
Commit 396e94f

(for 4.9.3) CVE-2018-14469/ISAKMP: Add a missing bounds check
In ikev1_n_print() check bounds before trying to fetch the replay detection status. This fixes a buffer over-read discovered by Bhargava Shastry. Add a test using the capture file supplied by the reporter(s).
1 parent c24922e commit 396e94f

4 files changed

+10
-0
lines changed

Diff for: print-isakmp.c

+1
@@ -1769,6 +1769,7 @@ ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
17691769
}
17701770
case IPSECDOI_NTYPE_REPLAY_STATUS:
17711771
ND_PRINT((ndo," status=("));
1772+
ND_TCHECK_32BITS(cp);
17721773
ND_PRINT((ndo,"replay detection %sabled",
17731774
EXTRACT_32BITS(cp) ? "en" : "dis"));
17741775
ND_PRINT((ndo,")"));
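Review bot: The new ND_TCHECK_32BITS(cp) sits after the ND_PRINT((ndo," status=(")) context line, so when the check fails the output already contains an unbalanced "status=(" before the truncation marker; placing the check before that ND_PRINT would keep the printed notification well-formed on truncated input. Also confirm that ikev1_n_print() has the trunc: label ND_TCHECK_32BITS jumps to, since it is outside the visible context of this hunk.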

Diff for: tests/TESTLIST

+1
@@ -551,6 +551,7 @@ radius_attr_asan radius_attr_asan.pcap radius_attr_asan.out -v
551551
ospf6_decode_v3_asan ospf6_decode_v3_asan.pcap ospf6_decode_v3_asan.out -v
552552
ip_ts_opts_asan ip_ts_opts_asan.pcap ip_ts_opts_asan.out -v
553553
isakmpv1-attr-oobr isakmpv1-attr-oobr.pcap isakmpv1-attr-oobr.out -v
554+
isakmp-ikev1_n_print-oobr isakmp-ikev1_n_print-oobr.pcap isakmp-ikev1_n_print-oobr.out -v -c3
554555
# The .pcap file is truncated after the 1st packet.
555556
hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1
556557
hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1
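Review bot: Missing documentation for the new isakmp-ikev1_n_print-oobr entry: the neighbouring oobr/asan entries carry no reference back to the fix either, but a short comment naming CVE-2018-14469 (as the commit title does) would let a reader of TESTLIST tie the regression test to the bounds check. Also note that this entry uses -c3 where the adjacent entries use -c1; that is consistent with a three-packet capture, but it is worth confirming the count is intentional and that the following comment "# The .pcap file is truncated after the 1st packet." is understood to describe only the hncp entries below it.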

Diff for: tests/isakmp-ikev1_n_print-oobr.out

+8
@@ -0,0 +1,8 @@
1+
IP (tos 0x12,ECT(0), ttl 17, id 47119, offset 0, flags [+, DF, rsvd], proto UDP (17), length 296, bad cksum 1ff (->327b)!)
2+
80.236.128.20.500 > 12.251.0.45.49152: isakmp 2.12 msgid 10101010: child_sa ikev2_auth[V]:
3+
(n: doi=0 proto=128 type=#24577) [|#126] (len mismatch: isakmp 4278190080/ip 268)
4+
IP (tos 0x12,ECT(0), ttl 17, id 21263, offset 72, flags [+, DF, rsvd], proto unknown (40), length 296, bad cksum fbff (->9847)!)
5+
80.0.128.20 > 12.251.0.45: ip-proto-40
6+
IP (tos 0x15,ECT(1), ttl 17, id 21263, offset 0, flags [+, DF, rsvd], proto UDP (17), length 296, bad cksum 1ff (->9864)!)
7+
80.0.128.20.500 > 12.251.0.45.49152: isakmp 2.12 msgid 1010100b: child_sa ikev2_auth[V]:
8+
(n: doi=ipsec proto=#16 type=REPLAY-STATUS spi=04 status=( [|n]) (len mismatch: isakmp 620756992/ip 268)
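Review bot: The last line of the expected output, "status=( [|n])", records the unbalanced parenthesis produced because the bounds check in print-isakmp.c runs after " status=(" has already been printed; if that check is moved ahead of the ND_PRINT, this .out file must be regenerated or the test will fail. The "len mismatch" and "bad cksum" annotations on the other lines are expected for a malformed capture and are fine to keep as the regression baseline.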

Diff for: tests/isakmp-ikev1_n_print-oobr.pcap

376 Bytes
Binary file not shown.
