Permalink
Browse files

CVE-2017-12895/ICMP: Check the availability of data before checksummi…

…ng it.

This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add tests using the capture files supplied by the reporter(s).
  • Loading branch information...
guyharris authored and infrastation committed Feb 4, 2017
1 parent 730fc35 commit 2b62d1dda41590db29368ec7ba5f4faf3464765a
View
@@ -598,7 +598,8 @@ icmp_print(netdissect_options *ndo, const u_char *bp, u_int plen, const u_char *
* to check if an extension header is present. This is expedient,
* however not all implementations set the length field proper.
*/
if (!ext_dp->icmp_length) {
if (!ext_dp->icmp_length &&
ND_TTEST2(ext_dp->icmp_ext_version_res, plen - ICMP_EXTD_MINLEN)) {
vec[0].ptr = (const uint8_t *)(const void *)&ext_dp->icmp_ext_version_res;
vec[0].len = plen - ICMP_EXTD_MINLEN;
if (in_cksum(vec, 1)) {
@@ -619,12 +620,14 @@ icmp_print(netdissect_options *ndo, const u_char *bp, u_int plen, const u_char *
}
hlen = plen - ICMP_EXTD_MINLEN;
vec[0].ptr = (const uint8_t *)(const void *)&ext_dp->icmp_ext_version_res;
vec[0].len = hlen;
ND_PRINT((ndo, ", checksum 0x%04x (%scorrect), length %u",
EXTRACT_16BITS(ext_dp->icmp_ext_checksum),
in_cksum(vec, 1) ? "in" : "",
hlen));
if (ND_TTEST2(ext_dp->icmp_ext_version_res, hlen)) {
vec[0].ptr = (const uint8_t *)(const void *)&ext_dp->icmp_ext_version_res;
vec[0].len = hlen;
ND_PRINT((ndo, ", checksum 0x%04x (%scorrect), length %u",
EXTRACT_16BITS(ext_dp->icmp_ext_checksum),
in_cksum(vec, 1) ? "in" : "",
hlen));
}
hlen -= 4; /* subtract common header size */
obj_tptr = (const uint8_t *)ext_dp->icmp_ext_data;
View
@@ -452,6 +452,10 @@ slip-bad-direction slip-bad-direction.pcap slip-bad-direction.out -ve
# bad packets from Otto Airamo and Antti Levomäki
nbns-valgrind nbns-valgrind.pcap nbns-valgrind.out -vvv -e
arp-oobr arp-oobr.pcap arp-oobr.out -vvv -e
icmp-cksum-oobr-1 icmp-cksum-oobr-1.pcap icmp-cksum-oobr-1.out -vvv -e
icmp-cksum-oobr-2 icmp-cksum-oobr-2.pcap icmp-cksum-oobr-2.out -vvv -e
icmp-cksum-oobr-3 icmp-cksum-oobr-3.pcap icmp-cksum-oobr-3.out -vvv -e
icmp-cksum-oobr-4 icmp-cksum-oobr-4.pcap icmp-cksum-oobr-4.out -vvv -e
# RTP tests
# fuzzed pcap
@@ -0,0 +1,5 @@
Out 00:16:3e:27:78:a2 ethertype IPv4 (0x0800), length 204: truncated-ip - 13723 bytes missing! (tos 0x72,ECT(0), ttl 64, id 9472, offset 0, flags [none], proto ICMP (1), length 13911, bad cksum 67ea (->8c0c)!)
62.220.31.247 > 62.225.245.115: ICMP 62.220.31.247 udp port 1027 unreachable, length 13891
(tos 0xa0, ttl 114, id 30054, offset 0, flags [none], proto UDP (17), length 13728, bad cksum 3f1f (->a1f)!)
62.225.245.115.9109 > 62.220.31.247.1027: [bad udp cksum 0xdfe7 -> 0xdb95!] UDP, length 132
MPLS extension v0 packet not supported
Binary file not shown.
@@ -0,0 +1,11 @@
IP (0x0021), length 244: truncated-ip - 32768 bytes missing! (tos 0x0, ttl 254, id 59168, offset 0, flags [DF], proto ICMP (1), length 33008, bad cksum 7ade (->fabd)!)
10.4.0.34 > 12.4.4.4: ICMP time exceeded in-transit, length 32988
(tos 0x0, ttl 1, id 42321, offset 0, flags [none], proto UDP (17), length 40)
12.4.4.4.42315 > 12.1.1.1.33440: [bad udp cksum 0x1000 -> 0xbad0!] UDP, length 12
MPLS extension v2
Extended Payload Object (2), Class-Type: 14, length 80
0x0000: 0000 000f 0001 0000 0a0a 0a0a 3f54 6869
0x0010: 732d 6973 2d74 6865 2d6e 616d 652d 6f66
0x0020: 2d74 6865 2d49 6e74 6572 6661 6365 2d74
0x0030: 6861 742d 7765 2d61 7265 2d6c 6f6f 6b69
0x0040: 6e67 2d66 6f72 2d5b 3a2d 295d[|icmp]
Binary file not shown.
@@ -0,0 +1,5 @@
00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 337: truncated-ip - 4096 bytes missing! (tos 0x0, ttl 64, id 30662, offset 0, flags [DF], proto ICMP (1), length 4419, bad cksum cdf9 (->bdf9)!)
97.242.24.11 > 97.242.24.11: ICMP 97.242.24.11 udp port 162 unreachable, length 4399
(tos 0x0, ttl 128, id 30661, offset 0, flags [DF], proto UDP (17), length 295)
97.242.24.11.60377 > 97.242.24.11.162: [udp sum ok] { SNMPv1 C="trap" { Trap(251) .1.3.6.1.4.1.3830.1.1.2.2.1 97.242.24.11 enterpriseSpecific s=52 61498489 .1.3.6.1.4.1.3830.1.1.2.1.1.1=3 .1.3.6.1.4.1.3830.1.1.2.1.1.2=2 .1.3.6.1.4.1.3830.1.1.2.1.1.3="%SMSA-E-POLLERR, Polling the SMSC was not successful." .1.3.6.1.4.1.3830.1.1.2.1.1.4="OPCOM" .1.3.6.1.4.1.3830.1.1.2.1.1.5="28-OCT-2010 20:42:14.67" .1.3.6.1.4.1.3830.1.1.2.1.1.6="SMRL51" } }
MPLS extension v0 packet not supported
Binary file not shown.
@@ -0,0 +1,7 @@
IP (0x0021), length 172: truncated-ip - 8192 bytes missing! (tos 0xc0, ttl 251, id 5047, offset 0, flags [none], proto ICMP (1), length 8360, bad cksum 7edb (->5edb)!)
10.0.12.2 > 10.0.12.1: ICMP time exceeded in-transit, length 8340
(tos 0x0, ttl 1, id 2574, offset 0, flags [none], proto UDP (17), length 28)
10.0.12.1.49215 > 10.255.255.4.33435: [udp sum ok] UDP, length 0
MPLS extension v2
MPLS Stack Entry Object (1), Class-Type: 1, length 8
label 16, exp 0, [S], ttl 1[|icmp]
Binary file not shown.

0 comments on commit 2b62d1d

Please sign in to comment.