Skip to content
Permalink
Browse files

CVE-2017-13042/HNCP: add DHCPv6-Data bounds checks

hncp_print_rec() validates each HNCP TLV to be within the declared as
well as the on-the-wire packet space. However, dhcpv6_print() in the same
file didn't do the same for the DHCPv6 options within the HNCP
DHCPv6-Data TLV value, which could cause an out-of-bounds read when
decoding an invalid packet. Add missing checks to dhcpv6_print().

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
  • Loading branch information...
infrastation committed Jul 29, 2017
1 parent f4b9e24 commit 39582c04cc5e34054b2936b423072fb9df2ff6ef
Showing with 17 additions and 0 deletions.
  1. +4 −0 print-hncp.c
  2. +6 −0 tests/TESTLIST
  3. +7 −0 tests/hncp_dhcpv6data-oobr.out
  4. BIN tests/hncp_dhcpv6data-oobr.pcap
@@ -318,6 +318,8 @@ dhcpv6_print(netdissect_options *ndo,

i = 0;
while (i < length) {
if (i + 4 > length)
return -1;
tlv = cp + i;
type = EXTRACT_16BITS(tlv);
optlen = EXTRACT_16BITS(tlv + 2);
@@ -329,6 +331,8 @@ dhcpv6_print(netdissect_options *ndo,

ND_PRINT((ndo, "%s", tok2str(dh6opt_str, "Unknown", type)));
ND_PRINT((ndo," (%u)", optlen + 4 ));
if (i + 4 + optlen > length)
return -1;

switch (type) {
case DH6OPT_DNS_SERVERS:
@@ -554,6 +554,12 @@ radius_attr_asan radius_attr_asan.pcap radius_attr_asan.out -v
ospf6_decode_v3_asan ospf6_decode_v3_asan.pcap ospf6_decode_v3_asan.out -v
ip_ts_opts_asan ip_ts_opts_asan.pcap ip_ts_opts_asan.out -v
isakmpv1-attr-oobr isakmpv1-attr-oobr.pcap isakmpv1-attr-oobr.out -v
# The case below depends on the bug in print-hncp.c, which at the time of
# discovery had codepoints for DHCPv6-Data and DHCPv4-Data swapped around.
# After the bugfix the output will be different because of the different
# code path and will not test the vulnerability unless modified respectively.
# The .pcap file is truncated after the 1st packet.
hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1

# bad packets from Katie Holly
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
@@ -0,0 +1,7 @@
IP6 (flowlabel 0x01cc3, hlim 234, next-header UDP (17) payload length: 11025) 400::e4ff:ffff:adf9:8900:0.1646 > 62:9de3:ff47:ebec:8206:ff00:ad:ff00.8231: hncp (11017)
Future use: type=16384 (5)
DHCPv6-Data (25)
Unknown (4)
Unknown (4)
SNTP-servers (61956) (invalid)
[|hncp]
Binary file not shown.

0 comments on commit 39582c0

Please sign in to comment.
You can’t perform that action at this time.