
Commit 1bc78d7

guyharrisinfrastation
authored andcommitted
CVE-2017-13032/RADIUS: Check whether a byte exists before testing its value.
Reverse the test in a for loop to test the length before testing whether we have a null byte. This fixes a buffer over-read discovered by Bhargava Shastry. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture. Clean up other length tests while we're at it.
1 parent 0f17359 commit 1bc78d7


4 files changed

+15
-9
lines changed


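--- a/print-radius.c
+++ b/print-radius.c
@@ -503,10 +503,7 @@ print_attr_string(netdissect_options *ndo,
 {
 case TUNNEL_PASS:
 if (length < 3)
-{
-ND_PRINT((ndo, "%s", tstr));
-return;
-}
+goto trunc;
 if (*data && (*data <=0x1F) )
 ND_PRINT((ndo, "Tag[%u] ", *data));
 else
@@ -526,10 +523,7 @@ print_attr_string(netdissect_options *ndo,
 if (*data <= 0x1F)
 {
 if (length < 1)
-{
-ND_PRINT((ndo, "%s", tstr));
-return;
-}
+goto trunc;
 if (*data)
 ND_PRINT((ndo, "Tag[%u] ", *data));
 else
@@ -539,6 +533,8 @@ print_attr_string(netdissect_options *ndo,
 }
 break;
 case EGRESS_VLAN_NAME:
+if (length < 1)
+goto trunc;
 ND_PRINT((ndo, "%s (0x%02x) ",
 tok2str(rfc4675_tagged,"Unknown tag",*data),
 *data));
@@ -547,7 +543,7 @@ print_attr_string(netdissect_options *ndo,
 break;
 }
 
-for (i=0; *data && i < length ; i++, data++)
+for (i=0; i < length && *data; i++, data++)
 ND_PRINT((ndo, "%c", (*data < 32 || *data > 126) ? '.' : *data));
 
 return;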
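Review bot: In the second hunk the `length < 1` guard still sits inside `if (*data <= 0x1F)`, so `*data` has already been read by the time the length is tested. For a zero-length attribute value that is the same read-before-check order this commit corrects in the final `for` loop and guards against in `EGRESS_VLAN_NAME`. Hoisting the guard above the comparison, i.e. `if (length < 1) goto trunc;` followed by `if (*data <= 0x1F)`, would make the branch consistent with the other two; the nested check could then be dropped. Whether an earlier bounds check in print_attr_string already covers a zero-length value cannot be seen from these hunks, since the case labels for this branch and the start and end of the function are outside them.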

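--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -541,6 +541,7 @@ pim_header_asan pim_header_asan.pcap pim_header_asan.out -v
 pim_header_asan-2 pim_header_asan-2.pcap pim_header_asan-2.out -v
 pim_header_asan-3 pim_header_asan-3.pcap pim_header_asan-3.out -v
 ip6_frag_asan ip6_frag_asan.pcap ip6_frag_asan.out -v
+radius_attr_asan radius_attr_asan.pcap radius_attr_asan.out -v
 
 # RTP tests
 # fuzzed pcap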

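--- a/tests/radius_attr_asan.out
+++ b/tests/radius_attr_asan.out
@@ -0,0 +1,9 @@
+IP (tos 0x64, ttl 249, id 40192, offset 0, flags [+, DF, rsvd], proto UDP (17), length 299, options (unknown 235 [bad length 252]), bad cksum 8000 (->1faa)!)
+0.0.86.32.258 > 0.2.250.99.3799: RADIUS, length: 263
+Unknown Command (58), id: 0x6a, Authenticator: 0901020ed7ff03edb63a0f00cb0f00cb
+NAS-Port Attribute (5), length: 5, Value: ERROR: length 3 != 4
+Unknown Attribute (127), length: 4, Value:
+NAS-IP-Address Attribute (4), length: 4, Value: ERROR: length 2 != 4
+NAS-IP-Address Attribute (4), length: 4, Value: ERROR: length 2 != 4
+NAS-IP-Address Attribute (4), length: 4, Value: ERROR: length 2 != 4
+Callback-Id Attribute (20), length: 4, Value: .. [|radius]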

Diff for: tests/radius_attr_asan.pcap

135 Bytes
Binary file not shown.
