
CVE-2017-13689/IKEv1: Fix addr+subnet length check.

An IPv6 address plus subnet mask is 32 bytes, not 20 bytes.
16 bytes of IPv6 address, 16 bytes of subnet mask.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
guyharris authored and infrastation committed Aug 24, 2017
1 parent 0cb1b8a commit 061e7371a944588f231cb1b66d6fb070b646e376
@@ -1435,8 +1435,8 @@ ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
case IPSECDOI_ID_IPV6_ADDR_SUBNET:
{
const u_char *mask;
if (len < 20)
ND_PRINT((ndo," len=%d [bad: < 20]", len));
if (len < 32)
ND_PRINT((ndo," len=%d [bad: < 32]", len));
else {
mask = (const u_char *)(data + sizeof(struct in6_addr));
/*XXX*/
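Review bot: the threshold change from `if (len < 20)` to `if (len < 32)` is the right bound, because the `else` branch sets `mask = (const u_char *)(data + sizeof(struct in6_addr))` and, per the commit message, then consumes a 16-byte subnet mask from there, so 16 + 16 = 32 bytes is the smallest payload this branch can read safely; under the old check a payload of 20 to 31 bytes was accepted and the mask read ran past its end. Consider expressing the bound as `2 * sizeof(struct in6_addr)` so it cannot drift from the structure size again, and the surviving `/*XXX*/` marker suggests the branch still deserves a comment stating what it parses.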
@@ -577,6 +577,7 @@ cfm_sender_id-oobr cfm_sender_id-oobr.pcap cfm_sender_id-oobr.out -v -c1
isis-extd-isreach-oobr isis-extd-isreach-oobr.pcap isis-extd-isreach-oobr.out -v -c4
olsr-oobr-1 olsr-oobr-1.pcap olsr-oobr-1.out -v
olsr-oobr-2 olsr-oobr-2.pcap olsr-oobr-2.out -v
ikev1_id_ipv6_addr_subnet-oobr ikev1_id_ipv6_addr_subnet-oobr.pcap ikev1_id_ipv6_addr_subnet-oobr.out -v

# bad packets from Katie Holly
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
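Review bot: the new entry `ikev1_id_ipv6_addr_subnet-oobr ikev1_id_ipv6_addr_subnet-oobr.pcap ikev1_id_ipv6_addr_subnet-oobr.out -v` is internally consistent (one base name shared by the test, the capture and the expected output) and `-v` matches the verbose decode the expected-output file records; unlike the neighbouring `-c1`/`-c4` entries it carries no packet-count limit, which is only correct if the capture holds just the single packet the .out file shows, so that should be confirmed before merge.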
@@ -0,0 +1,3 @@
IP (tos 0x0, ttl 100, id 40207, offset 0, flags [+, DF, rsvd], proto UDP (17), length 32808, bad cksum 8e7f (->bc78)!)
16.0.128.20.500 > 12.251.0.45.0: isakmp 1.0 msgid 0d101010: phase 2/others ? #16[]:
(id: idtype=IPv6net protoid=16 port=4112 len=24 [bad: < 32]) [|#145] (len mismatch: isakmp 4278190080/ip 4856)
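Review bot: the expected output exercises exactly the fixed check: `len=24 [bad: < 32]` is a payload the old `len < 20` test accepted, after which the 16-byte mask read starting at offset 16 ran 8 bytes beyond the payload; with the new bound it is rejected before any mask bytes are touched. The surrounding `bad cksum` and `len mismatch` diagnostics show the capture is a deliberately malformed packet, so this line also pins the literal rejection text and must be updated if the `[bad: < 32]` string is later derived from a constant.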
Binary file not shown.
