CVE-2017-13047/ES-IS: put an existing bounds check right
The bounds check in esis_print() tested one pointer at the beginning of
a loop that incremented another; make the trivial fix. While at it, make
the function print a standard marker when it detects truncated data and
update some existing ES-IS tests accordingly.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
infrastation committed Sep 13, 2017
1 parent 3c8a2b0 commit 331530a
Showing 7 changed files with 12 additions and 6 deletions.
4 changes: 2 additions & 2 deletions print-isoclns.c
@@ -1334,7 +1334,7 @@ esis_print(netdissect_options *ndo,

case ESIS_OPTION_PROTOCOLS:
while (opli>0) {
ND_TCHECK(*pptr);
ND_TCHECK(*tptr);
ND_PRINT((ndo, "%s (0x%02x)",
tok2str(nlpid_values,
"unknown",
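Review bot: the check now guards the byte the loop actually dereferences (tptr, not pptr), but ND_TCHECK(*tptr) only covers a single byte per iteration, so this is only sufficient if tptr is advanced by exactly one byte inside the loop body, which is not visible in this hunk. If the whole option value is consumed by this loop, a single ND_TCHECK2(*tptr, opli) before the while would state the requirement once and make the per-iteration check redundant.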
@@ -1367,7 +1367,7 @@ esis_print(netdissect_options *ndo,
pptr += opli;
}
trunc:
return;
ND_PRINT((ndo, "[|esis]"));
}

static void
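Review bot: the trunc: label sits directly after the loop's closing brace with no return between them, so the normal exit path (pptr += opli; }) now falls into ND_PRINT((ndo, "[|esis]")) and prints the truncation marker for every packet whose option walk completes cleanly; the old return made that fall-through harmless. Add a return; before the trunc: label so the marker appears only when an ND_TCHECK jumps there.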
1 change: 1 addition & 0 deletions tests/TESTLIST
@@ -566,6 +566,7 @@ vqp-oobr vqp-oobr.pcap vqp-oobr.out -v -c1
bgp_pmsi_tunnel-oobr bgp_pmsi_tunnel-oobr.pcap bgp_pmsi_tunnel-oobr.out -v -c1
bgp_mvpn_6_and_7 bgp_mvpn_6_and_7.pcap bgp_mvpn_6_and_7.out -v -c1
rsvp_fast_reroute-oobr rsvp_fast_reroute-oobr.pcap rsvp_fast_reroute-oobr.out -v -c1
esis_opt_prot-oobr esis_opt_prot-oobr.pcap esis_opt_prot-oobr.out -v -c1

# bad packets from Katie Holly
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
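Review bot: the new esis_opt_prot-oobr entry is appended to the preceding block of -oobr tests while the following block carries a "# bad packets from Katie Holly" attribution comment; since the commit message credits Bhargava Shastry, SecT/TU Berlin for the capture, a matching comment line above the new entry would keep the reporter attribution in TESTLIST consistent with the neighbouring sections.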
5 changes: 5 additions & 0 deletions tests/esis_opt_prot-oobr.out
@@ -0,0 +1,5 @@
ES-IS, length 33559803
redirect (6), v: 1, checksum: 0x00c6 (unverified), holding time: 2303s, length indicator: 54
00.8e
SNPA (length: 0): <empty>
Protocols supported Option #129, length 11, value: CLNP (0x81), [|esis]
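Review bot: the expected output is consistent with the fix: the option header claims length 11 but only one NLPID (CLNP (0x81)) is printed before "[|esis]", so the corrected ND_TCHECK fires on the second byte of the option value rather than reading past the captured data. The "-c1" in TESTLIST matters here, since the declared PDU length (33559803) and length indicator (54) are both far beyond what the capture holds.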
Binary file added tests/esis_opt_prot-oobr.pcap
2 changes: 1 addition & 1 deletion tests/esis_snpa_asan-3.out
@@ -4,4 +4,4 @@ UI 22! ES-IS, length 65565
UI 22! ES-IS, length 2650865693
redirect (6), v: 1, checksum: 0x0300 (incorrect should be 0xbce5), holding time: 21480s, length indicator: 17
ec.ff00.00
SNPA (length: 0): <empty>
SNPA (length: 0): <empty>[|esis]
4 changes: 2 additions & 2 deletions tests/esis_snpa_asan-4.out
@@ -7,7 +7,7 @@ UI 22! ES-IS, length 65565
redirect (6), v: 1, checksum: 0x7034 (incorrect should be 0x44ec), holding time: 21315s, length indicator: 16
02.0400
SNPA (length: 0): <empty>
Unknown Option #0, length 0, value:
Unknown Option #0, length 0, value: [|esis]
UI 32! ES-IS, length 65565
ESH (2), v: 1, checksum: 0x70a1 (incorrect should be 0xfb4e), holding time: 21315s, length indicator: 17
Number of Source Addresses: 2
@@ -17,5 +17,5 @@ UI 22! ES-IS, length 4244701213
redirect (6), v: 1, checksum: 0x7034 (incorrect should be 0x36fe), holding time: 21315s, length indicator: 17
isonsap_string: illegal length
SNPA (length: 0): <empty>
NET (length: 4) 00.0000.00
NET (length: 4) 00.0000.00[|esis]
Q.922, invalid address
2 changes: 1 addition & 1 deletion tests/esis_snpa_asan-5.out
@@ -3,7 +3,7 @@ UI 22! ES-IS, length 65565
Number of Source Addresses: 3
NET (length: 0): isonsap_string: illegal length
NET (length: 4): ec.ff00.00
NET (length: 0): isonsap_string: illegal length
NET (length: 0): isonsap_string: illegal length[|esis]
UI 22! ES-IS, length 65565
redirect (6), v: 1, checksum: 0x7034 (incorrect should be 0x3ff0), holding time: 21315s, length indicator: 17
04
