
Commit 0318fa8

guyharrisinfrastation
authored andcommitted
CVE-2017-12900/Properly terminate all struct tok arrays.
This fixes a buffer over-read discovered by Forcepoint's security researchers Otto Airamo & Antti Levomäki. Add tests using the capture files supplied by the reporter(s).
1 parent 2b62d1d commit 0318fa8

9 files changed

+87
-1
lines changed

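--- a/print-bgp.c
+++ b/print-bgp.c
@@ -900,6 +900,7 @@ static const struct tok bgp_multicast_vpn_route_type_values[] = {
 { BGP_MULTICAST_VPN_ROUTE_TYPE_SOURCE_ACTIVE, "Source-Active"},
 { BGP_MULTICAST_VPN_ROUTE_TYPE_SHARED_TREE_JOIN, "Shared Tree Join"},
 { BGP_MULTICAST_VPN_ROUTE_TYPE_SOURCE_TREE_JOIN, "Source Tree Join"},
+{ 0, NULL}
 };
 
 static int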
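Review bot: The `{ 0, NULL}` sentinel added after the `Source Tree Join` entry restores an invariant that is still kept only by hand. Going by the test names, these tables are walked by tok2str, which presumably stops at the entry whose string is NULL, so a table without one lets an unmatched packet value carry the scan past the end of the array. The same by-hand repair is made in print-lldp.c, print-lspping.c and print-zephyr.c, and nothing in the commit would catch the next unterminated `struct tok` table. I would mark the sentinel with a comment such as `{ 0, NULL} /* end of table: lookup stops at the NULL string */` and follow up with a build-time or CI check over all `struct tok` initializers. The array starts above the hunk, so its other entries are not visible here.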

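--- a/print-lldp.c
+++ b/print-lldp.c
@@ -590,6 +590,7 @@ static const struct tok lldp_evb_mode_values[]={
 { LLDP_EVB_MODE_EVB_BRIDGE, "EVB Bridge"},
 { LLDP_EVB_MODE_EVB_STATION, "EVB Staion"},
 { LLDP_EVB_MODE_RESERVED, "Reserved for future Standardization"},
+{ 0, NULL},
 };
 
 #define NO_OF_BITS 8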
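Review bot: The sentinel in `lldp_evb_mode_values` is written `{ 0, NULL},` with a trailing comma, while print-bgp.c and print-zephyr.c end theirs without one; the sentinel in print-lspping.c has the same trailing comma. A trailing comma invites a later entry to be appended after the sentinel, where a NULL-terminated scan would never reach it, so I would write `{ 0, NULL}` as the final element in all four tables. Separately, the context line above prints `"EVB Staion"`, which looks like a typo for `"EVB Station"`; fixing it would also mean regenerating any expected output that contains the string.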

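--- a/print-lspping.c
+++ b/print-lspping.c
@@ -104,6 +104,7 @@ static const struct tok lspping_return_code_values[] = {
 { 11, "No label entry at stack-depth"},
 { 12, "Protocol not associated with interface at FEC stack depth"},
 { 13, "Premature termination of ping due to label stack shrinking to a single label"},
+{ 0, NULL},
 };
 
 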
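--- a/print-zephyr.c
+++ b/print-zephyr.c
@@ -76,7 +76,8 @@ static const struct tok z_types[] = {
 { Z_PACKET_SERVACK, "serv-ack" },
 { Z_PACKET_SERVNAK, "serv-nak" },
 { Z_PACKET_CLIENTACK, "client-ack" },
-{ Z_PACKET_STAT, "stat" }
+{ Z_PACKET_STAT, "stat" },
+{ 0, NULL }
 };
 
 static char z_buf[256];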

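--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -456,6 +456,8 @@ icmp-cksum-oobr-1 icmp-cksum-oobr-1.pcap icmp-cksum-oobr-1.out -vvv -e
 icmp-cksum-oobr-2 icmp-cksum-oobr-2.pcap icmp-cksum-oobr-2.out -vvv -e
 icmp-cksum-oobr-3 icmp-cksum-oobr-3.pcap icmp-cksum-oobr-3.out -vvv -e
 icmp-cksum-oobr-4 icmp-cksum-oobr-4.pcap icmp-cksum-oobr-4.out -vvv -e
+tok2str-oobr-1 tok2str-oobr-1.pcap tok2str-oobr-1.out -vvv -e
+tok2str-oobr-2 tok2str-oobr-2.pcap tok2str-oobr-2.out -vvv -e
 
 # RTP tests
 # fuzzed pcap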
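Review bot: The two added entries exercise only two of the four repaired tables: tok2str-oobr-1.out is a BGP capture and tok2str-oobr-2.out an LSP-PING capture, so the sentinels added to `lldp_evb_mode_values` and `z_types` have no regression capture in this commit. A capture with an EVB mode outside the table and one with an unlisted Zephyr packet type, each listed with the same `-vvv -e` options, would pin those two fixes as well. It is also worth running the suite against an address-sanitizer build, because an over-read may not change the printed output and a plain output comparison could then still pass on a regression.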

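--- a/tests/tok2str-oobr-1.out
+++ b/tests/tok2str-oobr-1.out
@@ -0,0 +1,61 @@
+00:0c:29:31:85:a5 > 00:0c:29:ac:b9:50, ethertype IPv4 (0x0800), length 321: (tos 0xc0, ttl 254, id 20061, offset 0, flags [none], proto TCP (6), length 307)
+10.0.0.4.179 > 10.0.0.2.64588: Flags [P.], cksum 0x707c (incorrect -> 0x6883), seq 786752827:786753082, ack 3829861902, win 16357, options [nop,nop,TS val 6993003 ecr 4502201], length 255: BGP
+Update Message (2), length: 100
+Origin (1), length: 1, Flags [T]: IGP
+0x0000: 00
+AS Path (2), length: 0, Flags [T]: empty
+Local Preference (5), length: 4, Flags [T]: 100
+0x0000: 0000 0064
+Extended Community (16), length: 24, Flags [OT]:
+target (0x0002), Flags [none]: 1:1 (= 0.0.0.1)
+source-AS (0x0009), Flags [none]: AS 1
+unknown extd community typecode (0x010a), Flags [none]
+0x0000: 010a 0a00 0004 0006
+0x0000: 0002 0001 0000 0001 0009 0001 0000 0000
+0x0010: 010a 0a00 0004 0006
+Multi-Protocol Reach NLRI (14), length: 32, Flags [OE]:
+AFI: IPv4 (1), SAFI: labeled VPN Unicast (128)
+nexthop: RD: 0:0 (= 0.0.0.0), 10.0.0.4, nh-length: 12, no SNPA
+RD: 1:1 (= 0.0.0.1), 172.16.4.0/24, label:16 (bottom)
+0x0000: 0001 800c 0000 0000 0000 0000 0a00 0004
+0x0010: 0070 0001 0100 0000 0100 0000 01ac 1004
+Update Message (2), length: 95
+Origin (1), length: 1, Flags [T]: IGP
+0x0000: 00
+AS Path (2), length: 0, Flags [T]: empty
+Local Preference (5), length: 4, Flags [T]: 100
+0x0000: 0000 0064
+Extended Community (16), length: 8, Flags [OT]:
+target (0x0002), Flags [none]: 1:1 (= 0.0.0.1)
+0x0000: 0002 0001 0000 0001
+PMSI Tunnel (22), length: 17, Flags [OT]:
+Tunnel-type RSVP-TE P2MP LSP (1), Flags [none], MPLS Label 0
+Extended-Tunnel-ID 10.0.0.4, P2MP-ID 0x00008173
+0x0000: 0001 0000 000a 0000 0400 0081 730a 0000
+0x0010: 04
+Multi-Protocol Reach NLRI (14), length: 23, Flags [OE]:
+AFI: IPv4 (1), SAFI: Multicast VPN (5)
+nexthop: 10.0.0.4, nh-length: 4
+8 SNPA
+1 bytes
+0 bytes
+0 bytes
+0 bytes
+1 bytes
+0 bytes
+0 bytes
+1 bytes
+Route-Type: Unknown (0), length: 0
+Route-Type: Intra-AS Segment-Leaf (4), length: 255
+0x0000: 0001 0504 0a00 0004 0801 0c00 0000 0100
+0x0010: 0000 010a 0000 04
+Update Message (2), length: 30
+Multi-Protocol Unreach NLRI (15), length: 3, Flags [OE]:
+AFI: IPv4 (1), SAFI: labeled VPN Unicast (128)
+End-of-Rib Marker (empty NLRI)
+0x0000: 0001 80
+Update Message (2), length: 30
+Withdrawn routes: 1 bytes
+Unknown Attribute (0), length: 3, Flags [+f]:
+no Attribute 0 decoder
+0x0000: 0001 05[|BGP]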

Diff for: tests/tok2str-oobr-1.pcap

361 Bytes
Binary file not shown.

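--- a/tests/tok2str-oobr-2.out
+++ b/tests/tok2str-oobr-2.out
@@ -0,0 +1,19 @@
+01:01:01:01:01:01 > 02:02:02:02:02:02, ethertype MPLS unicast (0x8847), length 130: MPLS (label 16006, exp 0, [S], ttl 255)
+(tos 0x0, ttl 1, id 32770, offset 0, flags [DF, rsvd], proto UDP (17), length 112, options (RA), bad cksum a4cc (->a4cb)!)
+192.168.0.1.3503 > 127.0.0.1.3503: [bad udp cksum 0x8397 -> 0x3f6d!]
+LSP-PINGv1, msg-type: MPLS Echo Request (1), length: 80
+reply-mode: Reply via an IPv4/IPv6 UDP packet (2)
+Return Code: unknown (65)
+Return Subcode: (0)
+Sender Handle: 0x00000023, Sequence: 1
+Sender Timestamp: Receiver Timestamp: no timestamp
+Target FEC Stack TLV (1), length: 24
+Unknown subTLV (17), length: 20
+0x0000: 0000 0001 0000 0001 c0a8 0001 c0a8 0001
+0x0010: 0000 2712
+0x0000: 0011 0014 0000 0001 0000 0001 c0a8 0001
+0x0010: c0a8 0001 0000 2712
+Unknown TLV (268), length: 4
+0x0000: 0008 00c8
+Unknown TLV (523), length: 8
+0x0000: 0003 0004 c0a8 0104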

Diff for: tests/tok2str-oobr-2.pcap

170 Bytes
Binary file not shown.
