Skip to content

Commit

Permalink
CVE-2017-12997/LLDP: Don't use an 8-bit loop counter.
Browse files Browse the repository at this point in the history 
If you have a

	for (i = 0; i < N; i++)

loop, you'd better make sure that i is big enough to hold N - not N-1,
N.

The TLV length here is 9 bits long, not 8 bits long, so an 8-bit loop
counter will overflow and you can loop infinitely.

This fixes an infinite loop discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add tests using the capture files supplied by the reporter(s).

Clean up the output a bit while we're at it.
  • Loading branch information
@guyharris @infrastation
guyharris authored and infrastation committed Sep 13, 2017
1 parent 979dcef commit 34cec72
Show file tree
Hide file tree
Showing 6 changed files with 301 additions and 4 deletions.
8 changes: 4 additions & 4 deletions print-lldp.c
View file
Expand Up @@ -651,7 +651,7 @@ lldp_private_8021_print(netdissect_options *ndo,
int subtype, hexdump = FALSE;
u_int sublen;
u_int tval;
uint8_t i;
u_int i;

if (tlv_len < 4) {
return hexdump;
Expand Down Expand Up @@ -787,9 +787,9 @@ lldp_private_8021_print(netdissect_options *ndo,
ND_PRINT((ndo, "\n\t Application Priority Table"));
while(i<sublen) {
tval=*(tptr+i+5);
ND_PRINT((ndo, "\n\t Priority: %d, RES: %d, Sel: %d",
tval >> 5, (tval >> 3) & 0x03, (tval & 0x07)));
ND_PRINT((ndo, "Protocol ID: %d", EXTRACT_16BITS(tptr + i + 5)));
ND_PRINT((ndo, "\n\t Priority: %u, RES: %u, Sel: %u, Protocol ID: %u",
tval >> 5, (tval >> 3) & 0x03, (tval & 0x07),
EXTRACT_16BITS(tptr + i + 5)));
i=i+3;
}
break;
Expand Down
2 changes: 2 additions & 0 deletions tests/TESTLIST
View file
Expand Up @@ -479,6 +479,8 @@ dns_fwdptr dns_fwdptr.pcap dns_fwdptr.out -vvv -e
isis-areaaddr-oobr-1 isis-areaaddr-oobr-1.pcap isis-areaaddr-oobr-1.out -vvv -e
isis-areaaddr-oobr-2 isis-areaaddr-oobr-2.pcap isis-areaaddr-oobr-2.out -vvv -e
isis-extd-ipreach-oobr isis-extd-ipreach-oobr.pcap isis-extd-ipreach-oobr.out -vvv -e
lldp-infinite-loop-1 lldp-infinite-loop-1.pcap lldp-infinite-loop-1.out -vvv -e
lldp-infinite-loop-2 lldp-infinite-loop-2.pcap lldp-infinite-loop-2.out -vvv -e

