CVE-2017-13017/DHCPv6: Add a missing option length check.

This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
the-tcpdump-group · Sep 13, 2017 · 11b426e · 11b426e
1 parent c177cb3
commit 11b426e
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 0 deletions.
diff --git a/print-dhcp6.c b/print-dhcp6.c
@@ -518,6 +518,10 @@ dhcp6opt_print(netdissect_options *ndo,
 			ND_PRINT((ndo, "...)"));
 			break;
 		case DH6OPT_RECONF_MSG:
+			if (optlen != 1) {
+				ND_PRINT((ndo, " ?)"));
+				break;
+			}
 			tp = (const u_char *)(dh6o + 1);
 			switch (*tp) {
 			case DH6_RENEW:

diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -518,6 +518,7 @@ esis_snpa_asan-2	esis_snpa_asan-2.pcap		esis_snpa_asan-2.out	-v
 esis_snpa_asan-3	esis_snpa_asan-3.pcap		esis_snpa_asan-3.out	-v
 esis_snpa_asan-4	esis_snpa_asan-4.pcap		esis_snpa_asan-4.out	-v
 esis_snpa_asan-5	esis_snpa_asan-5.pcap		esis_snpa_asan-5.out	-v
+dhcp6_reconf_asan	dhcp6_reconf_asan.pcap		dhcp6_reconf_asan.out	-v
 
 # RTP tests
 # fuzzed pcap

diff --git a/tests/dhcp6_reconf_asan.out b/tests/dhcp6_reconf_asan.out
@@ -0,0 +1,2 @@
+IP (tos 0x60, ttl 254, id 21519, offset 0, flags [+, DF, rsvd], proto UDP (17), length 768, options (EOL), bad cksum 9615 (->c6f)!)
+    251.73.86.150.514 > 126.172.217.192.546: dhcp6 relay-reply (linkaddr=300:10ed:ff:f01:f:0:7f:7f peeraddr=ffb6:3a64::c1:2300:581c:d00 (reconfigure-message ?) (reconfigure-message ?))
diff --git a/tests/dhcp6_reconf_asan.pcap b/tests/dhcp6_reconf_asan.pcap