CVE-2017-13018/PGM: Add a missing bounds check.

This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
the-tcpdump-group · Sep 13, 2017 · 26a6799 · 26a6799
1 parent 11b426e
commit 26a6799
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 0 deletions.
diff --git a/print-pgm.c b/print-pgm.c
@@ -457,6 +457,10 @@ pgm_print(netdissect_options *ndo,
 		    ND_PRINT((ndo, "[Total option length leaves no room for final option]"));
 		    return;
 		}
+		if (!ND_TTEST2(*bp, 2)) {
+		    ND_PRINT((ndo, " [|OPT]"));
+		    return;
+		}
 		opt_type = *bp++;
 		opt_len = *bp++;
 		if (opt_len < PGM_MIN_OPT_LEN) {

diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -519,6 +519,7 @@ esis_snpa_asan-3	esis_snpa_asan-3.pcap		esis_snpa_asan-3.out	-v
 esis_snpa_asan-4	esis_snpa_asan-4.pcap		esis_snpa_asan-4.out	-v
 esis_snpa_asan-5	esis_snpa_asan-5.pcap		esis_snpa_asan-5.out	-v
 dhcp6_reconf_asan	dhcp6_reconf_asan.pcap		dhcp6_reconf_asan.out	-v
+pgm_opts_asan		pgm_opts_asan.pcap		pgm_opts_asan.out	-v
 
 # RTP tests
 # fuzzed pcap

diff --git a/tests/pgm_opts_asan.out b/tests/pgm_opts_asan.out
@@ -0,0 +1,2 @@
+IP (tos 0x41,ECT(1), id 0, offset 0, flags [none], proto PGM (113), length 32639, options (unknown 89 [bad length 232]), bad cksum 5959 (->9eb9)!)
+    128.121.89.107 > 89.89.16.63: 128.121.89.107.4 > 89.89.16.63.225: PGM, length 0 0x3414eb1f0022 UNKNOWN type 0x1f OPTS LEN 225 OPT_1F [13]  OPT_06 [26]  PATH_NLA [4] [|OPT]
diff --git a/tests/pgm_opts_asan.pcap b/tests/pgm_opts_asan.pcap