(for 4.9.3) CVE-2018-14462/ICMP: Add a missing bounds check
In icmp_print().

This fixes a buffer over-read discovered by Bhargava Shastry.

Add two tests using the capture files supplied by the reporter(s).
fxlb committed Aug 18, 2019
1 parent e5ec0d6 commit 1a1bce0
Showing 6 changed files with 15 additions and 0 deletions.
1 change: 1 addition & 0 deletions print-icmp.c
Expand Up @@ -564,6 +564,7 @@ icmp_print(netdissect_options *ndo, const u_char *bp, u_int plen, const u_char *
vec[0].len = plen;
sum = in_cksum(vec, 1);
if (sum != 0) {
ND_TCHECK_16BITS(&dp->icmp_cksum);
uint16_t icmp_sum = EXTRACT_16BITS(&dp->icmp_cksum);
ND_PRINT((ndo, " (wrong icmp cksum %x (->%x)!)",
icmp_sum,
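Review bot: The new ND_TCHECK_16BITS(&dp->icmp_cksum) sits inside the `if (sum != 0)` branch, after `sum = in_cksum(vec, 1)` has already run over plen bytes, so it guards only the EXTRACT_16BITS read on the mismatch path. The two expected-output files added in this commit show ICMP lengths of 3 and 2, shorter than the 4 bytes that type, code and checksum occupy, so consider rejecting a plen that does not reach the end of icmp_cksum before the checksum is computed at all, and add a one-line comment saying why the field can lie past the captured data at this point. Separately, the declaration of icmp_sum now follows a statement inside the block; if the tree is still expected to build with C89 compilers, declare icmp_sum at the top of the block and assign it after the check.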
2 changes: 2 additions & 0 deletions tests/TESTLIST
Expand Up @@ -553,6 +553,8 @@ ip_ts_opts_asan ip_ts_opts_asan.pcap ip_ts_opts_asan.out -v
isakmpv1-attr-oobr isakmpv1-attr-oobr.pcap isakmpv1-attr-oobr.out -v
isakmp-ikev1_n_print-oobr isakmp-ikev1_n_print-oobr.pcap isakmp-ikev1_n_print-oobr.out -v -c3
ldp-ldp_tlv_print-oobr ldp-ldp_tlv_print-oobr.pcap ldp-ldp_tlv_print-oobr.out -v -c1
icmp-icmp_print-oobr-1 icmp-icmp_print-oobr-1.pcap icmp-icmp_print-oobr-1.out -v -c3
icmp-icmp_print-oobr-2 icmp-icmp_print-oobr-2.pcap icmp-icmp_print-oobr-2.out -v -c3
# The .pcap file is truncated after the 1st packet.
hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1
hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1
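Review bot: icmp-icmp_print-oobr-1 is run with -c3, but its expected output has the ICMP packet first, followed by a VRRP packet and an unknown-ethertype frame, so the test also pins the output of printers unrelated to this fix. If the first packet is the one that exercises the new check, -c1 would keep the test focused on icmp_print(); -c3 is needed only for icmp-icmp_print-oobr-2, where the ICMP packet is the third one printed. The two entries are also inserted directly above the "# The .pcap file is truncated after the 1st packet." comment, so check that the comment still reads as applying only to the entries it was written for.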
7 changes: 7 additions & 0 deletions tests/icmp-icmp_print-oobr-1.out
@@ -0,0 +1,7 @@
IP (tos 0x4, ttl 64, id 3584, offset 0, flags [none], proto ICMP (1), length 23, bad cksum a (->1e0f)!)
22.3.2.0 > 54.209.0.0: ICMP type-#49, length 3[|icmp]
IP (tos 0x4, ttl 64, id 32512, offset 0, flags [none], proto VRRP (112), length 31, bad cksum 82 (->db96)!)
22.3.211.0 > 54.209.0.0: vrrp 22.3.211.0 > 54.209.0.0: VRRPv3, Advertisement, (ttl 64), vrid 128, prio 69[|vrrp]
c0:05:ff:ff:40:9d > 00:0c:02:49:96:7e, ethertype Unknown (0xf1ff), length 65570:
0x0000: 4404 0020 0e00 0000 4070 000a 1603 0200 D.......@p......
0x0010: 36d1 0000 3180 bc 6...1..
Binary file added tests/icmp-icmp_print-oobr-1.pcap
Binary file not shown.
5 changes: 5 additions & 0 deletions tests/icmp-icmp_print-oobr-2.out
@@ -0,0 +1,5 @@
IP truncated-ip - 39 bytes missing! (tos 0x7f,CE, ttl 254, id 40208, offset 0, flags [none], proto VRRP (112), length 68, options (unknown 69 [bad length 83]), bad cksum 9b15 (->b774)!)
250.219.91.20 > 209.150.251.64: vrrp 250.219.91.20 > 209.150.251.64: VRRPv2, Advertisement, (ttl 254)[|vrrp]
[|fr]
IP (tos 0x7f,CE, ttl 254, id 40208, offset 0, flags [none], proto ICMP (1), length 30, options (unknown 201 [bad length 255]), bad cksum 101 (->6470)!)
1.241.1.250 > 219.91.15.170: ICMP type-#255, length 2[|icmp]
Binary file added tests/icmp-icmp_print-oobr-2.pcap
Binary file not shown.
