CVE-2017-13689/IKEv1: Fix addr+subnet length check.

An IPv6 address plus subnet mask is 32 bytes, not 20 bytes. 16 bytes of IPv6 address, 16 bytes of subnet mask. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
the-tcpdump-group · Sep 13, 2017 · 061e737 · 061e737
1 parent 0cb1b8a
commit 061e737
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 2 deletions.
diff --git a/print-isakmp.c b/print-isakmp.c
@@ -1435,8 +1435,8 @@ ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
 		case IPSECDOI_ID_IPV6_ADDR_SUBNET:
 		    {
 			const u_char *mask;
-			if (len < 20)
-				ND_PRINT((ndo," len=%d [bad: < 20]", len));
+			if (len < 32)
+				ND_PRINT((ndo," len=%d [bad: < 32]", len));
 			else {
 				mask = (const u_char *)(data + sizeof(struct in6_addr));
 				/*XXX*/

diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -577,6 +577,7 @@ cfm_sender_id-oobr	cfm_sender_id-oobr.pcap	cfm_sender_id-oobr.out	-v -c1
 isis-extd-isreach-oobr	isis-extd-isreach-oobr.pcap	isis-extd-isreach-oobr.out -v -c4
 olsr-oobr-1		olsr-oobr-1.pcap		olsr-oobr-1.out	-v
 olsr-oobr-2		olsr-oobr-2.pcap		olsr-oobr-2.out	-v
+ikev1_id_ipv6_addr_subnet-oobr	ikev1_id_ipv6_addr_subnet-oobr.pcap	ikev1_id_ipv6_addr_subnet-oobr.out	-v
 
 # bad packets from Katie Holly
 mlppp-oobr		mlppp-oobr.pcap			mlppp-oobr.out

diff --git a/tests/ikev1_id_ipv6_addr_subnet-oobr.out b/tests/ikev1_id_ipv6_addr_subnet-oobr.out
@@ -0,0 +1,3 @@
+IP (tos 0x0, ttl 100, id 40207, offset 0, flags [+, DF, rsvd], proto UDP (17), length 32808, bad cksum 8e7f (->bc78)!)
+    16.0.128.20.500 > 12.251.0.45.0: isakmp 1.0 msgid 0d101010: phase 2/others ? #16[]:
+    (id: idtype=IPv6net protoid=16 port=4112 len=24 [bad: < 32]) [|#145] (len mismatch: isakmp 4278190080/ip 4856)
diff --git a/tests/ikev1_id_ipv6_addr_subnet-oobr.pcap b/tests/ikev1_id_ipv6_addr_subnet-oobr.pcap