Commit 4846b3c

infrastation authored and fxlb committed
(for 4.9.3) CVE-2018-16227/IEEE 802.11: add a missing bounds check
ieee802_11_print() tried to access the Mesh Flags subfield of the Mesh Control field to find the size of the latter and increment the expected 802.11 header length before checking it is fully present in the input buffer. Add an intermediate bounds check to make it safe. This fixes a buffer over-read discovered by Ryan Ackroyd. Add a test using the capture file supplied by the reporter(s).
1 parent 83a412a commit 4846b3c

4 files changed, +8 -0 lines changed

Diff for: print-802_11.c

+4
@@ -2058,6 +2058,10 @@ ieee802_11_print(netdissect_options *ndo,
20582058
hdrlen = roundup2(hdrlen, 4);
20592059
if (ndo->ndo_Hflag && FC_TYPE(fc) == T_DATA &&
20602060
DATA_FRAME_IS_QOS(FC_SUBTYPE(fc))) {
2061+
if (caplen < hdrlen + 1) {
2062+
ND_PRINT((ndo, "%s", tstr));
2063+
return hdrlen;
2064+
}
20612065
meshdrlen = extract_mesh_header_length(p+hdrlen);
20622066
hdrlen += meshdrlen;
20632067
} else
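
Review bot: the new guard `if (caplen < hdrlen + 1)` uses a bare `+ 1` with no comment saying which octet it stands for. Per the commit message it is the Mesh Flags subfield that `extract_mesh_header_length(p+hdrlen)` reads, so a one-line comment above the check, or a named constant for the subfield size, would keep the guard and the helper in step if the helper ever reads more than one byte. The guard covers only that first octet, so the full `hdrlen + meshdrlen` still depends on the later length check the commit message refers to, which is outside this hunk. The early return also hands back an `hdrlen` that is at least `caplen` at that point; worth confirming that this matches what the function's other truncation paths return.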

Diff for: tests/TESTLIST

+3
@@ -602,6 +602,9 @@ ospf6_print_lshdr-oobr ospf6_print_lshdr-oobr.pcapng ospf6_print_lshdr-oobr.out
602602
rpl-dao-oobr rpl-dao-oobr.pcapng rpl-dao-oobr.out -vv -c1
603603
hncp_prefix-oobr hncp_prefix-oobr.pcapng hncp_prefix-oobr.out -vvv
604604

605+
# bad packets from Ryan Ackroyd
606+
ieee802.11_meshhdr-oobr ieee802.11_meshhdr-oobr.pcap ieee802.11_meshhdr-oobr.out -H -c1
607+
605608
# RTP tests
606609
# fuzzed pcap
607610
rtp-seg-fault-1 rtp-seg-fault-1.pcap rtp-seg-fault-1.out -v -T rtp
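
Review bot: the comment added above the new entry, `# bad packets from Ryan Ackroyd`, names the reporter but not the issue; adding the CVE id from the commit title (CVE-2018-16227) would make the test traceable to the fix. The `-H` option on the entry is what takes the `ndo_Hflag` branch patched in print-802_11.c, and saying so in the comment would stop the flag from being dropped later as redundant.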

Diff for: tests/ieee802.11_meshhdr-oobr.out

+1
@@ -0,0 +1 @@
1+
3472328296059908144us tsft 24.0 Mb/s 12334 MHz Turbo 48dBm noise [|802.11][|802.11]
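
Review bot: the expected output ends with the truncation marker twice, `[|802.11][|802.11]`. If the first comes from the new `ND_PRINT((ndo, "%s", tstr))` and the second from a caller reacting to the returned `hdrlen`, one truncated frame is being reported twice; confirm that is intended before it is locked in as the reference output, or drop one of the two prints.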

Diff for: tests/ieee802.11_meshhdr-oobr.pcap

867 Bytes
Binary file not shown.
