Skip to content
Permalink
Browse files Browse the repository at this point in the history
CVE-2017-13045/VQP: add some bounds checks
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
  • Loading branch information
infrastation committed Sep 13, 2017
1 parent c2f6833 commit 3b36ec4
Show file tree
Hide file tree
Showing 4 changed files with 18 additions and 1 deletion.
14 changes: 13 additions & 1 deletion print-vqp.c
Expand Up @@ -26,6 +26,7 @@
#include "netdissect.h"
#include "extract.h"
#include "addrtoname.h"
#include "ether.h"

#define VQP_VERSION 1
#define VQP_EXTRACT_VERSION(x) ((x)&0xFF)
Expand Down Expand Up @@ -105,13 +106,15 @@ vqp_print(netdissect_options *ndo, register const u_char *pptr, register u_int l
const u_char *tptr;
uint16_t vqp_obj_len;
uint32_t vqp_obj_type;
int tlen;
u_int tlen;
uint8_t nitems;

tptr=pptr;
tlen = len;
vqp_common_header = (const struct vqp_common_header_t *)pptr;
ND_TCHECK(*vqp_common_header);
if (sizeof(struct vqp_common_header_t) > tlen)
goto trunc;

/*
* Sanity checking of the header.
Expand Down Expand Up @@ -151,6 +154,9 @@ vqp_print(netdissect_options *ndo, register const u_char *pptr, register u_int l
while (nitems > 0 && tlen > 0) {

vqp_obj_tlv = (const struct vqp_obj_tlv_t *)tptr;
ND_TCHECK(*vqp_obj_tlv);
if (sizeof(struct vqp_obj_tlv_t) > tlen)
goto trunc;
vqp_obj_type = EXTRACT_32BITS(vqp_obj_tlv->obj_type);
vqp_obj_len = EXTRACT_16BITS(vqp_obj_tlv->obj_length);
tptr+=sizeof(struct vqp_obj_tlv_t);
Expand All @@ -167,9 +173,13 @@ vqp_print(netdissect_options *ndo, register const u_char *pptr, register u_int l

/* did we capture enough for fully decoding the object ? */
ND_TCHECK2(*tptr, vqp_obj_len);
if (vqp_obj_len > tlen)
goto trunc;

switch(vqp_obj_type) {
case VQP_OBJ_IP_ADDRESS:
if (vqp_obj_len != 4)
goto trunc;
ND_PRINT((ndo, "%s (0x%08x)", ipaddr_string(ndo, tptr), EXTRACT_32BITS(tptr)));
break;
/* those objects have similar semantics - fall through */
Expand All @@ -182,6 +192,8 @@ vqp_print(netdissect_options *ndo, register const u_char *pptr, register u_int l
/* those objects have similar semantics - fall through */
case VQP_OBJ_MAC_ADDRESS:
case VQP_OBJ_MAC_NULL:
if (vqp_obj_len != ETHER_ADDR_LEN)
goto trunc;
ND_PRINT((ndo, "%s", etheraddr_string(ndo, tptr)));
break;
default:
Expand Down
1 change: 1 addition & 0 deletions tests/TESTLIST
Expand Up @@ -562,6 +562,7 @@ isakmpv1-attr-oobr isakmpv1-attr-oobr.pcap isakmpv1-attr-oobr.out -v
hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1
# Same comments apply to the case below.
hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1
vqp-oobr vqp-oobr.pcap vqp-oobr.out -v -c1

# bad packets from Katie Holly
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
Expand Down
4 changes: 4 additions & 0 deletions tests/vqp-oobr.out
@@ -0,0 +1,4 @@
IP (tos 0x0, ttl 17, id 40207, offset 0, flags [+, DF, rsvd], proto UDP (17), length 46, bad cksum 8f04 (->f897)!)
0.0.128.20.1589 > 12.251.167.8.62720:
VQPv1, unknown (127) Message, error-code unknown (31) (31), seq 0x80f90000, items 27, length 18
[|VQP]
Binary file added tests/vqp-oobr.pcap
Binary file not shown.

0 comments on commit 3b36ec4

Please sign in to comment.