(for 4.9.3) CVE-2018-16227/IEEE 802.11: add a missing bounds check

ieee802_11_print() tried to access the Mesh Flags subfield of the Mesh Control field to find the size of the latter and increment the expected 802.11 header length before checking it is fully present in the input buffer. Add an intermediate bounds check to make it safe. This fixes a buffer over-read discovered by Ryan Ackroyd. Add a test using the capture file supplied by the reporter(s).
the-tcpdump-group · Aug 27, 2019 · 4846b3c · 4846b3c
1 parent 83a412a
commit 4846b3c
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 0 deletions.
diff --git a/print-802_11.c b/print-802_11.c
@@ -2058,6 +2058,10 @@ ieee802_11_print(netdissect_options *ndo,
 		hdrlen = roundup2(hdrlen, 4);
 	if (ndo->ndo_Hflag && FC_TYPE(fc) == T_DATA &&
 	    DATA_FRAME_IS_QOS(FC_SUBTYPE(fc))) {
+		if (caplen < hdrlen + 1) {
+			ND_PRINT((ndo, "%s", tstr));
+			return hdrlen;
+		}
 		meshdrlen = extract_mesh_header_length(p+hdrlen);
 		hdrlen += meshdrlen;
 	} else

diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -602,6 +602,9 @@ ospf6_print_lshdr-oobr	ospf6_print_lshdr-oobr.pcapng	ospf6_print_lshdr-oobr.out
 rpl-dao-oobr		rpl-dao-oobr.pcapng		rpl-dao-oobr.out		-vv -c1
 hncp_prefix-oobr	hncp_prefix-oobr.pcapng		hncp_prefix-oobr.out		-vvv
 
+# bad packets from Ryan Ackroyd
+ieee802.11_meshhdr-oobr	ieee802.11_meshhdr-oobr.pcap	ieee802.11_meshhdr-oobr.out	-H -c1
+
 # RTP tests
 # fuzzed pcap
 rtp-seg-fault-1  rtp-seg-fault-1.pcap  rtp-seg-fault-1.out  -v -T rtp

diff --git a/tests/ieee802.11_meshhdr-oobr.out b/tests/ieee802.11_meshhdr-oobr.out
@@ -0,0 +1 @@
+3472328296059908144us tsft 24.0 Mb/s 12334 MHz Turbo 48dBm noise [|802.11][|802.11]
diff --git a/tests/ieee802.11_meshhdr-oobr.pcap b/tests/ieee802.11_meshhdr-oobr.pcap