Commit 1a1bce0

(for 4.9.3) CVE-2018-14462/ICMP: Add a missing bounds check
In icmp_print(). This fixes a buffer over-read discovered by Bhargava Shastry. Add two tests using the capture files supplied by the reporter(s).
1 parent e5ec0d6 commit 1a1bce0

6 files changed

+15
-0
lines changed

Diff for: print-icmp.c

+1
Original file line numberDiff line numberDiff line change
@@ -564,6 +564,7 @@ icmp_print(netdissect_options *ndo, const u_char *bp, u_int plen, const u_char *
564564
vec[0].len = plen;
565565
sum = in_cksum(vec, 1);
566566
if (sum != 0) {
567+
ND_TCHECK_16BITS(&dp->icmp_cksum);
567568
uint16_t icmp_sum = EXTRACT_16BITS(&dp->icmp_cksum);
568569
ND_PRINT((ndo, " (wrong icmp cksum %x (->%x)!)",
569570
icmp_sum,
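
Review bot: the new ND_TCHECK_16BITS(&dp->icmp_cksum) at new line 567 is a statement placed ahead of the "uint16_t icmp_sum = ..." declaration in the same block, so the block now mixes a declaration after code. If the tree is still expected to build with pre-C99 compilers, declare icmp_sum at the top of the block and assign it after the check. A one-line comment on why the check is needed here would also help: the lines above already checksum plen bytes, so a reader may assume the checksum field is known to be present, while the new tests show ICMP payloads of length 3 and length 2, shorter than the 4 bytes that cover type, code and checksum.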

Diff for: tests/TESTLIST

+2
Original file line numberDiff line numberDiff line change
@@ -553,6 +553,8 @@ ip_ts_opts_asan ip_ts_opts_asan.pcap ip_ts_opts_asan.out -v
553553
isakmpv1-attr-oobr isakmpv1-attr-oobr.pcap isakmpv1-attr-oobr.out -v
554554
isakmp-ikev1_n_print-oobr isakmp-ikev1_n_print-oobr.pcap isakmp-ikev1_n_print-oobr.out -v -c3
555555
ldp-ldp_tlv_print-oobr ldp-ldp_tlv_print-oobr.pcap ldp-ldp_tlv_print-oobr.out -v -c1
556+
icmp-icmp_print-oobr-1 icmp-icmp_print-oobr-1.pcap icmp-icmp_print-oobr-1.out -v -c3
557+
icmp-icmp_print-oobr-2 icmp-icmp_print-oobr-2.pcap icmp-icmp_print-oobr-2.out -v -c3
556558
# The .pcap file is truncated after the 1st packet.
557559
hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1
558560
hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1
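
Review bot: the two new entries at 556-557 are inserted directly above the existing comment "# The .pcap file is truncated after the 1st packet.", between it and the ldp-ldp_tlv_print-oobr line. Please confirm the comment still sits next to the entries it describes. The new entries also pass -c3 with no explanation, where the neighbouring -c1 entries have one; a short comment saying why three packets are read from each capture would keep the list self-documenting.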

Diff for: tests/icmp-icmp_print-oobr-1.out

+7
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
IP (tos 0x4, ttl 64, id 3584, offset 0, flags [none], proto ICMP (1), length 23, bad cksum a (->1e0f)!)
2+
22.3.2.0 > 54.209.0.0: ICMP type-#49, length 3[|icmp]
3+
IP (tos 0x4, ttl 64, id 32512, offset 0, flags [none], proto VRRP (112), length 31, bad cksum 82 (->db96)!)
4+
22.3.211.0 > 54.209.0.0: vrrp 22.3.211.0 > 54.209.0.0: VRRPv3, Advertisement, (ttl 64), vrid 128, prio 69[|vrrp]
5+
c0:05:ff:ff:40:9d > 00:0c:02:49:96:7e, ethertype Unknown (0xf1ff), length 65570:
6+
0x0000: 4404 0020 0e00 0000 4070 000a 1603 0200 D.......@p......
7+
0x0010: 36d1 0000 3180 bc 6...1..
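
Review bot: only lines 1-2 of this expected output come from the ICMP printer; lines 3-4 are VRRP output and lines 5-7 are an unknown-ethertype hex dump, so the regression test will also fail on unrelated changes to those printers. Since the "[|icmp]" truncation marker already appears for the first packet, consider running this capture with -c1 if that packet alone reproduces the over-read.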

Diff for: tests/icmp-icmp_print-oobr-1.pcap

1.18 KB
Binary file not shown.

Diff for: tests/icmp-icmp_print-oobr-2.out

+5
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
IP truncated-ip - 39 bytes missing! (tos 0x7f,CE, ttl 254, id 40208, offset 0, flags [none], proto VRRP (112), length 68, options (unknown 69 [bad length 83]), bad cksum 9b15 (->b774)!)
2+
250.219.91.20 > 209.150.251.64: vrrp 250.219.91.20 > 209.150.251.64: VRRPv2, Advertisement, (ttl 254)[|vrrp]
3+
[|fr]
4+
IP (tos 0x7f,CE, ttl 254, id 40208, offset 0, flags [none], proto ICMP (1), length 30, options (unknown 201 [bad length 255]), bad cksum 101 (->6470)!)
5+
1.241.1.250 > 219.91.15.170: ICMP type-#255, length 2[|icmp]
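
Review bot: the ICMP packet is the last one printed here (lines 4-5), so -c3 is needed to reach it, but lines 1-3 pin the test to the VRRP and "[|fr]" output of the two packets before it. Trimming the capture to the single ICMP packet would let the expected output cover only the "[|icmp]" result this fix is about, and would shrink the stored pcap.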

Diff for: tests/icmp-icmp_print-oobr-2.pcap

2.46 KB
Binary file not shown.
