Commit 3c8a2b0

CVE-2017-13048/RSVP: fix decoding of Fast Reroute objects
In rsvp_obj_print() the case block for Class-Num 205 (FAST_REROUTE) from RFC 4090 Section 4.1 could over-read accessing the buffer contents before making the bounds check. Rearrange those steps the correct way around. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
1 parent 6283c99 commit 3c8a2b0

4 files changed

+9
-1
lines changed

Diff for: print-rsvp.c

+2-1
@@ -1472,12 +1472,12 @@ rsvp_obj_print(netdissect_options *ndo,
14721472
case RSVP_OBJ_FASTREROUTE:
14731473
/* the differences between c-type 1 and 7 are minor */
14741474
obj_ptr.rsvp_obj_frr = (const struct rsvp_obj_frr_t *)obj_tptr;
1475-
bw.i = EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->bandwidth);
14761475

14771476
switch(rsvp_obj_ctype) {
14781477
case RSVP_CTYPE_1: /* new style */
14791478
if (obj_tlen < sizeof(struct rsvp_obj_frr_t))
14801479
return-1;
1480+
bw.i = EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->bandwidth);
14811481
ND_PRINT((ndo, "%s Setup Priority: %u, Holding Priority: %u, Hop-limit: %u, Bandwidth: %.10g Mbps",
14821482
ident,
14831483
(int)obj_ptr.rsvp_obj_frr->setup_prio,
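Review bot: With `bw.i` no longer assigned ahead of `switch(rsvp_obj_ctype)`, any ctype path other than the two that now extract it would see `bw` unset; please confirm that no other case or default path of this switch prints the bandwidth. The cast into `obj_ptr.rsvp_obj_frr` on the line above the removed statement still precedes the length check. That is harmless as a pointer assignment, but a short comment saying nothing may be dereferenced through it until `obj_tlen` has been checked would help keep a later edit from reintroducing the over-read.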
@@ -1496,6 +1496,7 @@ rsvp_obj_print(netdissect_options *ndo,
14961496
case RSVP_CTYPE_TUNNEL_IPV4: /* old style */
14971497
if (obj_tlen < 16)
14981498
return-1;
1499+
bw.i = EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->bandwidth);
14991500
ND_PRINT((ndo, "%s Setup Priority: %u, Holding Priority: %u, Hop-limit: %u, Bandwidth: %.10g Mbps",
15001501
ident,
15011502
(int)obj_ptr.rsvp_obj_frr->setup_prio,
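Review bot: The old-style branch guards the relocated read with a bare literal, `if (obj_tlen < 16)`, while the new-style branch uses `sizeof(struct rsvp_obj_frr_t)`, and nothing visible here ties 16 to the fields read through `obj_ptr.rsvp_obj_frr` in this branch. Suggest a named constant or a comment stating which layout those 16 bytes cover, so a reader can verify that `EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->bandwidth)` and the fields printed after it fall inside the checked length.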

Diff for: tests/TESTLIST

+1
@@ -565,6 +565,7 @@ hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1
565565
vqp-oobr vqp-oobr.pcap vqp-oobr.out -v -c1
566566
bgp_pmsi_tunnel-oobr bgp_pmsi_tunnel-oobr.pcap bgp_pmsi_tunnel-oobr.out -v -c1
567567
bgp_mvpn_6_and_7 bgp_mvpn_6_and_7.pcap bgp_mvpn_6_and_7.out -v -c1
568+
rsvp_fast_reroute-oobr rsvp_fast_reroute-oobr.pcap rsvp_fast_reroute-oobr.out -v -c1
568569

569570
# bad packets from Katie Holly
570571
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out

Diff for: tests/rsvp_fast_reroute-oobr.out

+6
@@ -0,0 +1,6 @@
1+
IP (tos 0x0, ttl 224, id 17920, offset 0, flags [none], proto RSVP (46), length 42024, bad cksum 3700 (->fc41)!)
2+
0.203.243.128 > 0.26.0.0:
3+
RSVPv1 Path Message (1), Flags: [Refresh reduction capable], length: 41218, ttl: 227, checksum: 0x00f4
4+
Fast Re-Route Object (205) Flags: [ignore and forward if unknown], Class-Type: Unknown (0), length: 4
5+
Fast Re-Route Object (205) Flags: [ignore and forward if unknown], Class-Type: Unknown (0), length: 4
6+
[|rsvp]
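Review bot: Both Fast Re-Route objects in this expected output are `Class-Type: Unknown (0), length: 4`, so the capture covers the removal of the unconditional read before the switch but, judging by these lines, reaches neither `RSVP_CTYPE_1` nor `RSVP_CTYPE_TUNNEL_IPV4`. Consider adding one capture per ctype with an object shorter than the checked length, so the two relocated `bw.i` reads and their `return-1` paths are exercised by the test suite as well.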

Diff for: tests/rsvp_fast_reroute-oobr.pcap

114 Bytes
Binary file not shown.
