CVE-2017-13004/Juniper: Add a bounds check.

This fixes a buffer over-read discovered by Forcepoint's security researchers Otto Airamo & Antti Levomäki. Add tests using the capture files supplied by the reporter(s).
the-tcpdump-group · Sep 13, 2017 · 42073d5 · 42073d5
1 parent a252119
commit 42073d5
Show file tree

Hide file tree

Showing 6 changed files with 7 additions and 0 deletions.
diff --git a/print-juniper.c b/print-juniper.c
@@ -1367,6 +1367,7 @@ juniper_parse_header(netdissect_options *ndo,
             if (ndo->ndo_eflag) ND_PRINT((ndo, ": ")); /* print demarc b/w L2/L3*/
 
 
+            ND_TCHECK_16BITS(p+l2info->cookie_len);
             l2info->proto = EXTRACT_16BITS(p+l2info->cookie_len);
             break;
         }

diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -493,6 +493,8 @@ pimv2-oobr-4		pimv2-oobr-4.pcap		pimv2-oobr-4.out		-vvv -e
 802_15_4-data		802_15_4-data.pcap		802_15_4-data.out	-vvv -e
 802_15_4_beacon		802_15_4_beacon.pcap		802_15_4_beacon.out	-vvv -e
 lmpv1_busyloop		lmpv1_busyloop.pcap		lmpv1_busyloop.out	-vvv -e
+juniper_atm1		juniper_atm1.pcap		juniper_atm1.out	-vvv -e
+juniper_es		juniper_es.pcap			juniper_es.out	-vvv -e
 
 # RTP tests
 # fuzzed pcap

diff --git a/tests/juniper_atm1.out b/tests/juniper_atm1.out
@@ -0,0 +1,2 @@
+Out 
+	Juniper PCAP Flags [none]ATM1-PIC, cookie-len 4, cookie 0x30303030: [|juniper_hdr], length 808464432
diff --git a/tests/juniper_atm1.pcap b/tests/juniper_atm1.pcap
diff --git a/tests/juniper_es.out b/tests/juniper_es.out
@@ -0,0 +1,2 @@
+Out 
+	Juniper PCAP Flags [none]ES-PIC, cookie-len 0: [|juniper_hdr], length 808464432
diff --git a/tests/juniper_es.pcap b/tests/juniper_es.pcap