Permalink
Browse files

CVE-2017-11543/Make sure the SLIP direction octet is valid.

Report if it's not, and don't use it as an out-of-bounds index into an
array.

This fixes a buffer overflow discovered by Wilfried Kirsch.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
  • Loading branch information...
guyharris authored and infrastation committed Mar 17, 2017
1 parent 09b1185 commit 378ac56f8055cadda55735b2a786db844d521d24
Showing with 27 additions and 2 deletions.
  1. +23 −2 print-sl.c
  2. +3 −0 tests/TESTLIST
  3. +1 −0 tests/slip-bad-direction.out
  4. BIN tests/slip-bad-direction.pcap
@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo,
u_int hlen;

dir = p[SLX_DIR];
ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O "));
switch (dir) {

case SLIPDIR_IN:
ND_PRINT((ndo, "I "));
break;

case SLIPDIR_OUT:
ND_PRINT((ndo, "O "));
break;

default:
ND_PRINT((ndo, "Invalid direction %d ", dir));
dir = -1;
break;
}
if (ndo->ndo_nflag) {
/* XXX just dump the header */
register int i;
@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo,
* has restored the IP header copy to IPPROTO_TCP.
*/
lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p;
ND_PRINT((ndo, "utcp %d: ", lastconn));
if (dir == -1) {
/* Direction is bogus, don't use it */
return;
}
hlen = IP_HL(ip);
hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]);
lastlen[dir][lastconn] = length - (hlen << 2);
ND_PRINT((ndo, "utcp %d: ", lastconn));
break;

default:
if (dir == -1) {
/* Direction is bogus, don't use it */
return;
}
if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) {
compressed_sl_print(ndo, &p[SLX_CHDR], ip,
length, dir);
@@ -439,6 +439,9 @@ stp-v4-length-sigsegv stp-v4-length-sigsegv.pcap stp-v4-length-sigsegv.out
hoobr_pimv1 hoobr_pimv1.pcap hoobr_pimv1.out
hoobr_safeputs hoobr_safeputs.pcap hoobr_safeputs.out

# bad packets from Wilfried Kirsch
slip-bad-direction slip-bad-direction.pcap slip-bad-direction.out -ve

# RTP tests
# fuzzed pcap
rtp-seg-fault-1 rtp-seg-fault-1.pcap rtp-seg-fault-1.out -v -T rtp
@@ -0,0 +1 @@
Invalid direction 231 e7.e7.e7.e7.e7.e7.e7.e7.e7.e7.e7.e7.e7.e7.e7: ip v14
Binary file not shown.

0 comments on commit 378ac56

Please sign in to comment.