Commit 571a6f3

guyharris authored and infrastation committed
CVE-2017-13035/Properly handle IS-IS IDs shorter than a system ID (MAC address).
Some of them are variable-length, with a field giving the total length, and therefore they can be shorter than 6 octets. If one is, don't run past the end.

This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
1 parent da6f1a6 commit 571a6f3

4 files changed: +77 -1 lines changed

Diff for: print-isoclns.c

+5-1
@@ -1646,8 +1646,12 @@ isis_print_id(const uint8_t *cp, int id_len)
16461646
int i;
16471647
static char id[sizeof("xxxx.xxxx.xxxx.yy-zz")];
16481648
char *pos = id;
1649+
int sysid_len;
16491650

1650-
for (i = 1; i <= SYSTEM_ID_LEN; i++) {
1651+
sysid_len = SYSTEM_ID_LEN;
1652+
if (sysid_len > id_len)
1653+
sysid_len = id_len;
1654+
for (i = 1; i <= sysid_len; i++) {
16511655
snprintf(pos, sizeof(id) - (pos - id), "%02x", *cp++);
16521656
pos += strlen(pos);
16531657
if (i == 2 || i == 4)
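Review bot: The clamp `if (sysid_len > id_len) sysid_len = id_len;` bounds the loop from above only. `id_len` is a signed `int`, so a zero or negative value skips the loop and leaves `pos` at the start of the `static` buffer `id`, and nothing in these lines resets that buffer; unless code below the hunk writes a terminator, the string from a previous call would be returned. Consider setting `id[0] = '\0'` before the loop or rejecting `id_len <= 0` up front, and add a one-line comment saying that variable-length IDs can be shorter than `SYSTEM_ID_LEN`. It is also worth confirming what `if (i == 2 || i == 4)` produces when the clamped length is exactly 2 or 4, since the separator test still fires on the last octet in that case.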

Diff for: tests/TESTLIST

+1
@@ -539,6 +539,7 @@ isis_stlv_asan isis_stlv_asan.pcap isis_stlv_asan.out -v
539539
isis_stlv_asan-2 isis_stlv_asan-2.pcap isis_stlv_asan-2.out -v
540540
isis_stlv_asan-3 isis_stlv_asan-3.pcap isis_stlv_asan-3.out -v
541541
isis_stlv_asan-4 isis_stlv_asan-4.pcap isis_stlv_asan-4.out -v
542+
isis_sysid_asan isis_sysid_asan.pcap isis_sysid_asan.out -v
542543
lldp_mgmt_addr_tlv_asan lldp_mgmt_addr_tlv_asan.pcap lldp_mgmt_addr_tlv_asan.out -v
543544
bootp_asan bootp_asan.pcap bootp_asan.out -v
544545
bootp_asan-2 bootp_asan-2.pcap bootp_asan-2.out -v

Diff for: tests/isis_sysid_asan.out

+71
@@ -0,0 +1,71 @@
1+
UI 22! IS-IS, length 469869187
2+
L2 Lan IIH, hlen: 27, v: 1, pdu-v: 1, sys-id-len: 6 (0), max-area: 224 (224)
3+
source-id: fed0.f90f.58af, holding time: 34047s, Flags: [unknown circuit type 0x00]
4+
lan-id: 0105.0088.a204.00, Priority: 65, PDU length: 4096
5+
unknown TLV #64, length: 128
6+
0x0000: ff10 8e12 0001 1b01 0000 6b00 fbcf f90f
7+
0x0010: 58af 84ff 1000 4901 0000 88a2 011c 000c
8+
0x0020: 0281 0083 1b01 0010 019d e000 fed0 f90f
9+
0x0030: 58af 84ff 1000 4101 0500 88a2 011c 0272
10+
0x0040: 0c2a 2205 831b 011c 0010 0000 0583 1b01
11+
0x0050: 0010 01ab e000 fe08 0808 0808 08cb 0808
12+
0x0060: 0808 0808 0808 0880 0008 7f08 0808 0808
13+
0x0070: 08fd 0808 080c 0608 0807 0808 0808 0408
14+
Padding TLV #8, length: 8
15+
Padding TLV #8, length: 8
16+
Padding TLV #8, length: 7
17+
Padding TLV #8, length: 8
18+
Padding TLV #8, length: 0
19+
Padding TLV #8, length: 8
20+
unknown TLV #100, length: 0
21+
unknown TLV #32, length: 16
22+
0x0000: 2020 2020 3c20 2020 2020 2020 205a 1a31
23+
IS Neighbor(s) (variable length) TLV #7, length: 238
24+
LAN address length 1 bytes
25+
IS Neighbor: 5a
26+
IS Neighbor: 45
27+
IS Neighbor: 50
28+
IS Neighbor: 48
29+
IS Neighbor: 59
30+
IS Neighbor: 52
31+
IS Neighbor: 5f
32+
IS Neighbor: 43
33+
IS Neighbor: 54
34+
IS Neighbor: 4c
35+
IS Neighbor: 08
36+
IS Neighbor: 08
37+
IS Neighbor: 08
38+
IS Neighbor: 08
39+
IS Neighbor: 08
40+
IS Neighbor: 08
41+
IS Neighbor: 08
42+
IS Neighbor: 08
43+
IS Neighbor: 08
44+
IS Neighbor: 08
45+
IS Neighbor: 08
46+
IS Neighbor: 08
47+
IS Neighbor: 08
48+
IS Neighbor: 08
49+
IS Neighbor: 08
50+
IS Neighbor: 08
51+
IS Neighbor: 08
52+
IS Neighbor: 08
53+
IS Neighbor: 08
54+
IS Neighbor: 08
55+
IS Neighbor: 00
56+
IS Neighbor: 00
57+
IS Neighbor: 08
58+
IS Neighbor: 00
59+
IS Neighbor: 20
60+
IS Neighbor: 64
61+
IS Neighbor: 00
62+
IS Neighbor: 20
63+
IS Neighbor: 10
64+
IS Neighbor: 20
65+
IS Neighbor: 20
66+
IS Neighbor: 20
67+
IS Neighbor: 20
68+
IS Neighbor: 20
69+
IS Neighbor: 20
70+
IS Neighbor: 20
71+
IS Neighbor: 20 [|isis]
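Review bot: The expected output pins down only the 1-octet case (`LAN address length 1 bytes`, with every `IS Neighbor:` printed as a single octet), so the new clamp is never exercised for ID lengths 2 through 5, where the `i == 2 || i == 4` separator logic in `isis_print_id` comes into play. A second capture, or a hand-built one, with a 2- or 4-octet ID would fix what the short-ID string is supposed to look like at those lengths and catch a regression there.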

Diff for: tests/isis_sysid_asan.pcap

323 Bytes
Binary file not shown.
