
Commit 34cec72

guyharrisinfrastation
authored andcommitted
CVE-2017-12997/LLDP: Don't use an 8-bit loop counter.
If you have a for (i = 0; i < N; i++) loop, you'd better make sure that i is big enough to hold N - not N-1, N. The TLV length here is 9 bits long, not 8 bits long, so an 8-bit loop counter will overflow and you can loop infinitely. This fixes an infinite loop discovered by Forcepoint's security researchers Otto Airamo & Antti Levomäki. Add tests using the capture files supplied by the reporter(s). Clean up the output a bit while we're at it.
1 parent 979dcef commit 34cec72

6 files changed

+301
-4
lines changed

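--- a/print-lldp.c
+++ b/print-lldp.c
@@ -651,7 +651,7 @@ lldp_private_8021_print(netdissect_options *ndo,
 int subtype, hexdump = FALSE;
 u_int sublen;
 u_int tval;
-uint8_t i;
+u_int i;
 
 if (tlv_len < 4) {
 return hexdump;
@@ -787,9 +787,9 @@ lldp_private_8021_print(netdissect_options *ndo,
 ND_PRINT((ndo, "\n\t Application Priority Table"));
 while(i<sublen) {
 tval=*(tptr+i+5);
-ND_PRINT((ndo, "\n\t Priority: %d, RES: %d, Sel: %d",
-tval >> 5, (tval >> 3) & 0x03, (tval & 0x07)));
-ND_PRINT((ndo, "Protocol ID: %d", EXTRACT_16BITS(tptr + i + 5)));
+ND_PRINT((ndo, "\n\t Priority: %u, RES: %u, Sel: %u, Protocol ID: %u",
+tval >> 5, (tval >> 3) & 0x03, (tval & 0x07),
+EXTRACT_16BITS(tptr + i + 5)));
 i=i+3;
 }
 break;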
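Review bot: The Protocol ID read `EXTRACT_16BITS(tptr + i + 5)` starts at the same octet that `tval=*(tptr+i+5);` already consumed, so the printed Protocol ID's high byte is the priority/selector octet itself — the new expected output's `Sel: 4, Protocol ID: 3072` (0x0c followed by 0x00) shows that overlap; if each Application Priority Table entry is one priority/RES/selector octet followed by a two-octet protocol ID, the read should be `EXTRACT_16BITS(tptr + i + 6)`. That offset is pre-existing and the commit only reformats the print, so it should be confirmed against the 802.1Qaz layout before changing, and the new .out fixtures would then need regenerating. Separately, the loop advances `i` by 3 but reads up to three octets from `tptr + i + 5` each pass, so when `sublen` is not a multiple of 3 the final iteration reads past `sublen`; whether a bounds check on the whole TLV covers this is not visible in the hunk. lldp_private_8021_print begins and ends outside the hunk.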

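--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -479,6 +479,8 @@ dns_fwdptr dns_fwdptr.pcap dns_fwdptr.out -vvv -e
 isis-areaaddr-oobr-1 isis-areaaddr-oobr-1.pcap isis-areaaddr-oobr-1.out -vvv -e
 isis-areaaddr-oobr-2 isis-areaaddr-oobr-2.pcap isis-areaaddr-oobr-2.out -vvv -e
 isis-extd-ipreach-oobr isis-extd-ipreach-oobr.pcap isis-extd-ipreach-oobr.out -vvv -e
+lldp-infinite-loop-1 lldp-infinite-loop-1.pcap lldp-infinite-loop-1.out -vvv -e
+lldp-infinite-loop-2 lldp-infinite-loop-2.pcap lldp-infinite-loop-2.out -vvv -e
 
 # RTP tests
 # fuzzed pcap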

Diff for: tests/lldp-infinite-loop-1.out

+134
@@ -0,0 +1,134 @@
1+
08:00:27:42:ba:59 > 01:80:c2:00:00:0e, ethertype LLDP (0x88cc), length 1755: LLDP, length 1741
2+
Chassis ID TLV (1), length 7
3+
Subtype MAC address (4): 08:00:27:42:ba:59
4+
0x0000: 0408 0027 42ba 59
5+
Port ID TLV (2), length 7
6+
Subtype MAC address (3): 08:00:27:42:ba:59
7+
0x0000: 0308 0027 42ba 59
8+
Time to Live TLV (3), length 2: TTL 120s
9+
0x0000: 0078
10+
Organization specific TLV (127), length 6: OUI Ethernet bridged (0x0080c2)
11+
Port VLAN Id Subtype (1)
12+
port vlan id (PVID): 0
13+
0x0000: 0080 c201 0000
14+
Organization specific TLV (127), length 7: OUI Ethernet bridged (0x0080c2)
15+
Port and Protocol VLAN ID Subtype (2)
16+
port and protocol vlan id (PPVID): 0, flags [supported] (0x02)
17+
0x0000: 0080 c202 0200 00
18+
Organization specific TLV (127), length 14: OUI Ethernet bridged (0x0080c2)
19+
VLAN name Subtype (3)
20+
vlan id (VID): 1
21+
vlan name: default
22+
0x0000: 0080 c203 0001 0764 6566 6175 6c74
23+
Organization specific TLV (127), length 13: OUI Ethernet bridged (0x0080c2)
24+
Protocol Identity Subtype (4)
25+
protocol identity:
26+
0x0000: 0080 c204 0800 0042 4203 0080 08
27+
Organization specific TLV (127), length 263: OUI Ethernet bridged (0x0080c2)
28+
Application Priority Subtype (12)
29+
RES: 0
30+
Application Priority Table
31+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
32+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
33+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
34+
Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
35+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
36+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
37+
Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
38+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
39+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
40+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
41+
Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
42+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
43+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
44+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
45+
Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
46+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
47+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
48+
Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
49+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
50+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
51+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
52+
Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
53+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
54+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
55+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
56+
Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
57+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
58+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
59+
Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
60+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
61+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
62+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
63+
Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
64+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
65+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
66+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
67+
Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
68+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
69+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
70+
Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
71+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
72+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
73+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
74+
Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
75+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
76+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
77+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
78+
Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
79+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
80+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
81+
Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
82+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
83+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
84+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
85+
Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
86+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
87+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
88+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
89+
Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
90+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
91+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
92+
Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
93+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
94+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
95+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
96+
Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
97+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
98+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
99+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
100+
Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
101+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
102+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
103+
Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
104+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
105+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
106+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
107+
Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
108+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
109+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
110+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
111+
Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
112+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
113+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
114+
Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
115+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
116+
Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
117+
0x0000: 0080 c20c 0000 0000 0000 0000 80c2 0c00
118+
0x0010: 0000 0000 0000 0080 c20c 0000 0000 0000
119+
0x0020: 0000 80c2 0c00 0000 0000 0000 0080 c20c
120+
0x0030: 0000 0000 0000 0000 80c2 0c00 0000 0000
121+
0x0040: 0000 0080 c20c 0000 0000 0000 0000 80c2
122+
0x0050: 0c00 0000 0000 0000 0080 c20c 0000 0000
123+
0x0060: 0000 0000 80c2 0c00 0000 0000 0000 0080
124+
0x0070: c20c 0000 0000 0000 0000 80c2 0c00 0000
125+
0x0080: 0000 0000 0080 c20c 0000 0000 0000 0000
126+
0x0090: 80c2 0c00 0000 0000 0000 0080 c20c 0000
127+
0x00a0: 0000 0000 0000 80c2 0c00 0000 0000 0000
128+
0x00b0: 0080 c20c 0000 0000 0000 0000 80c2 0c00
129+
0x00c0: 0000 0000 0000 0080 c20c 0000 0000 0000
130+
0x00d0: 0000 80c2 0c00 0000 0000 0000 0080 c20c
131+
0x00e0: 0000 0000 0000 0000 80c2 0c00 0000 0000
132+
0x00f0: 0000 0080 c20c 0000 0000 0000 0000 80c2
133+
0x0100: 0c00 0000 0000 00
134+
End TLV (0), length 0

Diff for: tests/lldp-infinite-loop-1.pcap

1.75 KB
Binary file not shown.

Diff for: tests/lldp-infinite-loop-2.out

+161
@@ -0,0 +1,161 @@
1+
08:00:27:0d:f1:3c > 01:80:c2:00:00:0e, ethertype LLDP (0x88cc), length 2130: LLDP, length 2116
2+
Chassis ID TLV (1), length 7
3+
Subtype MAC address (4): 08:00:27:0d:f1:3c
4+
0x0000: 0408 0027 0df1 3c
5+
Port ID TLV (2), length 7
6+
Subtype MAC address (3): 08:00:27:0d:f1:3c
7+
0x0000: 0308 0027 0df1 3c
8+
Time to Live TLV (3), length 2: TTL 120s
9+
0x0000: 0078
10+
Organization specific TLV (127), length 6: OUI Ethernet bridged (0x0080c2)
11+
Port VLAN Id Subtype (1)
12+
port vlan id (PVID): 1
13+
0x0000: 0080 c201 0001
14+
Organization specific TLV (127), length 7: OUI Ethernet bridged (0x0080c2)
15+
Port and Protocol VLAN ID Subtype (2)
16+
port and protocol vlan id (PPVID): 0, flags [supported] (0x02)
17+
0x0000: 0080 c202 0200 00
18+
Organization specific TLV (127), length 14: OUI Ethernet bridged (0x0080c2)
19+
VLAN name Subtype (3)
20+
vlan id (VID): 1
21+
vlan name: default
22+
0x0000: 0080 c203 0001 0764 6566 6175 6c74
23+
Organization specific TLV (127), length 13: OUI Ethernet bridged (0x0080c2)
24+
Protocol Identity Subtype (4)
25+
protocol identity:
26+
0x0000: 0080 c204 0800 0042 4203 0000 03
27+
Organization specific TLV (127), length 9: OUI Ethernet bridged (0x0080c2)
28+
EVB Subtype (13)
29+
EVB Bridge Status
30+
RES: 0, BGID: 0, RRCAP: 1, RRCTR: 0
31+
EVB Station Status
32+
RES: 0, SGID: 0, RRREQ: 0,RRSTAT: 0
33+
R: 7, RTE: 21, EVB Mode: EVB Bridge [1]
34+
ROL: 0, RWD: 30, RES: 0, ROL: 0, RKA: 15
35+
0x0000: 0080 c20d 0200 f55e 0f
36+
Organization specific TLV (127), length 266: OUI Ethernet bridged (0x0080c2)
37+
CDCP Subtype (14)
38+
Role: 0, RES: 0, Scomp: 0 ChnCap: 167
39+
SCID: 1, SVID: 1
40+
SCID: 0, SVID: 194
41+
SCID: 224, SVID: 0
42+
SCID: 10, SVID: 1792
43+
SCID: 256, SVID: 256
44+
SCID: 12, SVID: 526
45+
SCID: 0, SVID: 0
46+
SCID: 2672, SVID: 16
47+
SCID: 16, SVID: 0
48+
SCID: 3104, SVID: 3584
49+
SCID: 0, SVID: 167
50+
SCID: 1, SVID: 1
51+
SCID: 0, SVID: 194
52+
SCID: 224, SVID: 0
53+
SCID: 10, SVID: 1792
54+
SCID: 256, SVID: 256
55+
SCID: 12, SVID: 526
56+
SCID: 0, SVID: 0
57+
SCID: 2672, SVID: 16
58+
SCID: 16, SVID: 0
59+
SCID: 3104, SVID: 3584
60+
SCID: 0, SVID: 167
61+
SCID: 1, SVID: 1
62+
SCID: 0, SVID: 194
63+
SCID: 224, SVID: 0
64+
SCID: 10, SVID: 1792
65+
SCID: 256, SVID: 256
66+
SCID: 12, SVID: 526
67+
SCID: 0, SVID: 0
68+
SCID: 2672, SVID: 16
69+
SCID: 16, SVID: 0
70+
SCID: 3104, SVID: 3584
71+
SCID: 0, SVID: 167
72+
SCID: 1, SVID: 1
73+
SCID: 0, SVID: 194
74+
SCID: 224, SVID: 0
75+
SCID: 10, SVID: 1792
76+
SCID: 256, SVID: 256
77+
SCID: 12, SVID: 526
78+
SCID: 0, SVID: 0
79+
SCID: 2672, SVID: 16
80+
SCID: 16, SVID: 0
81+
SCID: 3104, SVID: 3584
82+
SCID: 0, SVID: 167
83+
SCID: 1, SVID: 1
84+
SCID: 0, SVID: 194
85+
SCID: 224, SVID: 0
86+
SCID: 10, SVID: 1792
87+
SCID: 256, SVID: 256
88+
SCID: 12, SVID: 526
89+
SCID: 0, SVID: 0
90+
SCID: 2672, SVID: 16
91+
SCID: 16, SVID: 0
92+
SCID: 3104, SVID: 3584
93+
SCID: 0, SVID: 167
94+
SCID: 1, SVID: 1
95+
SCID: 0, SVID: 194
96+
SCID: 224, SVID: 0
97+
SCID: 10, SVID: 1792
98+
SCID: 256, SVID: 256
99+
SCID: 12, SVID: 526
100+
SCID: 0, SVID: 0
101+
SCID: 2672, SVID: 16
102+
SCID: 16, SVID: 0
103+
SCID: 3104, SVID: 3584
104+
SCID: 0, SVID: 167
105+
SCID: 1, SVID: 1
106+
SCID: 0, SVID: 194
107+
SCID: 224, SVID: 0
108+
SCID: 10, SVID: 1792
109+
SCID: 256, SVID: 256
110+
SCID: 12, SVID: 526
111+
SCID: 0, SVID: 0
112+
SCID: 2672, SVID: 16
113+
SCID: 16, SVID: 0
114+
SCID: 3104, SVID: 3584
115+
SCID: 0, SVID: 167
116+
SCID: 1, SVID: 1
117+
SCID: 0, SVID: 194
118+
SCID: 224, SVID: 0
119+
SCID: 10, SVID: 1792
120+
SCID: 256, SVID: 256
121+
SCID: 12, SVID: 526
122+
SCID: 0, SVID: 0
123+
SCID: 2672, SVID: 16
124+
SCID: 16, SVID: 0
125+
0x0000: 0080 c20e 0000 00a7 0010 0100 00c2 0e00
126+
0x0010: 0000 a700 1001 0000 c20e 0000 00a7 0010
127+
0x0020: 0100 00c2 0e00 0000 a700 1001 0000 c20e
128+
0x0030: 0000 00a7 0010 0100 00c2 0e00 0000 a700
129+
0x0040: 1001 0000 c20e 0000 00a7 0010 0100 00c2
130+
0x0050: 0e00 0000 a700 1001 0000 c20e 0000 00a7
131+
0x0060: 0010 0100 00c2 0e00 0000 a700 1001 0000
132+
0x0070: c20e 0000 00a7 0010 0100 00c2 0e00 0000
133+
0x0080: a700 1001 0000 c20e 0000 00a7 0010 0100
134+
0x0090: 00c2 0e00 0000 a700 1001 0000 c20e 0000
135+
0x00a0: 00a7 0010 0100 00c2 0e00 0000 a700 1001
136+
0x00b0: 0000 c20e 0000 00a7 0010 0100 00c2 0e00
137+
0x00c0: 0000 a700 1001 0000 c20e 0000 00a7 0010
138+
0x00d0: 0100 00c2 0e00 0000 a700 1001 0000 c20e
139+
0x00e0: 0000 00a7 0010 0100 00c2 0e00 0000 a700
140+
0x00f0: 1001 0000 c20e 0000 00a7 0010 0100 00c2
141+
0x0100: 0e00 0000 a700 1001 0000
142+
Unknown TLV (97), length 14
143+
0x0000: 0000 00a7 0010 0100 00c2 0e00 0000
144+
Unknown TLV (83), length 256
145+
0x0000: 1001 0000 c20e 0000 00a7 0010 0100 00c2
146+
0x0010: 0e00 0000 a700 1001 0000 c20e 0000 00a7
147+
0x0020: 0010 0100 00c2 0e00 0000 a700 1001 0000
148+
0x0030: c20e 0000 00a7 0010 0100 00c2 0e00 0000
149+
0x0040: a700 1001 0000 c20e 0000 00a7 0010 0100
150+
0x0050: 00c2 0e00 0000 a700 1001 0000 c20e 0000
151+
0x0060: 00a7 0010 0100 00c2 0e00 0000 a700 1001
152+
0x0070: 0000 c20e 0000 00a7 0010 0100 00c2 0e00
153+
0x0080: 0000 a700 1001 0000 c20e 0000 00a7 0010
154+
0x0090: 0100 00c2 0e00 0000 a700 1001 0000 c20e
155+
0x00a0: 0000 00a7 0010 0100 00c2 0e00 0000 a700
156+
0x00b0: 1001 0000 c20e 0000 00a7 0010 0100 00c2
157+
0x00c0: 0e00 0000 a700 1001 0000 c20e 0000 00a7
158+
0x00d0: 0010 0100 00c2 0e00 0000 a700 1001 0000
159+
0x00e0: c20e 0000 00a7 0010 0100 00c2 0e00 0000
160+
0x00f0: a700 1001 0000 c20e 0000 00a7 0010 0100
161+
End TLV (0), length 194

Diff for: tests/lldp-infinite-loop-2.pcap

2.12 KB
Binary file not shown.
