CVE-2017-13037/IP: Add bounds checks when printing time stamp options.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
guyharris authored and infrastation committed Sep 13, 2017
1 parent c2f3b23 commit 2c2cfbd
Showing 4 changed files with 14 additions and 3 deletions.
14 changes: 11 additions & 3 deletions print-ip.c
Expand Up @@ -168,7 +168,7 @@ nextproto4_cksum(netdissect_options *ndo,
return (in_cksum(vec, 2));
}

static void
static int
ip_printts(netdissect_options *ndo,
register const u_char *cp, u_int length)
{
Expand All @@ -179,16 +179,18 @@ ip_printts(netdissect_options *ndo,

if (length < 4) {
ND_PRINT((ndo, "[bad length %u]", length));
return;
return (0);
}
ND_PRINT((ndo, " TS{"));
hoplen = ((cp[3]&0xF) != IPOPT_TS_TSONLY) ? 8 : 4;
if ((length - 4) & (hoplen-1))
ND_PRINT((ndo, "[bad length %u]", length));
ND_TCHECK(cp[2]);
ptr = cp[2] - 1;
len = 0;
if (ptr < 4 || ((ptr - 4) & (hoplen-1)) || ptr > length + 1)
ND_PRINT((ndo, "[bad ptr %u]", cp[2]));
ND_TCHECK(cp[3]);
switch (cp[3]&0xF) {
case IPOPT_TS_TSONLY:
ND_PRINT((ndo, "TSONLY"));
Expand Down Expand Up @@ -217,6 +219,7 @@ ip_printts(netdissect_options *ndo,
for (len = 4; len < length; len += hoplen) {
if (ptr == len)
type = " ^ ";
ND_TCHECK2(cp[len], hoplen);
ND_PRINT((ndo, "%s%d@%s", type, EXTRACT_32BITS(&cp[len+hoplen-4]),
hoplen!=8 ? "" : ipaddr_string(ndo, &cp[len])));
type = " ";
Expand All @@ -229,6 +232,10 @@ ip_printts(netdissect_options *ndo,
ND_PRINT((ndo, " [%d hops not recorded]} ", cp[3]>>4));
else
ND_PRINT((ndo, "}"));
return (0);

trunc:
return (-1);
}

/*
Expand Down Expand Up @@ -278,7 +285,8 @@ ip_optprint(netdissect_options *ndo,
return;

case IPOPT_TS:
ip_printts(ndo, cp, option_len);
if (ip_printts(ndo, cp, option_len) == -1)
goto trunc;
break;

case IPOPT_RR: /* fall through */
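Review bot: The `ND_TCHECK(cp[3]);` added just before the `switch` lands after the first dereference of `cp[3]`, in `hoplen = ((cp[3]&0xF) != IPOPT_TS_TSONLY) ? 8 : 4;` a few lines above it, so a capture that ends after `cp[2]` is still read past the snapshot there unless `ip_optprint` has already checked those bytes, which the visible part of that function does not show. The `length < 4` test on the line before only validates the option's declared length, not how many bytes were captured. Placing one `ND_TCHECK2(cp[2], 2);` immediately before the `hoplen` assignment covers both `cp[2]` and `cp[3]` for the rest of the function and makes the two separate single-byte checks redundant. The `ND_TCHECK2(cp[len], hoplen);` in the loop correctly precedes both `EXTRACT_32BITS(&cp[len+hoplen-4])` and the `ipaddr_string(ndo, &cp[len])` read, so that hunk looks right.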
1 change: 1 addition & 0 deletions tests/TESTLIST
Expand Up @@ -552,6 +552,7 @@ pim_header_asan-4 pim_header_asan-4.pcap pim_header_asan-4.out -v
ip6_frag_asan ip6_frag_asan.pcap ip6_frag_asan.out -v
radius_attr_asan radius_attr_asan.pcap radius_attr_asan.out -v
ospf6_decode_v3_asan ospf6_decode_v3_asan.pcap ospf6_decode_v3_asan.out -v
ip_ts_opts_asan ip_ts_opts_asan.pcap ip_ts_opts_asan.out -v

# RTP tests
# fuzzed pcap
2 changes: 2 additions & 0 deletions tests/ip_ts_opts_asan.out
@@ -0,0 +1,2 @@
IP (tos 0xe2,ECT(0), id 32, offset 0, flags [+, DF, rsvd], proto ICMP (1), length 65319, options (timestamp TS{[bad length 14]TS+ADDR ^ 1229070338@0.0.52.112[|ip]), bad cksum a09b (->90a7)!)
149.8.33.81 > 95.18.83.227: [|icmp]
Binary file added tests/ip_ts_opts_asan.pcap
