CVE-2017-5341/OTV: add missing bounds checks
Interleave the bounds checking with printing to make it visible which
last protocol field was OK. This fixes a vulnerability discovered by
Brian Carpenter.
infrastation authored and fxlb committed Jan 18, 2017
1 parent d6913f7 commit 409ffe9
Showing 4 changed files with 28 additions and 13 deletions.
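--- a/print-otv.c
+++ b/print-otv.c
@@ -42,27 +42,31 @@ void
 otv_print(netdissect_options *ndo, const u_char *bp, u_int len)
 {
 uint8_t flags;
-uint32_t overlay_id;
-uint32_t instance_id;
 
-if (len < 8) {
-ND_PRINT((ndo, "[|OTV]"));
-return;
-}
+ND_PRINT((ndo, "OTV, "));
+if (len < 8)
+goto trunc;
 
+ND_TCHECK(*bp);
 flags = *bp;
+ND_PRINT((ndo, "flags [%s] (0x%02x), ", flags & 0x08 ? "I" : ".", flags));
 bp += 1;
 
-overlay_id = EXTRACT_24BITS(bp);
+ND_TCHECK2(*bp, 3);
+ND_PRINT((ndo, "overlay %u, ", EXTRACT_24BITS(bp)));
 bp += 3;
 
-instance_id = EXTRACT_24BITS(bp);
-bp += 4;
+ND_TCHECK2(*bp, 3);
+ND_PRINT((ndo, "instance %u\n", EXTRACT_24BITS(bp)));
+bp += 3;
 
-ND_PRINT((ndo, "OTV, "));
-ND_PRINT((ndo, "flags [%s] (0x%02x), ", flags & 0x08 ? "I" : ".", flags));
-ND_PRINT((ndo, "overlay %u, ", overlay_id));
-ND_PRINT((ndo, "instance %u\n", instance_id));
+/* Reserved */
+ND_TCHECK(*bp);
+bp += 1;
 
 ether_print(ndo, bp, len - 8, len - 8, NULL, NULL);
+return;
+
+trunc:
+ND_PRINT((ndo, " [|OTV]"));
 }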
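Review bot: The `ether_print()` call at the end of `otv_print` still passes `len - 8` for both the length and the captured-length argument, so the inner Ethernet dissector is told the whole on-wire payload is present even when the capture was cut short. The `ND_TCHECK` calls added here cover only the eight OTV header bytes; whether the encapsulated frame is read safely then depends on bounds checks inside `ether_print`, which this page does not show. Passing the bytes actually captured would keep the bound honest, for example `ether_print(ndo, bp, len - 8, ndo->ndo_snapend - bp, NULL, NULL);`. The added regression test only exercises truncation inside the OTV header, so a capture that ends inside the inner Ethernet header would be worth adding as well.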
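--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -422,6 +422,7 @@ relts-0x80000000 relts-0x80000000.pcap relts-0x80000000.out -t -v -n
 # bad packets from Brian Carpenter
 ipv6hdr-heapoverflow ipv6hdr-heapoverflow.pcap ipv6hdr-heapoverflow.out -t
 ipv6hdr-heapoverflow-v ipv6hdr-heapoverflow.pcap ipv6hdr-heapoverflow-v.out -t -v
+otv-heapoverflow-1 otv-heapoverflow-1.pcap otv-heapoverflow-1.out -t -c10
 
 # RTP tests
 # fuzzed pcap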
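--- /dev/null
+++ b/tests/otv-heapoverflow-1.out
@@ -0,0 +1,10 @@
+IP 192.168.0.134.47808 > 192.168.0.24.47808: UDP, length 6
+IP 192.168.0.134.47808 > 192.168.0.24.47808: UDP, length 12
+IP 192.168.0.24.47808 > 192.168.0.134.47808: UDP, length 6
+IP 192.168.0.24.47808 > 192.168.0.255.47808: UDP, length 18
+IP 192.168.0.105.47808 > 192.168.0.255.47808: UDP, length 25
+IP 192.168.0.24.47808 > 192.168.0.134.47808: UDP, length 31
+IP 192.168.0.18.47808 > 192.168.0.255.47808: UDP, length 24
+IP 192.168.0.24.40896 > 192.168.0.134.47808: UDP, length 30
+IP 192.168.0.24.47808 > 192.168.0.255.47808: UDP, length 20
+IP 192.168.0.9.37123 > 97.34.1.224.8472: OTV, flags [I] (0x9d), overlay 12124160, [|OTV]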
Binary file added tests/otv-heapoverflow-1.pcap
Binary file not shown.
