Skip to content

Commit 3de07c7

Browse files
committed
(for 4.9.3) CVE-2018-14463/VRRP: Add a missing bounds check
In vrrp_print(). This fixes a buffer over-read discovered by Bhargava Shastry. Add a test using the capture file supplied by the reporter(s).
1 parent bea2686 commit 3de07c7

File tree

4 files changed

+10
-1
lines changed

4 files changed

+10
-1
lines changed

Diff for: print-vrrp.c

+3-1
Original file line numberDiff line numberDiff line change
@@ -142,9 +142,11 @@ vrrp_print(netdissect_options *ndo,
142142

143143
vec[0].ptr = bp;
144144
vec[0].len = len;
145-
if (in_cksum(vec, 1))
145+
if (in_cksum(vec, 1)) {
146+
ND_TCHECK_16BITS(&bp[6]);
146147
ND_PRINT((ndo, ", (bad vrrp cksum %x)",
147148
EXTRACT_16BITS(&bp[6])));
149+
}
148150
}
149151

150152
if (version == 3 && ND_TTEST2(bp[0], len)) {

Diff for: tests/TESTLIST

+1
Original file line numberDiff line numberDiff line change
@@ -556,6 +556,7 @@ ldp-ldp_tlv_print-oobr ldp-ldp_tlv_print-oobr.pcap ldp-ldp_tlv_print-oobr.out -v
556556
icmp-icmp_print-oobr-1 icmp-icmp_print-oobr-1.pcap icmp-icmp_print-oobr-1.out -v -c3
557557
icmp-icmp_print-oobr-2 icmp-icmp_print-oobr-2.pcap icmp-icmp_print-oobr-2.out -v -c3
558558
rsvp-rsvp_obj_print-oobr rsvp-rsvp_obj_print-oobr.pcap rsvp-rsvp_obj_print-oobr.out -v -c3
559+
vrrp-vrrp_print-oobr vrrp-vrrp_print-oobr.pcap vrrp-vrrp_print-oobr.out -v -c3
559560
# The .pcap file is truncated after the 1st packet.
560561
hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1
561562
hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1

Diff for: tests/vrrp-vrrp_print-oobr.out

+6
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
IP (tos 0x7f,CE, ttl 254, id 40208, offset 0, flags [none], proto VRRP (112), length 34, options (unknown 69 [bad length 83]), bad cksum 8e15 (->bc96)!)
2+
250.219.91.20 > 209.150.251.64: vrrp 250.219.91.20 > 209.150.251.64: VRRPv2, Advertisement, (ttl 254), vrid 2, prio 0, authtype simple, intvl 255s, length 6[|vrrp]
3+
IP (tos 0x7f,CE, ttl 254, id 40208, offset 0, flags [none], proto VRRP (112), length 40, options (unknown 69 [bad length 83]), bad cksum 8e15 (->b790)!)
4+
250.219.91.20 > 209.150.251.64: vrrp 250.219.91.20 > 209.150.251.64: VRRPv2, Advertisement, (ttl 254), vrid 2, prio 0, authtype simple, intvl 255s, length 12, addrs:[|vrrp]
5+
IP (tos 0x7f,CE, ttl 254, id 40208, offset 0, flags [none], proto VRRP (112), length 40, options (unknown 69 [bad length 83]), bad cksum 8e15 (->bc90)!)
6+
250.219.91.20 > 209.150.251.64: vrrp 250.219.91.20 > 209.150.251.64: VRRPv2, Advertisement, (ttl 254), vrid 2, prio 0, authtype simple, intvl 255s, length 12, addrs:[|vrrp]

Diff for: tests/vrrp-vrrp_print-oobr.pcap

3.79 KB
Binary file not shown.

0 commit comments

Comments
 (0)