Permalink
Browse files

CVE-2017-13017/DHCPv6: Add a missing option length check.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
  • Loading branch information...
guyharris authored and infrastation committed Mar 22, 2017
1 parent c177cb3 commit 11b426ee05eb62ed103218526f1fa616851c43ce
Showing with 7 additions and 0 deletions.
  1. +4 −0 print-dhcp6.c
  2. +1 −0 tests/TESTLIST
  3. +2 −0 tests/dhcp6_reconf_asan.out
  4. BIN tests/dhcp6_reconf_asan.pcap
View
@@ -518,6 +518,10 @@ dhcp6opt_print(netdissect_options *ndo,
ND_PRINT((ndo, "...)"));
break;
case DH6OPT_RECONF_MSG:
if (optlen != 1) {
ND_PRINT((ndo, " ?)"));
break;
}
tp = (const u_char *)(dh6o + 1);
switch (*tp) {
case DH6_RENEW:
View
@@ -518,6 +518,7 @@ esis_snpa_asan-2 esis_snpa_asan-2.pcap esis_snpa_asan-2.out -v
esis_snpa_asan-3 esis_snpa_asan-3.pcap esis_snpa_asan-3.out -v
esis_snpa_asan-4 esis_snpa_asan-4.pcap esis_snpa_asan-4.out -v
esis_snpa_asan-5 esis_snpa_asan-5.pcap esis_snpa_asan-5.out -v
dhcp6_reconf_asan dhcp6_reconf_asan.pcap dhcp6_reconf_asan.out -v
# RTP tests
# fuzzed pcap
@@ -0,0 +1,2 @@
IP (tos 0x60, ttl 254, id 21519, offset 0, flags [+, DF, rsvd], proto UDP (17), length 768, options (EOL), bad cksum 9615 (->c6f)!)
251.73.86.150.514 > 126.172.217.192.546: dhcp6 relay-reply (linkaddr=300:10ed:ff:f01:f:0:7f:7f peeraddr=ffb6:3a64::c1:2300:581c:d00 (reconfigure-message ?) (reconfigure-message ?))
Binary file not shown.

0 comments on commit 11b426e

Please sign in to comment.