #define IP6M_BINDING_ACK 6 /* Binding Acknowledgement */
 #define IP6M_BINDING_ERROR 7 /* Binding Error */
+#define IP6M_MAX 7
+
+static const unsigned ip6m_hdrlen[IP6M_MAX + 1] = {
+ IP6M_MINLEN, /* IP6M_BINDING_REQUEST */
+ IP6M_MINLEN + 8, /* IP6M_HOME_TEST_INIT */
+ IP6M_MINLEN + 8, /* IP6M_CAREOF_TEST_INIT */
+ IP6M_MINLEN + 16, /* IP6M_HOME_TEST */
+ IP6M_MINLEN + 16, /* IP6M_CAREOF_TEST */
+ IP6M_MINLEN + 4, /* IP6M_BINDING_UPDATE */
+ IP6M_MINLEN + 4, /* IP6M_BINDING_ACK */
+ IP6M_MINLEN + 16, /* IP6M_BINDING_ERROR */
+};
 
 /* XXX: unused */
 #define IP6MOPT_BU_MINLEN 10
@@ -95,16 +107,20 @@ mobility_opt_print(netdissect_options *ndo,
 unsigned i, optlen;
 
 for (i = 0; i < len; i += optlen) {
+ ND_TCHECK(bp[i]);
 if (bp[i] == IP6MOPT_PAD1)
 optlen = 1;
 else {
- if (i + 1 < len)
+ if (i + 1 < len) {
+ ND_TCHECK(bp[i + 1]);
 optlen = bp[i + 1] + 2;
+ }
 else
 goto trunc;
 }
 if (i + optlen > len)
 goto trunc;
+ ND_TCHECK(bp[i + optlen]);
 
 switch (bp[i]) {
 case IP6MOPT_PAD1:
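Review bot: `ip6m_hdrlen` is filled positionally, so each entry is right only while the IP6M_* type defines keep the consecutive values 0 to 7 in exactly this order, and only the last three of those defines are inside the hunk; nothing checks that correspondence at compile time. If the project's baseline allows C99, designated initialisers tie each length to its type, e.g. `[IP6M_BINDING_UPDATE] = IP6M_MINLEN + 4,`; otherwise a comment on the table, `/* indexed by ip6m_type; order must match the IP6M_* defines above */`, at least records the dependency. `IP6M_MAX` also has to move together with any future IP6M_* define, since a type above it silently skips the new length check in mobility_print; a note beside `#define IP6M_MAX 7` would say so. IP6M_MINLEN is defined outside the hunk.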
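Review bot: `ND_TCHECK(bp[i + optlen]);` after the `i + optlen > len` test checks the byte just past the current option, not the option's last byte, so when the option area ends exactly at the captured data a well-formed packet is reported as truncated (never unsafe, only over-strict). Checking the option's own bytes, `ND_TCHECK2(bp[i], optlen);`, covers exactly what the per-option cases read. The added checks on `bp[i]` and `bp[i + 1]` before they are dereferenced look correct. mobility_opt_print's signature and the rest of the switch lie outside the hunk, so whether each case still relies on its own length tests is not visible here.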
@@ -203,6 +219,10 @@ mobility_print(netdissect_options *ndo,
 
 ND_TCHECK(mh->ip6m_type);
 type = mh->ip6m_type;
+ if (type <= IP6M_MAX && mhlen < ip6m_hdrlen[type]) {
+ ND_PRINT((ndo, "(header length %u is too small for type %u)", mhlen, type));
+ goto trunc;
+ }
 switch (type) {
 case IP6M_BINDING_REQUEST:
 ND_PRINT((ndo, "mobility: BRR"));
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 472468c5..788d532d 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -267,3 +267,17 @@ geneve-tcp geneve.pcap geneve-tcp.out -t "geneve && tcp"
 # DHCP tests
 dhcp-rfc3004 dhcp-rfc3004.pcap dhcp-rfc3004-v.out -t -v
 dhcp-rfc5859 dhcp-rfc5859.pcap dhcp-rfc5859-v.out -t -v
+
+# bad packets from Kevin Day
+kday1 kday1.pcap kday1.out -t -v
+kday2 kday2.pcap kday2.out -t -v
+kday3 kday3.pcap kday3.out -t -v
+kday4 kday4.pcap kday4.out -t -v
+kday5 kday5.pcap kday5.out -t -v
+kday6 kday6.pcap kday6.out -t -v
+kday7 kday7.pcap kday7.out -t -v
+kday8 kday8.pcap kday8.out -t -v
+
+# bad packets from reversex86.
+cve2015-0261_01 cve2015-0261-ipv6.pcap cve2015-0261-ipv6.out -t -v
+cve2015-0261_02 cve2015-0261-crash.pcap cve2015-0261-crash.out -t -v
diff --git a/tests/cve2015-0261-crash.out b/tests/cve2015-0261-crash.out
new file mode 100644
index 00000000..1946280c
--- /dev/null
+++ b/tests/cve2015-0261-crash.out
@@ -0,0 +1 @@
+IP6 (class 0x03, flowlabel 0x03030, hlim 48, next-header Options (0) payload length: 12336) 3030:3030:3030:3030:3030:3030:3030:3030 > 130:3030:3030:3030:3030:3030:3030:3030: HBH [trunc] (header length 8 is too small for type 1)[|MOBILITY]
diff --git a/tests/cve2015-0261-crash.pcap b/tests/cve2015-0261-crash.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..c876c1ff7367664f8c530f67299cff7a455d5796
GIT binary patch
literal 201
zcmca|c+)}y5MTh4AO-^m1Ds>9kb!{#q5vijp%cIqLLE$&5ypVhb}%Ij=rU*uDdhqH
Dw^k-)

literal 0
HcmV?d00001

diff --git a/tests/cve2015-0261-ipv6.out b/tests/cve2015-0261-ipv6.out
new file mode 100644
index 00000000..5edcddac
--- /dev/null
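Review bot: The new check rejects a header whose own length field is smaller than the fixed part of its type via `goto trunc`, so a fully captured but malformed packet is reported with the same `[|MOBILITY]` marker as a short capture, and cve2015-0261-crash.out now pins that output; if the file has no separate invalid path, a comment should at least say this is a wire-validity check: `/* ip6m_len claims a header shorter than this type's fixed part; reject it before the per-type code below trusts mhlen */`. The `type <= IP6M_MAX` guard correctly bounds the table lookup and leaves unknown types to the switch as before. `mhlen` is computed from ip6m_len outside the hunk, so its signedness, and hence whether the comparison with the unsigned table entry and the `%u` format are clean, cannot be confirmed from here; mobility_print's body continues outside the hunk.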
+++ b/tests/cve2015-0261-ipv6.out @@ -0,0 +1 @@ +EXIT CODE 00000100 diff --git a/tests/cve2015-0261-ipv6.pcap b/tests/cve2015-0261-ipv6.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a8a32ba96b97b08762a5ca15ad1e9c75db015004 GIT binary patch literal 682 zcmca|c+)~A1{MYw`2U}Qfdk07yim~Y!DJSOlR!2Ir(*+Y?bt+-#aRFUXGP|xV>i@D zPU9s^8Q9Rl;0Bn35VSvnna;q#1`HNxNZ=d z0HGDY6p;A;2f_lm4eU^}+f#1ww8Uf>$%%q=ixL6&G1O?h1es=}d_{mu@m~V~B3P+< literal 0 HcmV?d00001 -- 2.39.5