Commit 2d66986

guyharris authored and infrastation committed
CVE-2017-13031/Check for the presence of the entire IPv6 fragment header.
This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture. Clean up some whitespace in tests/TESTLIST while we're at it.
1 parent eb8c0d4 commit 2d66986

4 files changed

+6
-4
lines changed

Diff for: print-frag6.c

+1-1
Original file line numberDiff line numberDiff line change
@@ -41,7 +41,7 @@ frag6_print(netdissect_options *ndo, register const u_char *bp, register const u
4141
dp = (const struct ip6_frag *)bp;
4242
ip6 = (const struct ip6_hdr *)bp2;
4343

44-
ND_TCHECK(dp->ip6f_offlg);
44+
ND_TCHECK(*dp);
4545

4646
if (ndo->ndo_vflag) {
4747
ND_PRINT((ndo, "frag (0x%08x:%d|%ld)",
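Review bot: at the changed line `ND_TCHECK(*dp);`, nothing records why the bounds check has to cover the whole structure rather than one member, so a later cleanup could narrow it back to a single field and bring the over-read back. Suggest a one-line comment above it saying that the code below reads more of the fragment header than `ip6f_offlg` (the verbose `ND_PRINT` format `frag (0x%08x:%d|%ld)` takes three values, whose arguments fall outside this hunk), so the entire header must be present in the captured data before any field is dereferenced.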

Diff for: tests/TESTLIST

+4-3
Original file line numberDiff line numberDiff line change
@@ -536,9 +536,10 @@ isis_stlv_asan-4 isis_stlv_asan-4.pcap isis_stlv_asan-4.out -v
536536
lldp_mgmt_addr_tlv_asan lldp_mgmt_addr_tlv_asan.pcap lldp_mgmt_addr_tlv_asan.out -v
537537
bootp_asan bootp_asan.pcap bootp_asan.out -v
538538
ppp_ccp_config_deflate_option_asan ppp_ccp_config_deflate_option_asan.pcap ppp_ccp_config_deflate_option_asan.out -v
539-
pim_header_asan pim_header_asan.pcap pim_header_asan.out -v
540-
pim_header_asan-2 pim_header_asan-2.pcap pim_header_asan-2.out -v
541-
pim_header_asan-3 pim_header_asan-3.pcap pim_header_asan-3.out -v
539+
pim_header_asan pim_header_asan.pcap pim_header_asan.out -v
540+
pim_header_asan-2 pim_header_asan-2.pcap pim_header_asan-2.out -v
541+
pim_header_asan-3 pim_header_asan-3.pcap pim_header_asan-3.out -v
542+
ip6_frag_asan ip6_frag_asan.pcap ip6_frag_asan.out -v
542543

543544
# RTP tests
544545
# fuzzed pcap
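Review bot: the three `pim_header_asan*` lines are removed and re-added with no visible difference, which the commit message describes as whitespace cleanup; folding that into a CVE fix makes the one functional line, `ip6_frag_asan ip6_frag_asan.pcap ip6_frag_asan.out -v`, harder to spot and makes the fix harder to cherry-pick onto branches where those lines may differ. Suggest moving the whitespace cleanup to its own commit. The new entry also runs only with `-v`; since `ND_TCHECK(*dp)` sits ahead of the `if (ndo->ndo_vflag)` branch, a second entry without `-v` would pin the truncation marker for the non-verbose path as well.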

Diff for: tests/ip6_frag_asan.out

+1
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
IP6 (class 0x51, flowlabel 0xb2100, hlim 16, next-header Fragment (44) payload length: 27136) 452:22:19:0:41a:e4ff:10ff:484d > 2243:80:1400:100:19:ffff:ffff:fffb: [|frag]
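Review bot: the expected line ends in `[|frag]` and reports a payload length of 27136 for a 100-byte capture file, and the commit message says the reporter's capture was modified so it would not be rejected as invalid, but nothing in the change records what was modified. Suggest adding a sentence to the commit message (or a comment next to the TESTLIST entry) describing the modification, so the regression file can be traced back to the original reproducer and regenerated if the capture format handling changes.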

Diff for: tests/ip6_frag_asan.pcap

100 Bytes
Binary file not shown.
