Skip to content

Commit 26a6799

Browse files
guyharrisinfrastation
authored andcommitted
CVE-2017-13018/PGM: Add a missing bounds check.
This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
1 parent 11b426e commit 26a6799

File tree

4 files changed

+7
-0
lines changed

4 files changed

+7
-0
lines changed

Diff for: print-pgm.c

+4
Original file line numberDiff line numberDiff line change
@@ -457,6 +457,10 @@ pgm_print(netdissect_options *ndo,
457457
ND_PRINT((ndo, "[Total option length leaves no room for final option]"));
458458
return;
459459
}
460+
if (!ND_TTEST2(*bp, 2)) {
461+
ND_PRINT((ndo, " [|OPT]"));
462+
return;
463+
}
460464
opt_type = *bp++;
461465
opt_len = *bp++;
462466
if (opt_len < PGM_MIN_OPT_LEN) {

Diff for: tests/TESTLIST

+1
Original file line numberDiff line numberDiff line change
@@ -519,6 +519,7 @@ esis_snpa_asan-3 esis_snpa_asan-3.pcap esis_snpa_asan-3.out -v
519519
esis_snpa_asan-4 esis_snpa_asan-4.pcap esis_snpa_asan-4.out -v
520520
esis_snpa_asan-5 esis_snpa_asan-5.pcap esis_snpa_asan-5.out -v
521521
dhcp6_reconf_asan dhcp6_reconf_asan.pcap dhcp6_reconf_asan.out -v
522+
pgm_opts_asan pgm_opts_asan.pcap pgm_opts_asan.out -v
522523

523524
# RTP tests
524525
# fuzzed pcap

Diff for: tests/pgm_opts_asan.out

+2
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
IP (tos 0x41,ECT(1), id 0, offset 0, flags [none], proto PGM (113), length 32639, options (unknown 89 [bad length 232]), bad cksum 5959 (->9eb9)!)
2+
128.121.89.107 > 89.89.16.63: 128.121.89.107.4 > 89.89.16.63.225: PGM, length 0 0x3414eb1f0022 UNKNOWN type 0x1f OPTS LEN 225 OPT_1F [13] OPT_06 [26] PATH_NLA [4] [|OPT]

Diff for: tests/pgm_opts_asan.pcap

135 Bytes
Binary file not shown.

0 commit comments

Comments
 (0)