# RTP tests
# fuzzed pcap
Expand Down
134 changes: 134 additions & 0 deletions tests/lldp-infinite-loop-1.out
View file
@@ -0,0 +1,134 @@
08:00:27:42:ba:59 > 01:80:c2:00:00:0e, ethertype LLDP (0x88cc), length 1755: LLDP, length 1741
Chassis ID TLV (1), length 7
Subtype MAC address (4): 08:00:27:42:ba:59
0x0000: 0408 0027 42ba 59
Port ID TLV (2), length 7
Subtype MAC address (3): 08:00:27:42:ba:59
0x0000: 0308 0027 42ba 59
Time to Live TLV (3), length 2: TTL 120s
0x0000: 0078
Organization specific TLV (127), length 6: OUI Ethernet bridged (0x0080c2)
Port VLAN Id Subtype (1)
port vlan id (PVID): 0
0x0000: 0080 c201 0000
Organization specific TLV (127), length 7: OUI Ethernet bridged (0x0080c2)
Port and Protocol VLAN ID Subtype (2)
port and protocol vlan id (PPVID): 0, flags [supported] (0x02)
0x0000: 0080 c202 0200 00
Organization specific TLV (127), length 14: OUI Ethernet bridged (0x0080c2)
VLAN name Subtype (3)
vlan id (VID): 1
vlan name: default
0x0000: 0080 c203 0001 0764 6566 6175 6c74
Organization specific TLV (127), length 13: OUI Ethernet bridged (0x0080c2)
Protocol Identity Subtype (4)
protocol identity:
0x0000: 0080 c204 0800 0042 4203 0080 08
Organization specific TLV (127), length 263: OUI Ethernet bridged (0x0080c2)
Application Priority Subtype (12)
RES: 0
Application Priority Table
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
0x0000: 0080 c20c 0000 0000 0000 0000 80c2 0c00
0x0010: 0000 0000 0000 0080 c20c 0000 0000 0000
0x0020: 0000 80c2 0c00 0000 0000 0000 0080 c20c
0x0030: 0000 0000 0000 0000 80c2 0c00 0000 0000
0x0040: 0000 0080 c20c 0000 0000 0000 0000 80c2
0x0050: 0c00 0000 0000 0000 0080 c20c 0000 0000
0x0060: 0000 0000 80c2 0c00 0000 0000 0000 0080
0x0070: c20c 0000 0000 0000 0000 80c2 0c00 0000
0x0080: 0000 0000 0080 c20c 0000 0000 0000 0000
0x0090: 80c2 0c00 0000 0000 0000 0080 c20c 0000
0x00a0: 0000 0000 0000 80c2 0c00 0000 0000 0000
0x00b0: 0080 c20c 0000 0000 0000 0000 80c2 0c00
0x00c0: 0000 0000 0000 0080 c20c 0000 0000 0000
0x00d0: 0000 80c2 0c00 0000 0000 0000 0080 c20c
0x00e0: 0000 0000 0000 0000 80c2 0c00 0000 0000
0x00f0: 0000 0080 c20c 0000 0000 0000 0000 80c2
0x0100: 0c00 0000 0000 00
End TLV (0), length 0
Binary file added tests/lldp-infinite-loop-1.pcap
View file
Binary file not shown.
161 changes: 161 additions & 0 deletions tests/lldp-infinite-loop-2.out
View file
@@ -0,0 +1,161 @@
08:00:27:0d:f1:3c > 01:80:c2:00:00:0e, ethertype LLDP (0x88cc), length 2130: LLDP, length 2116
Chassis ID TLV (1), length 7
Subtype MAC address (4): 08:00:27:0d:f1:3c
0x0000: 0408 0027 0df1 3c
Port ID TLV (2), length 7
Subtype MAC address (3): 08:00:27:0d:f1:3c
0x0000: 0308 0027 0df1 3c
Time to Live TLV (3), length 2: TTL 120s
0x0000: 0078
Organization specific TLV (127), length 6: OUI Ethernet bridged (0x0080c2)
Port VLAN Id Subtype (1)
port vlan id (PVID): 1
0x0000: 0080 c201 0001
Organization specific TLV (127), length 7: OUI Ethernet bridged (0x0080c2)
Port and Protocol VLAN ID Subtype (2)
port and protocol vlan id (PPVID): 0, flags [supported] (0x02)
0x0000: 0080 c202 0200 00
Organization specific TLV (127), length 14: OUI Ethernet bridged (0x0080c2)
VLAN name Subtype (3)
vlan id (VID): 1
vlan name: default
0x0000: 0080 c203 0001 0764 6566 6175 6c74
Organization specific TLV (127), length 13: OUI Ethernet bridged (0x0080c2)
Protocol Identity Subtype (4)
protocol identity:
0x0000: 0080 c204 0800 0042 4203 0000 03
Organization specific TLV (127), length 9: OUI Ethernet bridged (0x0080c2)
EVB Subtype (13)
EVB Bridge Status
RES: 0, BGID: 0, RRCAP: 1, RRCTR: 0
EVB Station Status
RES: 0, SGID: 0, RRREQ: 0,RRSTAT: 0
R: 7, RTE: 21, EVB Mode: EVB Bridge [1]
ROL: 0, RWD: 30, RES: 0, ROL: 0, RKA: 15
