(for 4.9.3) CVE-2018-14469/ISAKMP: Add a missing bounds check
In ikev1_n_print() check bounds before trying to fetch the replay detection
status.

This fixes a buffer over-read discovered by Bhargava Shastry.

Add a test using the capture file supplied by the reporter(s).
fxlb committed Aug 18, 2019
1 parent c24922e commit 396e94f
Showing 4 changed files with 10 additions and 0 deletions.
1 change: 1 addition & 0 deletions print-isakmp.c
@@ -1769,6 +1769,7 @@ ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
}
case IPSECDOI_NTYPE_REPLAY_STATUS:
ND_PRINT((ndo," status=("));
ND_TCHECK_32BITS(cp);
ND_PRINT((ndo,"replay detection %sabled",
EXTRACT_32BITS(cp) ? "en" : "dis"));
ND_PRINT((ndo,")"));
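Review bot: The new ND_TCHECK_32BITS(cp) is placed immediately before EXTRACT_32BITS(cp), the 4-byte read it guards, so the over-read this hunk targets is closed at the right spot; it relies on ikev1_n_print() having the `trunc:` label that ND_TCHECK_* jumps to, which is consistent with the new expected output ending in `[|n]`. One documentation point: the title marks this as a change for 4.9.3, but the message does not cite the corresponding commit on the master branch; adding that hash would make the backport traceable.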
1 change: 1 addition & 0 deletions tests/TESTLIST
@@ -551,6 +551,7 @@ radius_attr_asan radius_attr_asan.pcap radius_attr_asan.out -v
ospf6_decode_v3_asan ospf6_decode_v3_asan.pcap ospf6_decode_v3_asan.out -v
ip_ts_opts_asan ip_ts_opts_asan.pcap ip_ts_opts_asan.out -v
isakmpv1-attr-oobr isakmpv1-attr-oobr.pcap isakmpv1-attr-oobr.out -v
isakmp-ikev1_n_print-oobr isakmp-ikev1_n_print-oobr.pcap isakmp-ikev1_n_print-oobr.out -v -c3
# The .pcap file is truncated after the 1st packet.
hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1
hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1
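Review bot: The new `isakmp-ikev1_n_print-oobr` entry is inserted directly above the comment `# The .pcap file is truncated after the 1st packet.`, which describes the following `hncp_*` entries (run with `-c1`), not this one (run with `-c3`); a reader could easily attach the comment to the wrong test. Placing the new line above `isakmpv1-attr-oobr`, or giving it its own comment explaining why three packets are needed (only the third one reaches the REPLAY-STATUS path), would avoid that.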
8 changes: 8 additions & 0 deletions tests/isakmp-ikev1_n_print-oobr.out
@@ -0,0 +1,8 @@
IP (tos 0x12,ECT(0), ttl 17, id 47119, offset 0, flags [+, DF, rsvd], proto UDP (17), length 296, bad cksum 1ff (->327b)!)
80.236.128.20.500 > 12.251.0.45.49152: isakmp 2.12 msgid 10101010: child_sa ikev2_auth[V]:
(n: doi=0 proto=128 type=#24577) [|#126] (len mismatch: isakmp 4278190080/ip 268)
IP (tos 0x12,ECT(0), ttl 17, id 21263, offset 72, flags [+, DF, rsvd], proto unknown (40), length 296, bad cksum fbff (->9847)!)
80.0.128.20 > 12.251.0.45: ip-proto-40
IP (tos 0x15,ECT(1), ttl 17, id 21263, offset 0, flags [+, DF, rsvd], proto UDP (17), length 296, bad cksum 1ff (->9864)!)
80.0.128.20.500 > 12.251.0.45.49152: isakmp 2.12 msgid 1010100b: child_sa ikev2_auth[V]:
(n: doi=ipsec proto=#16 type=REPLAY-STATUS spi=04 status=( [|n]) (len mismatch: isakmp 620756992/ip 268)
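Review bot: The expected output for the third packet ends with an unbalanced `status=( [|n]`, because `ND_PRINT((ndo," status=("))` runs before the new bounds check; if a clean truncated line is preferred, moving the ND_TCHECK_32BITS(cp) above that print would yield `[|n]` without the dangling parenthesis. Note also that only this third packet exercises the fixed code; the first two (one a fragment decoded as `ip-proto-40`) only add `bad cksum` and `len mismatch` diagnostics that any unrelated wording change in the IP or ISAKMP printers would alter.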
Binary file added tests/isakmp-ikev1_n_print-oobr.pcap