Skip to content

Commit 0cb1b8a

Browse files
guyharrisinfrastation
authored andcommitted
CVE-2017-13688/OLSR: Do bounds checks before we fetch data.
While we're at it, clean up some other bounds checks, so we check that we have a complete IPv4 message header if it's IPv4 and a complete IPv6 message header if it's IPv6. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add tests using the capture files supplied by the reporter(s).
1 parent 26b9567 commit 0cb1b8a

File tree

6 files changed

+33
-9
lines changed

6 files changed

+33
-9
lines changed

Diff for: print-olsr.c

+12-9
Original file line numberDiff line numberDiff line change
@@ -359,10 +359,9 @@ olsr_print(netdissect_options *ndo,
359359
} msgptr;
360360
int msg_len_valid = 0;
361361

362-
ND_TCHECK2(*tptr, sizeof(struct olsr_msg4));
363-
364362
if (is_ipv6)
365363
{
364+
ND_TCHECK2(*tptr, sizeof(struct olsr_msg6));
366365
msgptr.v6 = (const struct olsr_msg6 *) tptr;
367366
msg_type = msgptr.v6->msg_type;
368367
msg_len = EXTRACT_16BITS(msgptr.v6->msg_len);
@@ -393,6 +392,7 @@ olsr_print(netdissect_options *ndo,
393392
}
394393
else /* (!is_ipv6) */
395394
{
395+
ND_TCHECK2(*tptr, sizeof(struct olsr_msg4));
396396
msgptr.v4 = (const struct olsr_msg4 *) tptr;
397397
msg_type = msgptr.v4->msg_type;
398398
msg_len = EXTRACT_16BITS(msgptr.v4->msg_len);
@@ -616,22 +616,25 @@ olsr_print(netdissect_options *ndo,
616616

617617
case OLSR_NAMESERVICE_MSG:
618618
{
619-
u_int name_entries = EXTRACT_16BITS(msg_data+2);
620-
u_int addr_size = 4;
621-
int name_entries_valid = 0;
619+
u_int name_entries;
620+
u_int addr_size;
621+
int name_entries_valid;
622622
u_int i;
623623

624+
if (msg_tlen < 4)
625+
goto trunc;
626+
ND_TCHECK2(*msg_data, 4);
627+
628+
name_entries = EXTRACT_16BITS(msg_data+2);
629+
addr_size = 4;
624630
if (is_ipv6)
625631
addr_size = 16;
626632

633+
name_entries_valid = 0;
627634
if ((name_entries > 0)
628635
&& ((name_entries * (4 + addr_size)) <= msg_tlen))
629636
name_entries_valid = 1;
630637

631-
if (msg_tlen < 4)
632-
goto trunc;
633-
ND_TCHECK2(*msg_data, 4);
634-
635638
ND_PRINT((ndo, "\n\t Version %u, Entries %u%s",
636639
EXTRACT_16BITS(msg_data),
637640
name_entries, (name_entries_valid == 0) ? " (invalid)" : ""));

Diff for: tests/TESTLIST

+2
Original file line numberDiff line numberDiff line change
@@ -575,6 +575,8 @@ lldp_8023_mtu-oobr lldp_8023_mtu-oobr.pcap lldp_8023_mtu-oobr.out -v -c1
575575
bgp_vpn_rt-oobr bgp_vpn_rt-oobr.pcap bgp_vpn_rt-oobr.out -v -c1
576576
cfm_sender_id-oobr cfm_sender_id-oobr.pcap cfm_sender_id-oobr.out -v -c1
577577
isis-extd-isreach-oobr isis-extd-isreach-oobr.pcap isis-extd-isreach-oobr.out -v -c4
578+
olsr-oobr-1 olsr-oobr-1.pcap olsr-oobr-1.out -v
579+
olsr-oobr-2 olsr-oobr-2.pcap olsr-oobr-2.out -v
578580

579581
# bad packets from Katie Holly
580582
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out

Diff for: tests/olsr-oobr-1.out

+16
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,16 @@
1+
IP truncated-ip - 2315 bytes missing! (tos 0x0, ttl 18, id 4111, offset 0, flags [+, DF, rsvd], proto UDP (17), length 5373, bad cksum 8e7f (->9764)!)
2+
15.251.128.192.698 > 193.192.186.0.122: OLSRv4, seq 0x0800, length 2056
3+
Nameservice Message (0x82), originator 126.198.193.192, ttl 26, hop 145
4+
vtime 0.062s, msg-seq 0x0008, length 127[|olsr]
5+
IP truncated-ip - 2315 bytes missing! (tos 0x0, ttl 18, id 4111, offset 0, flags [+, DF, rsvd], proto UDP (17), length 5373, bad cksum 8e7f (->975f)!)
6+
16.0.128.192.698 > 193.192.186.0.122: OLSRv4, seq 0x0400, length 512
7+
Powerinfo Message (0x80), originator 0.1.0.0, ttl 255, hop 255
8+
vtime 0.500s, msg-seq 0x0000, length 9216 (invalid)
9+
IP truncated-ip - 2315 bytes missing! (tos 0x0, ttl 18, id 4111, offset 0, flags [+, DF, rsvd], proto UDP (17), length 5373, bad cksum 8e7f (->9764)!)
10+
15.251.128.192.698 > 193.192.186.0.122: OLSRv4, seq 0x0800, length 2056
11+
Nameservice Message (0x82), originator 126.198.193.192, ttl 26, hop 145
12+
vtime 0.062s, msg-seq 0x0008, length 100[|olsr]
13+
IP truncated-ip - 2315 bytes missing! (tos 0x0, ttl 18, id 4111, offset 0, flags [+, DF, rsvd], proto UDP (17), length 5373, bad cksum 8e7f (->975f)!)
14+
16.0.128.192.698 > 193.192.186.0.122: OLSRv4, seq 0x0800, length 2056
15+
Nameservice Message (0x82), originator 126.198.193.192, ttl 26, hop 145
16+
vtime 0.062s, msg-seq 0x5c50, length 185[|olsr]

Diff for: tests/olsr-oobr-1.pcap

332 Bytes
Binary file not shown.

Diff for: tests/olsr-oobr-2.out

+3
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
[|ether]
2+
[|ether]
3+
IP6 (flowlabel 0x06400, hlim 0, next-header UDP (17) payload length: 5401) 0:24::1e:a0a:141e.698 > 38fd:7f49:eaff:ffff:2025:7373:7562:2573.2: OLSRv6, seq 0x0201, length 5393[|olsr]

Diff for: tests/olsr-oobr-2.pcap

152 Bytes
Binary file not shown.

0 commit comments

Comments
 (0)