(for 4.9.3) CVE-2018-14880/OSPFv3: Fix a bounds check

Need to test bounds check for the last field of the structure lsa6_hdr. No need to test other fields. Include Security working under the Mozilla SOS program had independently identified this vulnerability in 2018 by means of code audit. Wang Junjie of 360 ESG Codesafe Team had independently identified this vulnerability in 2018 by means of fuzzing and provided the packet capture file for the test.
the-tcpdump-group · Aug 27, 2019 · e01c9bf · e01c9bf
1 parent 5e0aca0
commit e01c9bf
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 2 deletions.
diff --git a/print-ospf6.c b/print-ospf6.c
@@ -389,8 +389,7 @@ ospf6_print_lshdr(netdissect_options *ndo,
 {
 	if ((const u_char *)(lshp + 1) > dataend)
 		goto trunc;
-	ND_TCHECK(lshp->ls_type);
-	ND_TCHECK(lshp->ls_seq);
+	ND_TCHECK(lshp->ls_length);	/* last field of struct lsa6_hdr */
 
 	ND_PRINT((ndo, "\n\t  Advertising Router %s, seq 0x%08x, age %us, length %u",
                ipaddr_string(ndo, &lshp->ls_router),

diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -596,6 +596,9 @@ icmp6_nodeinfo_oobr	icmp6_nodeinfo_oobr.pcap	icmp6_nodeinfo_oobr.out
 rx_ubik-oobr		rx_ubik-oobr.pcap		rx_ubik-oobr.out -c1
 babel_update_oobr	babel_update_oobr.pcap	babel_update_oobr.out	-c 52
 
+# bad packets from Junjie Wang
+ospf6_print_lshdr-oobr	ospf6_print_lshdr-oobr.pcapng	ospf6_print_lshdr-oobr.out	-vv -c15
+
 # RTP tests
 # fuzzed pcap
 rtp-seg-fault-1  rtp-seg-fault-1.pcap  rtp-seg-fault-1.out  -v -T rtp

diff --git a/tests/ospf6_print_lshdr-oobr.out b/tests/ospf6_print_lshdr-oobr.out
@@ -0,0 +1,59 @@
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 36) fe80::1 > ff02::5: OSPFv3, Hello, length 36
+	Router-ID 1.1.1.1, Area 0.0.0.1
+	Options [V6, External, Router]
+	  Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
+	  Neighbor List:
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 36) fe80::1 > ff02::5: OSPFv3, Hello, length 36
+	Router-ID 1.1.1.1, Area 0.0.0.1
+	Options [V6, External, Router]
+	  Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
+	  Neighbor List:
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 36) fe80::1 > ff02::5: OSPFv3, Hello, length 36
+	Router-ID 1.1.1.1, Area 0.0.0.1
+	Options [V6, External, Router]
+	  Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
+	  Neighbor List:
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 36) fe80::1 > ff02::5: OSPFv3, Hello, length 36
+	Router-ID 1.1.1.1, Area 0.0.0.1
+	Options [V6, External, Router]
+	  Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
+	  Neighbor List:
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 36) fe80::2 > ff02::5: OSPFv3, Hello, length 36
+	Router-ID 2.2.2.2, Area 0.0.0.1
+	Options [V6, External, Router]
+	  Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
+	  Neighbor List:
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 40) fe80::1 > ff02::5: OSPFv3, Hello, length 40
+	Router-ID 1.1.1.1, Area 0.0.0.1
+	Options [V6, External, Router]
+	  Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
+	  Designated Router 1.1.1.1
+	  Neighbor List: [|ospf3]
+IP6 (class 0xe0, flowlabel 0x00100, hlim 1, next-header OSPF (89) payload length: 28) fe80::2 > fe80::1: OSPFv3, Database Description, length 28
+	Router-ID 2.2.2.2, Area 0.0.0.1
+	Options [V6, External, Router], DD Flags [Init, More, Master], MTU 1500, DD-Sequence 0x00001d46
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 28) fe80::1 > fe80::2: OSPFv3, Database Description, length 28
+	Router-ID 1.1.1.1, Area 0.0.0.1
+	Options [V6, External, Router], DD Flags [Init, More, Master], MTU 1500, DD-Sequence 0x0000242c
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 168) fe80::1 > fe80::2: OSPFv3, Database Description, length 168
+	Router-ID 1.1.1.1, Area 0.0.0.1
+	Options [V6, External, Router], DD Flags [More], MTU 1500, DD-Sequence 0x00001d46 [|ospf3]
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 148) fe80::2 > fe80::1: OSPFv3, Database Description, length 148
+	Router-ID 2.2.2.2, Area 0.0.0.1
+	Options [V6, External, Router], DD Flags [More, Master], MTU 1500, DD-Sequence 0x00001d47 [|ospf3]
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 28) fe80::1 > fe80::2: OSPFv3, Database Description, length 28
+	Router-ID 1.1.1.1, Area 0.0.0.1
+	Options [V6, External, Router], DD Flags [none], MTU 1500, DD-Sequence 0x00001d47
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 100) fe80::2 > fe80::1: OSPFv3, LS-Request, length 100
+	Router-ID 2.2.2.2, Area 0.0.0.1
+	  Advertising Router 1.1.1.1
+	    Router LSA (1), Area Local Scope, LSA-ID 0.0.0.0 [|ospf3]
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 88) fe80::1 > fe80::2: OSPFv3, LS-Request, length 88
+	Router-ID 1.1.1.1, Area 0.0.0.1
+	  Advertising Router 2.2.2.2
+	    Router LSA (1), Area Local Scope, LSA-ID 0.0.0.0 [|ospf3]
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 28) fe80::2 > fe80::1: OSPFv3, Database Description, length 28
+	Router-ID 2.2.2.2, Area 0.0.0.1
+	Options [V6, External, Router], DD Flags [Master], MTU 1500, DD-Sequence 0x00001d48
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 288) fe80::1 > fe80:0:ff:ffff:f000::2: OSPFv3, LS-Update, length 288
+	Router-ID 1.1.1.1, Area 0.0.0.1 [|ospf3]
diff --git a/tests/ospf6_print_lshdr-oobr.pcapng b/tests/ospf6_print_lshdr-oobr.pcapng