
Commit 2b62d1d

guyharris authored and infrastation committed
CVE-2017-12895/ICMP: Check the availability of data before checksumming it.
This fixes a buffer over-read discovered by Forcepoint's security researchers Otto Airamo & Antti Levomäki. Add tests using the capture files supplied by the reporter(s).
1 parent 730fc35 commit 2b62d1d

10 files changed: +42 -7 lines changed

Diff for: print-icmp.c

+10-7
@@ -598,7 +598,8 @@ icmp_print(netdissect_options *ndo, const u_char *bp, u_int plen, const u_char *
598598
* to check if an extension header is present. This is expedient,
599599
* however not all implementations set the length field proper.
600600
*/
601-
if (!ext_dp->icmp_length) {
601+
if (!ext_dp->icmp_length &&
602+
ND_TTEST2(ext_dp->icmp_ext_version_res, plen - ICMP_EXTD_MINLEN)) {
602603
vec[0].ptr = (const uint8_t *)(const void *)&ext_dp->icmp_ext_version_res;
603604
vec[0].len = plen - ICMP_EXTD_MINLEN;
604605
if (in_cksum(vec, 1)) {
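Review bot: with `ND_TTEST2(ext_dp->icmp_ext_version_res, plen - ICMP_EXTD_MINLEN)` added to the condition, a zero `icmp_length` on a packet whose extension header is not fully captured now skips both the checksum and the early `return`, so execution falls through as if the checksum had verified and an extension header were present; before this change the code below was only reached when `in_cksum(vec, 1)` returned 0. If that fall-through is intended (the expected outputs for the truncated captures end in `MPLS extension v0 packet not supported`, which is this path), a comment on the `if` stating that an unverifiable header is treated as present would make it explicit; otherwise return when the data is not available. Also, `plen - ICMP_EXTD_MINLEN` is unsigned arithmetic and this hunk shows no guard that `plen >= ICMP_EXTD_MINLEN`; worth confirming one exists earlier in `icmp_print`.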
@@ -619,12 +620,14 @@ icmp_print(netdissect_options *ndo, const u_char *bp, u_int plen, const u_char *
619620
}
620621

621622
hlen = plen - ICMP_EXTD_MINLEN;
622-
vec[0].ptr = (const uint8_t *)(const void *)&ext_dp->icmp_ext_version_res;
623-
vec[0].len = hlen;
624-
ND_PRINT((ndo, ", checksum 0x%04x (%scorrect), length %u",
625-
EXTRACT_16BITS(ext_dp->icmp_ext_checksum),
626-
in_cksum(vec, 1) ? "in" : "",
627-
hlen));
623+
if (ND_TTEST2(ext_dp->icmp_ext_version_res, hlen)) {
624+
vec[0].ptr = (const uint8_t *)(const void *)&ext_dp->icmp_ext_version_res;
625+
vec[0].len = hlen;
626+
ND_PRINT((ndo, ", checksum 0x%04x (%scorrect), length %u",
627+
EXTRACT_16BITS(ext_dp->icmp_ext_checksum),
628+
in_cksum(vec, 1) ? "in" : "",
629+
hlen));
630+
}
628631

629632
hlen -= 4; /* subtract common header size */
630633
obj_tptr = (const uint8_t *)ext_dp->icmp_ext_data;
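Review bot: when `ND_TTEST2(ext_dp->icmp_ext_version_res, hlen)` fails, the checksum line is dropped silently and execution continues into `hlen -= 4;` and the object walk with `hlen` still derived from the on-wire `plen` rather than the captured length; the object parsing then has to catch the truncation on its own (the new `.out` files end in `[|icmp]`, so it does), but the dissection gives no hint that the checksum was never verified. Consider an `else` branch printing something like `, checksum not verified (truncated)` so the two cases can be told apart in the output. Minor: the `vec[0].ptr`/`vec[0].len` setup duplicates the one in the first hunk over the same byte range (`plen - ICMP_EXTD_MINLEN` is `hlen`); a small helper would avoid the duplication.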

Diff for: tests/TESTLIST

+4
@@ -452,6 +452,10 @@ slip-bad-direction slip-bad-direction.pcap slip-bad-direction.out -ve
452452
# bad packets from Otto Airamo and Antti Levomäki
453453
nbns-valgrind nbns-valgrind.pcap nbns-valgrind.out -vvv -e
454454
arp-oobr arp-oobr.pcap arp-oobr.out -vvv -e
455+
icmp-cksum-oobr-1 icmp-cksum-oobr-1.pcap icmp-cksum-oobr-1.out -vvv -e
456+
icmp-cksum-oobr-2 icmp-cksum-oobr-2.pcap icmp-cksum-oobr-2.out -vvv -e
457+
icmp-cksum-oobr-3 icmp-cksum-oobr-3.pcap icmp-cksum-oobr-3.out -vvv -e
458+
icmp-cksum-oobr-4 icmp-cksum-oobr-4.pcap icmp-cksum-oobr-4.out -vvv -e
455459

456460
# RTP tests
457461
# fuzzed pcap
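Review bot: the four new `icmp-cksum-oobr-*` entries sit under the existing `# bad packets from Otto Airamo and Antti Levomäki` comment, but nothing in TESTLIST ties them to CVE-2017-12895 or to print-icmp.c; a one-line comment naming the CVE above these entries would let anyone bisecting a regression map the tests back to the fix without reading the commit log.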

Diff for: tests/icmp-cksum-oobr-1.out

+5
@@ -0,0 +1,5 @@
1+
Out 00:16:3e:27:78:a2 ethertype IPv4 (0x0800), length 204: truncated-ip - 13723 bytes missing! (tos 0x72,ECT(0), ttl 64, id 9472, offset 0, flags [none], proto ICMP (1), length 13911, bad cksum 67ea (->8c0c)!)
2+
62.220.31.247 > 62.225.245.115: ICMP 62.220.31.247 udp port 1027 unreachable, length 13891
3+
(tos 0xa0, ttl 114, id 30054, offset 0, flags [none], proto UDP (17), length 13728, bad cksum 3f1f (->a1f)!)
4+
62.225.245.115.9109 > 62.220.31.247.1027: [bad udp cksum 0xdfe7 -> 0xdb95!] UDP, length 132
5+
MPLS extension v0 packet not supported
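Review bot: this expected output records the fall-through raised for the first print-icmp.c hunk: the frame is reported as `truncated-ip - 13723 bytes missing!` and the dissector still proceeds to `MPLS extension v0 packet not supported`, i.e. the extension header was assumed present without its checksum being verified. That is fine as a regression test for the over-read, but if the print-icmp.c behaviour is later changed to flag an unverified checksum, this file (and icmp-cksum-oobr-3.out, which takes the same path) will need updating.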

Diff for: tests/icmp-cksum-oobr-1.pcap

244 Bytes
Binary file not shown.

Diff for: tests/icmp-cksum-oobr-2.out

+11
@@ -0,0 +1,11 @@
1+
IP (0x0021), length 244: truncated-ip - 32768 bytes missing! (tos 0x0, ttl 254, id 59168, offset 0, flags [DF], proto ICMP (1), length 33008, bad cksum 7ade (->fabd)!)
2+
10.4.0.34 > 12.4.4.4: ICMP time exceeded in-transit, length 32988
3+
(tos 0x0, ttl 1, id 42321, offset 0, flags [none], proto UDP (17), length 40)
4+
12.4.4.4.42315 > 12.1.1.1.33440: [bad udp cksum 0x1000 -> 0xbad0!] UDP, length 12
5+
MPLS extension v2
6+
Extended Payload Object (2), Class-Type: 14, length 80
7+
0x0000: 0000 000f 0001 0000 0a0a 0a0a 3f54 6869
8+
0x0010: 732d 6973 2d74 6865 2d6e 616d 652d 6f66
9+
0x0020: 2d74 6865 2d49 6e74 6572 6661 6365 2d74
10+
0x0030: 6861 742d 7765 2d61 7265 2d6c 6f6f 6b69
11+
0x0040: 6e67 2d66 6f72 2d5b 3a2d 295d[|icmp]
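Review bot: the `MPLS extension v2` line here is not followed by the `, checksum 0x.... (...correct), length ...` text from the second print-icmp.c hunk, consistent with the new `ND_TTEST2(..., hlen)` guard taking the skip path for this `32768 bytes missing!` capture; the object walk then dumps the `Extended Payload Object` and terminates with `[|icmp]`. A TESTLIST comment noting that the absence of the checksum line is the expected behaviour for truncated extension headers would stop a later reader from taking it for a missing field.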

Diff for: tests/icmp-cksum-oobr-2.pcap

284 Bytes
Binary file not shown.

Diff for: tests/icmp-cksum-oobr-3.out

+5
@@ -0,0 +1,5 @@
1+
00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 337: truncated-ip - 4096 bytes missing! (tos 0x0, ttl 64, id 30662, offset 0, flags [DF], proto ICMP (1), length 4419, bad cksum cdf9 (->bdf9)!)
2+
97.242.24.11 > 97.242.24.11: ICMP 97.242.24.11 udp port 162 unreachable, length 4399
3+
(tos 0x0, ttl 128, id 30661, offset 0, flags [DF], proto UDP (17), length 295)
4+
97.242.24.11.60377 > 97.242.24.11.162: [udp sum ok] { SNMPv1 C="trap" { Trap(251) .1.3.6.1.4.1.3830.1.1.2.2.1 97.242.24.11 enterpriseSpecific s=52 61498489 .1.3.6.1.4.1.3830.1.1.2.1.1.1=3 .1.3.6.1.4.1.3830.1.1.2.1.1.2=2 .1.3.6.1.4.1.3830.1.1.2.1.1.3="%SMSA-E-POLLERR, Polling the SMSC was not successful." .1.3.6.1.4.1.3830.1.1.2.1.1.4="OPCOM" .1.3.6.1.4.1.3830.1.1.2.1.1.5="28-OCT-2010 20:42:14.67" .1.3.6.1.4.1.3830.1.1.2.1.1.6="SMRL51" } }
5+
MPLS extension v0 packet not supported

Diff for: tests/icmp-cksum-oobr-3.pcap

456 Bytes
Binary file not shown.

Diff for: tests/icmp-cksum-oobr-4.out

+7
@@ -0,0 +1,7 @@
1+
IP (0x0021), length 172: truncated-ip - 8192 bytes missing! (tos 0xc0, ttl 251, id 5047, offset 0, flags [none], proto ICMP (1), length 8360, bad cksum 7edb (->5edb)!)
2+
10.0.12.2 > 10.0.12.1: ICMP time exceeded in-transit, length 8340
3+
(tos 0x0, ttl 1, id 2574, offset 0, flags [none], proto UDP (17), length 28)
4+
10.0.12.1.49215 > 10.255.255.4.33435: [udp sum ok] UDP, length 0
5+
MPLS extension v2
6+
MPLS Stack Entry Object (1), Class-Type: 1, length 8
7+
label 16, exp 0, [S], ttl 1[|icmp]

Diff for: tests/icmp-cksum-oobr-4.pcap

288 Bytes
Binary file not shown.
