
Commit 061e737

guyharris authored and infrastation committed
CVE-2017-13689/IKEv1: Fix addr+subnet length check.
An IPv6 address plus subnet mask is 32 bytes, not 20 bytes. 16 bytes of IPv6 address, 16 bytes of subnet mask.

This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
1 parent 0cb1b8a commit 061e737
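The length arithmetic from the commit message, as an added example that is not tcpdump's own code: a model of the IPV6_ADDR_SUBNET branch of the ID payload printer with the length bound made a parameter, run over a constructed 24-byte payload and a constructed 32-byte one. With the old bound of 20 the 24-byte payload passes the check and the 16-byte mask read at offset 16 would run 8 bytes past the end of the data; with the bound of 32 it is rejected with the same message the fixed dissector prints. All function, constant and variable names here are my own, and the payload bytes are constructed rather than taken from the reporter's capture.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not tcpdump code: a model of the IKEv1 ID payload
 * IPV6_ADDR_SUBNET branch with the length check made a parameter, so the
 * vulnerable bound (20) and the fixed bound (32) can be run side by side. */

#define IN6_ADDR_LEN            16
#define ID_IPV6_ADDR_SUBNET_LEN (2 * IN6_ADDR_LEN)   /* 16 address + 16 mask */

enum id_status {
    ID_OK = 0,       /* address and mask fully inside the buffer */
    ID_BAD_LEN = 1,  /* rejected by the length check */
    ID_OVERREAD = 2  /* length check passed but a read would leave the buffer */
};

/* Count the leading one bits of a netmask; returns -1 if the mask is not
 * contiguous (a one bit after a zero bit). */
static int mask_to_prefix(const uint8_t *mask, size_t n)
{
    int prefix = 0, seen_zero = 0;
    for (size_t i = 0; i < n; i++) {
        for (int bit = 7; bit >= 0; bit--) {
            int b = (mask[i] >> bit) & 1;
            if (b && seen_zero)
                return -1;
            if (b)
                prefix++;
            else
                seen_zero = 1;
        }
    }
    return prefix;
}

/* Model of the dissector branch. `len` is the number of bytes of id data the
 * caller actually has; `min_len` is the bound the length check uses (20 in the
 * vulnerable code, 32 in the fix). Unlike the real dissector, every read is
 * checked against `len`, so an over-read is reported instead of performed. */
static enum id_status
print_id_ipv6_subnet(const uint8_t *data, size_t len, size_t min_len,
                     char *out, size_t outsz)
{
    if (len < min_len) {
        snprintf(out, outsz, "len=%zu [bad: < %zu]", len, min_len);
        return ID_BAD_LEN;
    }
    const uint8_t *addr = data;
    const uint8_t *mask = data + IN6_ADDR_LEN;   /* same offset as the original */
    /* The mask read touches bytes [16, 32); refuse if they are not present. */
    if (len < ID_IPV6_ADDR_SUBNET_LEN) {
        snprintf(out, outsz, "over-read: mask needs %d bytes, buffer has %zu",
                 ID_IPV6_ADDR_SUBNET_LEN, len);
        return ID_OVERREAD;
    }
    int prefix = mask_to_prefix(mask, IN6_ADDR_LEN);
    size_t pos = 0;
    for (int g = 0; g < 8; g++)   /* uncompressed hex groups, 42 chars max */
        pos += (size_t)snprintf(out + pos, outsz - pos, "%s%02x%02x",
                                g ? ":" : "", addr[2 * g], addr[2 * g + 1]);
    if (prefix >= 0)
        snprintf(out + pos, outsz - pos, "/%d", prefix);
    else
        snprintf(out + pos, outsz - pos, "/(non-contiguous mask)");
    return ID_OK;
}

/* Constructed sample payloads (not bytes from the reporter's capture). */
static const uint8_t FULL_PAYLOAD[32] = {
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01,          /* 2001:db8::1 */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0, 0, 0, 0, 0, 0, 0, 0  /* /64 mask */
};
/* 24 bytes: passes the old `< 20` check, fails the fixed `< 32` check. */
static const uint8_t SHORT_PAYLOAD[24] = {
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
};

static char g_out[96];

static enum id_status vulnerable_check_on_short_payload(void)
{
    return print_id_ipv6_subnet(SHORT_PAYLOAD, sizeof SHORT_PAYLOAD, 20,
                                g_out, sizeof g_out);
}

static enum id_status fixed_check_on_short_payload(void)
{
    return print_id_ipv6_subnet(SHORT_PAYLOAD, sizeof SHORT_PAYLOAD,
                                ID_IPV6_ADDR_SUBNET_LEN, g_out, sizeof g_out);
}

static const char *fixed_check_on_full_payload(void)
{
    print_id_ipv6_subnet(FULL_PAYLOAD, sizeof FULL_PAYLOAD,
                         ID_IPV6_ADDR_SUBNET_LEN, g_out, sizeof g_out);
    return g_out;
}

int main(void)
{
    enum id_status s = vulnerable_check_on_short_payload();
    printf("old bound, 24-byte payload: status %d (%s)\n", s, g_out);
    s = fixed_check_on_short_payload();
    printf("new bound, 24-byte payload: status %d (%s)\n", s, g_out);
    printf("new bound, 32-byte payload: %s\n", fixed_check_on_full_payload());
    return 0;
}
```

The second check inside `print_id_ipv6_subnet` is what the real dissector lacks: its only guard is the `len < N` comparison, so the value of N has to equal the number of bytes that are subsequently read, which is the whole content of this fix.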

4 files changed: +6 -2 lines changed

Diff for: print-isakmp.c

+2-2
@@ -1435,8 +1435,8 @@ ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
14351435
case IPSECDOI_ID_IPV6_ADDR_SUBNET:
14361436
{
14371437
const u_char *mask;
1438-
if (len < 20)
1439-
ND_PRINT((ndo," len=%d [bad: < 20]", len));
1438+
if (len < 32)
1439+
ND_PRINT((ndo," len=%d [bad: < 32]", len));
14401440
else {
14411441
mask = (const u_char *)(data + sizeof(struct in6_addr));
14421442
/*XXX*/
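Review bot: the new bound `if (len < 32)` is still a hand-typed number standing in for the bytes the code goes on to read (`mask = (const u_char *)(data + sizeof(struct in6_addr));` followed by a 16-byte mask), which is exactly how 20 went wrong; write it as `2 * sizeof(struct in6_addr)` so the check and the reads cannot drift apart again, and the `[bad: < 32]` text can be generated from the same constant. Note also that `len` is the length claimed by the payload header, so this comparison only validates the parse against the sender's own claim; whether the address and mask reads are additionally checked against the end of the captured buffer is not visible in this hunk, and the `/*XXX*/` left in the context suggests that part deserves a look in the same pass.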

Diff for: tests/TESTLIST

+1
@@ -577,6 +577,7 @@ cfm_sender_id-oobr cfm_sender_id-oobr.pcap cfm_sender_id-oobr.out -v -c1
577577
isis-extd-isreach-oobr isis-extd-isreach-oobr.pcap isis-extd-isreach-oobr.out -v -c4
578578
olsr-oobr-1 olsr-oobr-1.pcap olsr-oobr-1.out -v
579579
olsr-oobr-2 olsr-oobr-2.pcap olsr-oobr-2.out -v
580+
ikev1_id_ipv6_addr_subnet-oobr ikev1_id_ipv6_addr_subnet-oobr.pcap ikev1_id_ipv6_addr_subnet-oobr.out -v
580581

581582
# bad packets from Katie Holly
582583
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
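Review bot: the new `ikev1_id_ipv6_addr_subnet-oobr` entry is appended to the end of the preceding group of over-read tests, immediately before the `# bad packets from Katie Holly` header, so a reader scanning TESTLIST will file it under the wrong reporter; add a header comment for this batch (the commit message credits Bhargava Shastry, SecT/TU Berlin) or put the entry in its own block. The `-v` flag is consistent with the neighbouring `*-oobr` entries and with the expected-output file added in this commit.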

Diff for: tests/ikev1_id_ipv6_addr_subnet-oobr.out

+3
@@ -0,0 +1,3 @@
1+
IP (tos 0x0, ttl 100, id 40207, offset 0, flags [+, DF, rsvd], proto UDP (17), length 32808, bad cksum 8e7f (->bc78)!)
2+
16.0.128.20.500 > 12.251.0.45.0: isakmp 1.0 msgid 0d101010: phase 2/others ? #16[]:
3+
(id: idtype=IPv6net protoid=16 port=4112 len=24 [bad: < 32]) [|#145] (len mismatch: isakmp 4278190080/ip 4856)
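Review bot: line 3 of the expected output, `len=24 [bad: < 32]`, is the value that actually exercises the fix: 24 passed the old `< 20` comparison and then had the 16-byte mask read at offset 16 run 8 bytes past the payload, so this file will regress if the bound is ever lowered below 32 again. Consider a companion capture with a well-formed 32-byte IPv6 address/subnet id so the accepted path is covered too. The `bad cksum`, `[|#145]` and `(len mismatch: isakmp 4278190080/ip 4856)` on lines 1 and 3 show the capture is otherwise mangled, which is fine for a regression test but means the file should not be read as a sample of a valid exchange.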

Diff for: tests/ikev1_id_ipv6_addr_subnet-oobr.pcap

147 Bytes (binary file not shown)
