Commit 39582c0

CVE-2017-13042/HNCP: add DHCPv6-Data bounds checks
hncp_print_rec() validates each HNCP TLV to be within the declared as well as the on-the-wire packet space. However, dhcpv6_print() in the same file didn't do the same for the DHCPv6 options within the HNCP DHCPv6-Data TLV value, which could cause an out-of-bounds read when decoding an invalid packet. Add missing checks to dhcpv6_print(). This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
1 parent f4b9e24 commit 39582c0

4 files changed

+17
-0
lines changed

Diff for: print-hncp.c

+4
Original file line numberDiff line numberDiff line change
@@ -318,6 +318,8 @@ dhcpv6_print(netdissect_options *ndo,
318318

319319
i = 0;
320320
while (i < length) {
321+
if (i + 4 > length)
322+
return -1;
321323
tlv = cp + i;
322324
type = EXTRACT_16BITS(tlv);
323325
optlen = EXTRACT_16BITS(tlv + 2);
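Review bot: The new `if (i + 4 > length)` check at the top of the loop bounds the 4-byte option header against the declared `length` only; the visible lines show no check that those bytes are also present in the captured packet before `EXTRACT_16BITS(tlv)` and `EXTRACT_16BITS(tlv + 2)` read them. If the caller already guarantees that everything from `cp` up to `cp + length` is captured, say so in a comment above the loop; otherwise a captured-length check belongs next to this one. The literal 4 (type field plus length field) would also read better as a named constant, since it recurs in the later check and in the printed `optlen + 4`.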
@@ -329,6 +331,8 @@ dhcpv6_print(netdissect_options *ndo,
329331

330332
ND_PRINT((ndo, "%s", tok2str(dh6opt_str, "Unknown", type)));
331333
ND_PRINT((ndo," (%u)", optlen + 4 ));
334+
if (i + 4 + optlen > length)
335+
return -1;
332336

333337
switch (type) {
334338
case DH6OPT_DNS_SERVERS:
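Review bot: The `if (i + 4 + optlen > length)` check sits after the two ND_PRINT calls, so an option whose declared length overruns the TLV value still has its name and length printed before the function returns -1. If that ordering is deliberate, so that the offending option stays visible in the output, a short comment would keep a later cleanup from moving the check above the prints. Consider writing the comparison as `optlen > length - i - 4`, which cannot wrap because the check added at the top of the loop has already established that `i + 4` does not exceed `length`.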

Diff for: tests/TESTLIST

+6
Original file line numberDiff line numberDiff line change
@@ -554,6 +554,12 @@ radius_attr_asan radius_attr_asan.pcap radius_attr_asan.out -v
554554
ospf6_decode_v3_asan ospf6_decode_v3_asan.pcap ospf6_decode_v3_asan.out -v
555555
ip_ts_opts_asan ip_ts_opts_asan.pcap ip_ts_opts_asan.out -v
556556
isakmpv1-attr-oobr isakmpv1-attr-oobr.pcap isakmpv1-attr-oobr.out -v
557+
# The case below depends on the bug in print-hncp.c, which at the time of
558+
# discovery had codepoints for DHCPv6-Data and DHCPv4-Data swapped around.
559+
# After the bugfix the output will be different because of the different
560+
# code path and will not test the vulnerability unless modified respectively.
561+
# The .pcap file is truncated after the 1st packet.
562+
hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1
557563

558564
# bad packets from Katie Holly
559565
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
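Review bot: The regression test added here will stop covering dhcpv6_print() once the swapped DHCPv6-Data and DHCPv4-Data codepoints are corrected, as the comment above the `hncp_dhcpv6data-oobr` entry itself says, and nothing in the list will flag that when it happens. Suggest stating in the comment what has to change in the capture for it to keep reaching the DHCPv6 option loop, so the codepoint fix can update the test in the same commit. The wording "unless modified respectively" is hard to parse; "unless modified accordingly" is probably what is meant.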

Diff for: tests/hncp_dhcpv6data-oobr.out

+7
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
IP6 (flowlabel 0x01cc3, hlim 234, next-header UDP (17) payload length: 11025) 400::e4ff:ffff:adf9:8900:0.1646 > 62:9de3:ff47:ebec:8206:ff00:ad:ff00.8231: hncp (11017)
2+
Future use: type=16384 (5)
3+
DHCPv6-Data (25)
4+
Unknown (4)
5+
Unknown (4)
6+
SNTP-servers (61956) (invalid)
7+
[|hncp]

Diff for: tests/hncp_dhcpv6data-oobr.pcap

148 Bytes
Binary file not shown.
