
CVE-2017-13055/IS-IS: fix an Extended IS Reachability sub-TLV

In isis_print_is_reach_subtlv() one of the case blocks did not check that
the sub-TLV "V" is actually present and could over-read the input buffer.
Add a length check to fix that and remove a useless boundary check from
a loop because the boundary is tested for the full length of "V" before
the switch block.

Update one of the prior test cases as it turns out it depended on this
previously incorrect code path to make it to its own malformed structure
further down the buffer; the bugfix has changed its output.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
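The check the commit message describes, shown as an added worked example that is not code from tcpdump or from this commit: a minimal C decoder for an Extended IS Reachability sub-TLV list that verifies the full length of "V" once before dispatching on the sub-TLV type, and guards the Bandwidth Constraints case with `subl == 0` so the model ID octet is never read from an empty value. The names `decode_bw_constraints`, `walk_subtlvs`, `SUBTLV_BW_CONSTRAINTS`, `MAX_TE_CLASSES` and the three sample buffers are assumptions constructed for this example; `extract_32bits` stands in for tcpdump's `EXTRACT_32BITS`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for tcpdump's ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS;
 * 22 is the sub-TLV number shown in the expected test output of this commit. */
#define SUBTLV_BW_CONSTRAINTS 22
#define MAX_TE_CLASSES 8

struct bw_constraints {
    int model_id;                 /* -1 when the value "V" was empty */
    unsigned nclasses;            /* number of 4-byte constraints decoded */
    uint32_t bc[MAX_TE_CLASSES];
};

static uint32_t extract_32bits(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode one Bandwidth Constraints value of length subl at tptr.  The caller
 * has already checked that all subl bytes are readable, so the loop needs no
 * per-iteration bounds check; what it must never do is read tptr[0] when
 * subl is 0.  Returns 0 on success, -1 for an empty value. */
int decode_bw_constraints(const uint8_t *tptr, unsigned subl,
                          struct bw_constraints *out)
{
    memset(out, 0, sizeof *out);
    out->model_id = -1;
    if (subl == 0)                /* the fix: an absent "V" has no model ID */
        return -1;
    out->model_id = tptr[0];
    tptr++;
    /* decode BCs until the sub-TLV ends; a trailing partial word is ignored */
    for (unsigned te_class = 0;
         te_class < (subl - 1) / 4 && te_class < MAX_TE_CLASSES; te_class++) {
        out->bc[te_class] = extract_32bits(tptr);
        tptr += 4;
        out->nclasses++;
    }
    return 0;
}

/* Walk a sub-TLV list: sublen is the length the enclosing TLV advertises,
 * avail is what the buffer really holds.  Each header and each full value is
 * checked against the remaining bytes before anything is read.  Returns the
 * number of sub-TLVs decoded, or -1 if the list is truncated. */
int walk_subtlvs(const uint8_t *tptr, size_t avail, unsigned sublen,
                 struct bw_constraints *bw, int *bw_found)
{
    int count = 0;
    *bw_found = 0;
    if (sublen > avail)
        return -1;
    const uint8_t *end = tptr + sublen;
    while (tptr < end) {
        if (end - tptr < 2)       /* need the type and length octets */
            return -1;
        unsigned subt = tptr[0], subl = tptr[1];
        tptr += 2;
        if ((size_t)(end - tptr) < subl)   /* full length of "V" must be present */
            return -1;
        switch (subt) {
        case SUBTLV_BW_CONSTRAINTS:
            (void)decode_bw_constraints(tptr, subl, bw); /* empty V is not truncation */
            *bw_found = 1;
            break;
        default:                  /* unknown sub-TLV: skip its value */
            break;
        }
        tptr += subl;
        count++;
    }
    return count;
}

/* Constructed samples, not taken from the capture in this commit. */
/* A Link Local/Remote Identifier sub-TLV (#4), then a zero-length sub-TLV #22. */
static const uint8_t SAMPLE_EMPTY_BW[] = {0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x16, 0x00};
/* Sub-TLV #22 with model ID 1 and a single constraint of 1000. */
static const uint8_t SAMPLE_ONE_BC[] = {0x16, 0x05, 0x01, 0x00, 0x00, 0x03, 0xe8};
/* A header promising 13 value bytes when only 3 remain. */
static const uint8_t SAMPLE_SHORT[] = {0x0d, 0x0d, 0x0d, 0x0d, 0x0d};

int sample_empty_bw_model_id(void)   /* returns -1: header seen, no model ID read */
{
    struct bw_constraints bw; int found;
    int n = walk_subtlvs(SAMPLE_EMPTY_BW, sizeof SAMPLE_EMPTY_BW, sizeof SAMPLE_EMPTY_BW, &bw, &found);
    return (n == 2 && found) ? bw.model_id : -100;
}

int sample_one_bc_value(void)        /* returns 1000 */
{
    struct bw_constraints bw; int found;
    int n = walk_subtlvs(SAMPLE_ONE_BC, sizeof SAMPLE_ONE_BC, sizeof SAMPLE_ONE_BC, &bw, &found);
    return (n == 1 && found && bw.model_id == 1 && bw.nclasses == 1) ? (int)bw.bc[0] : -100;
}

int sample_short_result(void)        /* returns -1: truncated list */
{
    struct bw_constraints bw; int found;
    return walk_subtlvs(SAMPLE_SHORT, sizeof SAMPLE_SHORT, sizeof SAMPLE_SHORT, &bw, &found);
}
```

The design point is where the bounds check lives: `walk_subtlvs` rejects any sub-TLV whose advertised value length exceeds the bytes that remain, so by the time `decode_bw_constraints` runs, every byte in `[tptr, tptr + subl)` is known to be readable and the loop's `(subl - 1) / 4` bound keeps each 4-byte read inside that window. The only case that check cannot cover is `subl == 0`, where the value is legitimately present in the list but contains nothing; that is the single octet read the guard prevents.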
infrastation committed Aug 16, 2017
1 parent 5d340a5 commit 5d0d76e88ee2d3236d7e032589d6f1d4ec5f7b1e
Showing with 194 additions and 272 deletions.
  1. +2 −1 print-isoclns.c
  2. +1 −0 tests/TESTLIST
  3. +39 −0 tests/isis-extd-isreach-oobr.out
  4. BIN tests/isis-extd-isreach-oobr.pcap
  5. +152 −271 tests/isis-seg-fault-1-v.out
@@ -1861,14 +1861,15 @@ isis_print_is_reach_subtlv(netdissect_options *ndo,
break;
case ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS: /* fall through */
case ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS_OLD:
if (subl == 0)
break;
ND_PRINT((ndo, "%sBandwidth Constraints Model ID: %s (%u)",
ident,
tok2str(diffserv_te_bc_values, "unknown", *tptr),
*tptr));
tptr++;
/* decode BCs until the subTLV ends */
for (te_class = 0; te_class < (subl-1)/4; te_class++) {
ND_TCHECK2(*tptr, 4);
bw.i = EXTRACT_32BITS(tptr);
ND_PRINT((ndo, "%s Bandwidth constraint CT%u: %.3f Mbps",
ident,
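Review bot: dropping the in-loop `ND_TCHECK2(*tptr, 4);` is only safe if the full-`subl` bounds check the commit message refers to really precedes the switch, and that check is outside this hunk, so it should be confirmed in the surrounding code before merging. The rendered hunk has also lost its +/- markers, so which of `if (subl == 0)`, `break;` and the `ND_TCHECK2` line are added versus removed is not visible here; the header's 14-to-15 line change and the +2/-1 summary for print-isoclns.c indicate the guard is the addition and the in-loop check the removal. With the guard in place the arithmetic holds: `(subl-1)/4` is 0 for subl 1..4, and each iteration consumes exactly the four bytes it reads after the `tptr++` past the model ID, so no read can pass `subl`. A minor point: when `subl-1` is not a multiple of 4 the trailing bytes are silently skipped; noting the odd length in the output would help anyone triaging malformed captures.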
@@ -574,6 +574,7 @@ rpki-rtr-oob rpki-rtr-oob.pcap rpki-rtr-oob.out -v -c1
lldp_8023_mtu-oobr lldp_8023_mtu-oobr.pcap lldp_8023_mtu-oobr.out -v -c1
bgp_vpn_rt-oobr bgp_vpn_rt-oobr.pcap bgp_vpn_rt-oobr.out -v -c1
cfm_sender_id-oobr cfm_sender_id-oobr.pcap cfm_sender_id-oobr.out -v -c1
isis-extd-isreach-oobr isis-extd-isreach-oobr.pcap isis-extd-isreach-oobr.out -v -c4
# bad packets from Katie Holly
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
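Review bot: the new entry uses `-c4` where the neighbouring `-oobr` lines use `-c1`; that is consistent with the expected output, which holds four frames and reaches the IS-IS PDU only in the fourth, but a short comment saying so would keep the next reader from taking it for a typo. The line also lands directly above the `# bad packets from Katie Holly` section marker; if the preceding section is attributed to another reporter, the entry belongs under a marker naming Bhargava Shastry, SecT/TU Berlin, as the commit message does.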
@@ -0,0 +1,39 @@
OSI NLPID 0xfe unknown, length: 33554428
0x0000: fe7f 4a01 0066 0002 00ff ffff f200 0000
0x0010: 00c6 0000 007f e6ff 00e6 6800 0000
unknown CHDLC protocol (0xfafe)
OSI NLPID 0xfe unknown, length: 33554428
0x0000: fe7f 4a01 f165 0002 0000 0000 0000 0000
0x0010: 00c6 0000 007f e6ff 00e6 6800 0000
IS-IS, length 33554427
L2 Lan IIH, hlen: 27, v: 1, pdu-v: 1, sys-id-len: 6 (0), max-area: 3 (0)
source-id: 3801.0101.0101, holding time: 257s, Flags: [unknown circuit type 0x00]
lan-id: 0101.0101.0100.00, Priority: 1, PDU length: 257
Extended IS Reachability TLV #22, length: 12
IS Neighbor: 0d0d.0d0d.0d0d.0d, Metric: 855309, sub-TLVs present (13)
unknown subTLV #13, length: 13
0x0000: 0d0d 0d0d 0d0d 0d0d 0d0d 0d0d 0d
IS Neighbor: 0d0d.0d0d.0d0d.0d, Metric: 855309, sub-TLVs present (13)
unknown subTLV #13, length: 13
0x0000: 0d0d 0d0d 0d0d 0d64 0d0d 0d0d 0d
IS Neighbor: 0d0d.0d0d.0d0d.0d, Metric: 855309, sub-TLVs present (13)
unknown subTLV #13, length: 13
0x0000: 0d0d 0d0d 0d0d 0d0d 0d0d 0d0d 0d
IS Neighbor: 0d0d.0d0d.0d0d.0d, Metric: 855309, sub-TLVs present (13)
unknown subTLV #13, length: 13
0x0000: 1c0d 0d0d 0d0d 670d 0d0d 0d0d 0d
IS Neighbor: 0d0d.0d00.0000.40, Metric: 13391955, sub-TLVs present (3)
unknown subTLV #41, length: 16
0x0000: 0022 0000 0000 0000 0000 0000 0000 0000
IS Neighbor: 0000.0000.0a16.00, Metric: 2097279, no sub-TLVs present
IS Neighbor: 0000.3604.1f01.16, Metric: 70400, no sub-TLVs present
IS Neighbor: 0012.3a01.4996.01, Metric: 8838496, no sub-TLVs present
IS Neighbor: 00c7.8787.8766.87, Metric: 0, sub-TLVs present (64)
unknown subTLV #120, length: 22
0x0000: 0101 0100 f0ff ffff ff01 0101 434c 4945
0x0010: 4e54 0101 011f
Link Local/Remote Identifier subTLV #4, length: 4, 0x04040404
Link Local/Remote Identifier subTLV #4, length: 4, 0x04040404
Link Local/Remote Identifier subTLV #4, length: 4, 0x0404000a
Bandwidth Constraints subTLV #22, length: 0
[|isis]
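Review bot: the last two lines, `Bandwidth Constraints subTLV #22, length: 0` followed by `[|isis]`, are the only part of this expected output that exercises the fix: a zero-length sub-TLV #22 is now reported by its header alone, after which the dissector stops at the truncated remainder instead of reading a model ID from beyond the value. It would be worth stating in the commit message or next to the TESTLIST entry that the fourth frame carries the regression, since the first three (two `OSI NLPID 0xfe unknown` and one `unknown CHDLC protocol`) contribute nothing to it and a future capture trim could drop them.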
