Commit 11b426e

guyharris authored and infrastation committed
CVE-2017-13017/DHCPv6: Add a missing option length check.
This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
1 parent c177cb3 commit 11b426e

4 files changed

+7
-0
lines changed

Diff for: print-dhcp6.c

+4
@@ -518,6 +518,10 @@ dhcp6opt_print(netdissect_options *ndo,
518518
ND_PRINT((ndo, "...)"));
519519
break;
520520
case DH6OPT_RECONF_MSG:
521+
if (optlen != 1) {
522+
ND_PRINT((ndo, " ?)"));
523+
break;
524+
}
521525
tp = (const u_char *)(dh6o + 1);
522526
switch (*tp) {
523527
case DH6_RENEW:
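
Review bot: the new `if (optlen != 1)` guard in the DH6OPT_RECONF_MSG case checks only the length declared in the option header, and nothing visible in this hunk shows that the byte read by `switch (*tp)` lies inside the captured data. Please confirm that dhcp6opt_print bounds-checks the option body against the capture earlier (for example with ND_TCHECK) before this case is reached, and if it does not, add that check next to this one. Separately, `ND_PRINT((ndo, " ?)"))` gives the reader no hint of why decoding stopped; printing the offending optlen would make a malformed option easier to recognise in output, and a one-line comment saying that the option body is a single msg-type byte would document why the check is `!= 1`.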

Diff for: tests/TESTLIST

+1
@@ -518,6 +518,7 @@ esis_snpa_asan-2 esis_snpa_asan-2.pcap esis_snpa_asan-2.out -v
518518
esis_snpa_asan-3 esis_snpa_asan-3.pcap esis_snpa_asan-3.out -v
519519
esis_snpa_asan-4 esis_snpa_asan-4.pcap esis_snpa_asan-4.out -v
520520
esis_snpa_asan-5 esis_snpa_asan-5.pcap esis_snpa_asan-5.out -v
521+
dhcp6_reconf_asan dhcp6_reconf_asan.pcap dhcp6_reconf_asan.out -v
521522

522523
# RTP tests
523524
# fuzzed pcap

Diff for: tests/dhcp6_reconf_asan.out

+2
@@ -0,0 +1,2 @@
1+
IP (tos 0x60, ttl 254, id 21519, offset 0, flags [+, DF, rsvd], proto UDP (17), length 768, options (EOL), bad cksum 9615 (->c6f)!)
2+
251.73.86.150.514 > 126.172.217.192.546: dhcp6 relay-reply (linkaddr=300:10ed:ff:f01:f:0:7f:7f peeraddr=ffb6:3a64::c1:2300:581c:d00 (reconfigure-message ?) (reconfigure-message ?))
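
Review bot: both options in the expected output on line 2 print as `(reconfigure-message ?)`, so this test exercises only the new rejection path. Consider adding a second capture with a well-formed reconfigure-message option of length 1, so the test suite also shows that the added `optlen != 1` check leaves normal decoding of the message type unchanged.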

Diff for: tests/dhcp6_reconf_asan.pcap

132 Bytes
Binary file not shown.
