
Commit 29e5470

fxlb authored and infrastation committed
CVE-2017-13028/BOOTP: Add a bounds check before fetching data
This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't cause 'tcpdump: pcap_loop: truncated dump file'
1 parent a77ff09 commit 29e5470


4 files changed, +4 -0 lines changed


Diff for: print-bootp.c

+1
@@ -322,6 +322,7 @@ bootp_print(netdissect_options *ndo,
322322
if (EXTRACT_16BITS(&bp->bp_secs))
323323
ND_PRINT((ndo, ", secs %d", EXTRACT_16BITS(&bp->bp_secs)));
324324

325+
ND_TCHECK(bp->bp_flags);
325326
ND_PRINT((ndo, ", Flags [%s]",
326327
bittok2str(bootp_flag_values, "none", EXTRACT_16BITS(&bp->bp_flags))));
327328
if (ndo->ndo_vflag > 1)
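
Review bot: the two EXTRACT_16BITS(&bp->bp_secs) reads in the context lines just above the new ND_TCHECK(bp->bp_flags) have no bounds check visible in this hunk. If no earlier ND_TCHECK covers bp_secs, add one before that `if`, since a capture truncated two bytes earlier would over-read in the same way. The placement of the new check itself, directly before EXTRACT_16BITS(&bp->bp_flags), is right.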

Diff for: tests/TESTLIST

+1
@@ -533,6 +533,7 @@ isis_stlv_asan-2 isis_stlv_asan-2.pcap isis_stlv_asan-2.out -v
533533
isis_stlv_asan-3 isis_stlv_asan-3.pcap isis_stlv_asan-3.out -v
534534
isis_stlv_asan-4 isis_stlv_asan-4.pcap isis_stlv_asan-4.out -v
535535
lldp_mgmt_addr_tlv_asan lldp_mgmt_addr_tlv_asan.pcap lldp_mgmt_addr_tlv_asan.out -v
536+
bootp_asan bootp_asan.pcap bootp_asan.out -v
536537

537538
# RTP tests
538539
# fuzzed pcap

Diff for: tests/bootp_asan.out

+2
@@ -0,0 +1,2 @@
1+
IP (tos 0x0, ttl 252, id 40207, offset 0, flags [+, DF, rsvd], proto UDP (17), length 60951, bad cksum ff (->8336)!)
2+
18.0.0.15.16896 > 107.95.83.32.68: BOOTP/DHCP, unknown (0x00), length 59384, htype 0, hlen 0, hops 13, xid 0x14000000, secs 3328 [|bootp]
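
Review bot: the expected output stops at `secs 3328 [|bootp]`, so this test pins only the truncation at bp_flags, and it relies on a capture that the commit message says was modified from the reporter's file. Please record what was changed in the capture (in the commit message or next to the test) so the 130-byte file can be audited or regenerated later.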

Diff for: tests/bootp_asan.pcap

130 Bytes
Binary file not shown.
