
Commit 331530a

CVE-2017-13047/ES-IS: put an existing bounds check right
The bounds check in esis_print() tested one pointer at the beginning of a loop that incremented another; make the trivial fix. While at it, make the function print a standard marker when it detects truncated data and update some existing ES-IS tests respectively. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
1 parent 3c8a2b0 commit 331530a

7 files changed: +12 -6 lines changed

Diff for: print-isoclns.c

+2-2
@@ -1334,7 +1334,7 @@ esis_print(netdissect_options *ndo,
13341334

13351335
case ESIS_OPTION_PROTOCOLS:
13361336
while (opli>0) {
1337-
ND_TCHECK(*pptr);
1337+
ND_TCHECK(*tptr);
13381338
ND_PRINT((ndo, "%s (0x%02x)",
13391339
tok2str(nlpid_values,
13401340
"unknown",
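Review bot: at `ND_TCHECK(*tptr)`, the first statement of the `while (opli>0)` loop, nothing in the code says which of the two cursors this loop reads through, and that is how the check came to sit on `pptr` while, per the commit message, the loop advances the other pointer. A one-line comment above the loop stating that `tptr` is the cursor inside the current option and that `pptr` only moves at `pptr += opli` would keep the check and the read visibly paired for the next person who touches this case.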
@@ -1367,7 +1367,7 @@ esis_print(netdissect_options *ndo,
13671367
pptr += opli;
13681368
}
13691369
trunc:
1370-
return;
1370+
ND_PRINT((ndo, "[|esis]"));
13711371
}
13721372

13731373
static void
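Review bot: at the `trunc:` label, the `return;` that was replaced served both the truncation path and the normal path, and the lines shown have no `return` between the closing `}` after `pptr += opli;` and the label. If that `}` closes the option loop, a packet that parses completely now falls through into `ND_PRINT((ndo, "[|esis]"));` and is reported as truncated. Suggest adding an explicit `return;` before `trunc:` so the marker is printed only when an ND_TCHECK actually fails.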

Diff for: tests/TESTLIST

+1
@@ -566,6 +566,7 @@ vqp-oobr vqp-oobr.pcap vqp-oobr.out -v -c1
566566
bgp_pmsi_tunnel-oobr bgp_pmsi_tunnel-oobr.pcap bgp_pmsi_tunnel-oobr.out -v -c1
567567
bgp_mvpn_6_and_7 bgp_mvpn_6_and_7.pcap bgp_mvpn_6_and_7.out -v -c1
568568
rsvp_fast_reroute-oobr rsvp_fast_reroute-oobr.pcap rsvp_fast_reroute-oobr.out -v -c1
569+
esis_opt_prot-oobr esis_opt_prot-oobr.pcap esis_opt_prot-oobr.out -v -c1
569570

570571
# bad packets from Katie Holly
571572
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out

Diff for: tests/esis_opt_prot-oobr.out

+5
@@ -0,0 +1,5 @@
1+
ES-IS, length 33559803
2+
redirect (6), v: 1, checksum: 0x00c6 (unverified), holding time: 2303s, length indicator: 54
3+
00.8e
4+
SNPA (length: 0): <empty>
5+
Protocols supported Option #129, length 11, value: CLNP (0x81), [|esis]

Diff for: tests/esis_opt_prot-oobr.pcap

76 Bytes
Binary file not shown.

Diff for: tests/esis_snpa_asan-3.out

+1-1
@@ -4,4 +4,4 @@ UI 22! ES-IS, length 65565
44
UI 22! ES-IS, length 2650865693
55
redirect (6), v: 1, checksum: 0x0300 (incorrect should be 0xbce5), holding time: 21480s, length indicator: 17
66
ec.ff00.00
7-
SNPA (length: 0): <empty>
7+
SNPA (length: 0): <empty>[|esis]
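Review bot: on the changed line 7 the marker is glued to the preceding field (`<empty>[|esis]`), because the new `ND_PRINT((ndo, "[|esis]"))` emits no leading separator. The other updated expectations show the same thing after an address (`00.0000.00[|esis]`), while the new esis_opt_prot-oobr.out happens to get a space from a trailing ", ". Consider printing `" [|esis]"` so the marker cannot be mistaken for part of the decoded value, and regenerate these .out files with that form.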

Diff for: tests/esis_snpa_asan-4.out

+2-2
@@ -7,7 +7,7 @@ UI 22! ES-IS, length 65565
77
redirect (6), v: 1, checksum: 0x7034 (incorrect should be 0x44ec), holding time: 21315s, length indicator: 16
88
02.0400
99
SNPA (length: 0): <empty>
10-
Unknown Option #0, length 0, value:
10+
Unknown Option #0, length 0, value: [|esis]
1111
UI 32! ES-IS, length 65565
1212
ESH (2), v: 1, checksum: 0x70a1 (incorrect should be 0xfb4e), holding time: 21315s, length indicator: 17
1313
Number of Source Addresses: 2
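Review bot: on the changed line 10 the expectation now records a truncation marker after `Unknown Option #0, length 0, value:`, an option that has no value bytes to read. Before committing this as expected output, it is worth confirming with the capture that the marker comes from a bounds check that really failed on this packet; an expectation regenerated from the new binary will otherwise lock in whatever the `trunc:` path prints, correct or not.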
@@ -17,5 +17,5 @@ UI 22! ES-IS, length 4244701213
1717
redirect (6), v: 1, checksum: 0x7034 (incorrect should be 0x36fe), holding time: 21315s, length indicator: 17
1818
isonsap_string: illegal length
1919
SNPA (length: 0): <empty>
20-
NET (length: 4) 00.0000.00
20+
NET (length: 4) 00.0000.00[|esis]
2121
Q.922, invalid address

Diff for: tests/esis_snpa_asan-5.out

+1-1
@@ -3,7 +3,7 @@ UI 22! ES-IS, length 65565
33
Number of Source Addresses: 3
44
NET (length: 0): isonsap_string: illegal length
55
NET (length: 4): ec.ff00.00
6-
NET (length: 0): isonsap_string: illegal length
6+
NET (length: 0): isonsap_string: illegal length[|esis]
77
UI 22! ES-IS, length 65565
88
redirect (6), v: 1, checksum: 0x7034 (incorrect should be 0x3ff0), holding time: 21315s, length indicator: 17
99
04