0x0000: 0080 c20d 0200 f55e 0f
Organization specific TLV (127), length 266: OUI Ethernet bridged (0x0080c2)
CDCP Subtype (14)
Role: 0, RES: 0, Scomp: 0 ChnCap: 167
SCID: 1, SVID: 1
SCID: 0, SVID: 194
SCID: 224, SVID: 0
SCID: 10, SVID: 1792
SCID: 256, SVID: 256
SCID: 12, SVID: 526
SCID: 0, SVID: 0
SCID: 2672, SVID: 16
SCID: 16, SVID: 0
SCID: 3104, SVID: 3584
SCID: 0, SVID: 167
SCID: 1, SVID: 1
SCID: 0, SVID: 194
SCID: 224, SVID: 0
SCID: 10, SVID: 1792
SCID: 256, SVID: 256
SCID: 12, SVID: 526
SCID: 0, SVID: 0
SCID: 2672, SVID: 16
SCID: 16, SVID: 0
SCID: 3104, SVID: 3584
SCID: 0, SVID: 167
SCID: 1, SVID: 1
SCID: 0, SVID: 194
SCID: 224, SVID: 0
SCID: 10, SVID: 1792
SCID: 256, SVID: 256
SCID: 12, SVID: 526
SCID: 0, SVID: 0
SCID: 2672, SVID: 16
SCID: 16, SVID: 0
SCID: 3104, SVID: 3584
SCID: 0, SVID: 167
SCID: 1, SVID: 1
SCID: 0, SVID: 194
SCID: 224, SVID: 0
SCID: 10, SVID: 1792
SCID: 256, SVID: 256
SCID: 12, SVID: 526
SCID: 0, SVID: 0
SCID: 2672, SVID: 16
SCID: 16, SVID: 0
SCID: 3104, SVID: 3584
SCID: 0, SVID: 167
SCID: 1, SVID: 1
SCID: 0, SVID: 194
SCID: 224, SVID: 0
SCID: 10, SVID: 1792
SCID: 256, SVID: 256
SCID: 12, SVID: 526
SCID: 0, SVID: 0
SCID: 2672, SVID: 16
SCID: 16, SVID: 0
SCID: 3104, SVID: 3584
SCID: 0, SVID: 167
SCID: 1, SVID: 1
SCID: 0, SVID: 194
SCID: 224, SVID: 0
SCID: 10, SVID: 1792
SCID: 256, SVID: 256
SCID: 12, SVID: 526
SCID: 0, SVID: 0
SCID: 2672, SVID: 16
SCID: 16, SVID: 0
SCID: 3104, SVID: 3584
SCID: 0, SVID: 167
SCID: 1, SVID: 1
SCID: 0, SVID: 194
SCID: 224, SVID: 0
SCID: 10, SVID: 1792
SCID: 256, SVID: 256
SCID: 12, SVID: 526
SCID: 0, SVID: 0
SCID: 2672, SVID: 16
SCID: 16, SVID: 0
SCID: 3104, SVID: 3584
SCID: 0, SVID: 167
SCID: 1, SVID: 1
SCID: 0, SVID: 194
SCID: 224, SVID: 0
SCID: 10, SVID: 1792
SCID: 256, SVID: 256
SCID: 12, SVID: 526
SCID: 0, SVID: 0
SCID: 2672, SVID: 16
SCID: 16, SVID: 0
0x0000: 0080 c20e 0000 00a7 0010 0100 00c2 0e00
0x0010: 0000 a700 1001 0000 c20e 0000 00a7 0010
0x0020: 0100 00c2 0e00 0000 a700 1001 0000 c20e
0x0030: 0000 00a7 0010 0100 00c2 0e00 0000 a700
0x0040: 1001 0000 c20e 0000 00a7 0010 0100 00c2
0x0050: 0e00 0000 a700 1001 0000 c20e 0000 00a7
0x0060: 0010 0100 00c2 0e00 0000 a700 1001 0000
0x0070: c20e 0000 00a7 0010 0100 00c2 0e00 0000
0x0080: a700 1001 0000 c20e 0000 00a7 0010 0100
0x0090: 00c2 0e00 0000 a700 1001 0000 c20e 0000
0x00a0: 00a7 0010 0100 00c2 0e00 0000 a700 1001
0x00b0: 0000 c20e 0000 00a7 0010 0100 00c2 0e00
0x00c0: 0000 a700 1001 0000 c20e 0000 00a7 0010
0x00d0: 0100 00c2 0e00 0000 a700 1001 0000 c20e
0x00e0: 0000 00a7 0010 0100 00c2 0e00 0000 a700
0x00f0: 1001 0000 c20e 0000 00a7 0010 0100 00c2
0x0100: 0e00 0000 a700 1001 0000
Unknown TLV (97), length 14
0x0000: 0000 00a7 0010 0100 00c2 0e00 0000
Unknown TLV (83), length 256
0x0000: 1001 0000 c20e 0000 00a7 0010 0100 00c2
0x0010: 0e00 0000 a700 1001 0000 c20e 0000 00a7
0x0020: 0010 0100 00c2 0e00 0000 a700 1001 0000
0x0030: c20e 0000 00a7 0010 0100 00c2 0e00 0000
0x0040: a700 1001 0000 c20e 0000 00a7 0010 0100
0x0050: 00c2 0e00 0000 a700 1001 0000 c20e 0000
0x0060: 00a7 0010 0100 00c2 0e00 0000 a700 1001
0x0070: 0000 c20e 0000 00a7 0010 0100 00c2 0e00
0x0080: 0000 a700 1001 0000 c20e 0000 00a7 0010
0x0090: 0100 00c2 0e00 0000 a700 1001 0000 c20e
0x00a0: 0000 00a7 0010 0100 00c2 0e00 0000 a700
0x00b0: 1001 0000 c20e 0000 00a7 0010 0100 00c2
0x00c0: 0e00 0000 a700 1001 0000 c20e 0000 00a7
0x00d0: 0010 0100 00c2 0e00 0000 a700 1001 0000
0x00e0: c20e 0000 00a7 0010 0100 00c2 0e00 0000
0x00f0: a700 1001 0000 c20e 0000 00a7 0010 0100
End TLV (0), length 194
Binary file added tests/lldp-infinite-loop-2.pcap
View file
Binary file not shown.

0 comments on commit 34cec72

Please sign in to comment.