Skip to content
Permalink
Browse files

CVE-2017-13028/BOOTP: Add a bounds check before fetching data

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't cause 'tcpdump: pcap_loop: truncated dump file'
  • Loading branch information...
fxlb authored and infrastation committed Mar 22, 2017
1 parent a77ff09 commit 29e5470e6ab84badbc31f4532bb7554a796d9d52
Showing with 4 additions and 0 deletions.
  1. +1 −0 print-bootp.c
  2. +1 −0 tests/TESTLIST
  3. +2 −0 tests/bootp_asan.out
  4. BIN tests/bootp_asan.pcap
@@ -322,6 +322,7 @@ bootp_print(netdissect_options *ndo,
if (EXTRACT_16BITS(&bp->bp_secs))
ND_PRINT((ndo, ", secs %d", EXTRACT_16BITS(&bp->bp_secs)));

ND_TCHECK(bp->bp_flags);
ND_PRINT((ndo, ", Flags [%s]",
bittok2str(bootp_flag_values, "none", EXTRACT_16BITS(&bp->bp_flags))));
if (ndo->ndo_vflag > 1)
@@ -533,6 +533,7 @@ isis_stlv_asan-2 isis_stlv_asan-2.pcap isis_stlv_asan-2.out -v
isis_stlv_asan-3 isis_stlv_asan-3.pcap isis_stlv_asan-3.out -v
isis_stlv_asan-4 isis_stlv_asan-4.pcap isis_stlv_asan-4.out -v
lldp_mgmt_addr_tlv_asan lldp_mgmt_addr_tlv_asan.pcap lldp_mgmt_addr_tlv_asan.out -v
bootp_asan bootp_asan.pcap bootp_asan.out -v

# RTP tests
# fuzzed pcap
@@ -0,0 +1,2 @@
IP (tos 0x0, ttl 252, id 40207, offset 0, flags [+, DF, rsvd], proto UDP (17), length 60951, bad cksum ff (->8336)!)
18.0.0.15.16896 > 107.95.83.32.68: BOOTP/DHCP, unknown (0x00), length 59384, htype 0, hlen 0, hops 13, xid 0x14000000, secs 3328 [|bootp]
BIN +130 Bytes tests/bootp_asan.pcap
Binary file not shown.

0 comments on commit 29e5470

Please sign in to comment.
You can’t perform that action at this time.