Skip to content
Permalink
Browse files

CVE-2017-13018/PGM: Add a missing bounds check.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
  • Loading branch information...
guyharris authored and infrastation committed Mar 22, 2017
1 parent 11b426e commit 26a6799b9ca80508c05cac7a9a3bef922991520b
Showing with 7 additions and 0 deletions.
  1. +4 −0 print-pgm.c
  2. +1 −0 tests/TESTLIST
  3. +2 −0 tests/pgm_opts_asan.out
  4. BIN tests/pgm_opts_asan.pcap
@@ -457,6 +457,10 @@ pgm_print(netdissect_options *ndo,
ND_PRINT((ndo, "[Total option length leaves no room for final option]"));
return;
}
if (!ND_TTEST2(*bp, 2)) {
ND_PRINT((ndo, " [|OPT]"));
return;
}
opt_type = *bp++;
opt_len = *bp++;
if (opt_len < PGM_MIN_OPT_LEN) {
@@ -519,6 +519,7 @@ esis_snpa_asan-3 esis_snpa_asan-3.pcap esis_snpa_asan-3.out -v
esis_snpa_asan-4 esis_snpa_asan-4.pcap esis_snpa_asan-4.out -v
esis_snpa_asan-5 esis_snpa_asan-5.pcap esis_snpa_asan-5.out -v
dhcp6_reconf_asan dhcp6_reconf_asan.pcap dhcp6_reconf_asan.out -v
pgm_opts_asan pgm_opts_asan.pcap pgm_opts_asan.out -v

# RTP tests
# fuzzed pcap
@@ -0,0 +1,2 @@
IP (tos 0x41,ECT(1), id 0, offset 0, flags [none], proto PGM (113), length 32639, options (unknown 89 [bad length 232]), bad cksum 5959 (->9eb9)!)
128.121.89.107 > 89.89.16.63: 128.121.89.107.4 > 89.89.16.63.225: PGM, length 0 0x3414eb1f0022 UNKNOWN type 0x1f OPTS LEN 225 OPT_1F [13] OPT_06 [26] PATH_NLA [4] [|OPT]
BIN +135 Bytes tests/pgm_opts_asan.pcap
Binary file not shown.

0 comments on commit 26a6799

Please sign in to comment.
You can’t perform that action at this time.