-
Notifications
You must be signed in to change notification settings - Fork 841
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
CVE-2017-13042/HNCP: add DHCPv6-Data bounds checks
hncp_print_rec() validates each HNCP TLV to be within the declared as well as the on-the-wire packet space. However, dhcpv6_print() in the same file didn't do the same for the DHCPv6 options within the HNCP DHCPv6-Data TLV value, which could cause an out-of-bounds read when decoding an invalid packet. Add missing checks to dhcpv6_print(). This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
- Loading branch information
1 parent
f4b9e24
commit 39582c0
Showing
4 changed files
with
17 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
IP6 (flowlabel 0x01cc3, hlim 234, next-header UDP (17) payload length: 11025) 400::e4ff:ffff:adf9:8900:0.1646 > 62:9de3:ff47:ebec:8206:ff00:ad:ff00.8231: hncp (11017) | ||
Future use: type=16384 (5) | ||
DHCPv6-Data (25) | ||
Unknown (4) | ||
Unknown (4) | ||
SNTP-servers (61956) (invalid) | ||
[|hncp] |
Binary file not shown.