
Commit 5d0d76e

CVE-2017-13055/IS-IS: fix an Extended IS Reachability sub-TLV
In isis_print_is_reach_subtlv() one of the case blocks did not check that the sub-TLV "V" is actually present and could over-read the input buffer. Add a length check to fix that and remove a useless boundary check from a loop because the boundary is tested for the full length of "V" before the switch block. Update one of the prior test cases, as it turns out it depended on this previously incorrect code path to make it to its own malformed structure further down the buffer; the bugfix has changed its output. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
1 parent 5d340a5 commit 5d0d76e

5 files changed

+194
-272
lines changed

Diff for: print-isoclns.c

+2-1
@@ -1861,14 +1861,15 @@ isis_print_is_reach_subtlv(netdissect_options *ndo,
18611861
break;
18621862
case ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS: /* fall through */
18631863
case ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS_OLD:
1864+
if (subl == 0)
1865+
break;
18641866
ND_PRINT((ndo, "%sBandwidth Constraints Model ID: %s (%u)",
18651867
ident,
18661868
tok2str(diffserv_te_bc_values, "unknown", *tptr),
18671869
*tptr));
18681870
tptr++;
18691871
/* decode BCs until the subTLV ends */
18701872
for (te_class = 0; te_class < (subl-1)/4; te_class++) {
1871-
ND_TCHECK2(*tptr, 4);
18721873
bw.i = EXTRACT_32BITS(tptr);
18731874
ND_PRINT((ndo, "%s Bandwidth constraint CT%u: %.3f Mbps",
18741875
ident,
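Review bot: the new `if (subl == 0) break;` at the top of the BW_CONSTRAINTS case is what makes both the `*tptr` Model ID read and the `(subl-1)/4` loop bound safe (if `subl` is unsigned, `subl-1` would otherwise wrap to a huge iteration count), so it belongs exactly where it is; however, dropping `ND_TCHECK2(*tptr, 4)` from the loop body is only correct under the invariant the commit message states, that the full `subl` bytes of "V" were bounds-checked before the switch, and that invariant is not visible in this hunk. Consider a one-line comment at the case label, e.g. `/* subl bytes already ND_TCHECK'd before the switch */`, so a future edit that moves or removes that outer check does not silently reintroduce the over-read. Also note that when `subl-1` is not a multiple of 4 the trailing bytes are ignored without any "malformed" indication in the output; that is pre-existing behaviour, but worth a follow-up.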

Diff for: tests/TESTLIST

+1
@@ -574,6 +574,7 @@ rpki-rtr-oob rpki-rtr-oob.pcap rpki-rtr-oob.out -v -c1
574574
lldp_8023_mtu-oobr lldp_8023_mtu-oobr.pcap lldp_8023_mtu-oobr.out -v -c1
575575
bgp_vpn_rt-oobr bgp_vpn_rt-oobr.pcap bgp_vpn_rt-oobr.out -v -c1
576576
cfm_sender_id-oobr cfm_sender_id-oobr.pcap cfm_sender_id-oobr.out -v -c1
577+
isis-extd-isreach-oobr isis-extd-isreach-oobr.pcap isis-extd-isreach-oobr.out -v -c4
577578

578579
# bad packets from Katie Holly
579580
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
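Review bot: the new entry uses `-c4` where the surrounding `-oobr` tests use `-c1`; that is justified here because the expected output file shows the IS-IS packet that exercises the fixed code path is the fourth packet in the capture (two OSI NLPID packets and one CHDLC packet precede it), so `-c4` is the minimum count that reaches it. The entry is otherwise consistent with the naming and option style of the neighbouring lines.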

Diff for: tests/isis-extd-isreach-oobr.out

+39
@@ -0,0 +1,39 @@
1+
OSI NLPID 0xfe unknown, length: 33554428
2+
0x0000: fe7f 4a01 0066 0002 00ff ffff f200 0000
3+
0x0010: 00c6 0000 007f e6ff 00e6 6800 0000
4+
unknown CHDLC protocol (0xfafe)
5+
OSI NLPID 0xfe unknown, length: 33554428
6+
0x0000: fe7f 4a01 f165 0002 0000 0000 0000 0000
7+
0x0010: 00c6 0000 007f e6ff 00e6 6800 0000
8+
IS-IS, length 33554427
9+
L2 Lan IIH, hlen: 27, v: 1, pdu-v: 1, sys-id-len: 6 (0), max-area: 3 (0)
10+
source-id: 3801.0101.0101, holding time: 257s, Flags: [unknown circuit type 0x00]
11+
lan-id: 0101.0101.0100.00, Priority: 1, PDU length: 257
12+
Extended IS Reachability TLV #22, length: 12
13+
IS Neighbor: 0d0d.0d0d.0d0d.0d, Metric: 855309, sub-TLVs present (13)
14+
unknown subTLV #13, length: 13
15+
0x0000: 0d0d 0d0d 0d0d 0d0d 0d0d 0d0d 0d
16+
IS Neighbor: 0d0d.0d0d.0d0d.0d, Metric: 855309, sub-TLVs present (13)
17+
unknown subTLV #13, length: 13
18+
0x0000: 0d0d 0d0d 0d0d 0d64 0d0d 0d0d 0d
19+
IS Neighbor: 0d0d.0d0d.0d0d.0d, Metric: 855309, sub-TLVs present (13)
20+
unknown subTLV #13, length: 13
21+
0x0000: 0d0d 0d0d 0d0d 0d0d 0d0d 0d0d 0d
22+
IS Neighbor: 0d0d.0d0d.0d0d.0d, Metric: 855309, sub-TLVs present (13)
23+
unknown subTLV #13, length: 13
24+
0x0000: 1c0d 0d0d 0d0d 670d 0d0d 0d0d 0d
25+
IS Neighbor: 0d0d.0d00.0000.40, Metric: 13391955, sub-TLVs present (3)
26+
unknown subTLV #41, length: 16
27+
0x0000: 0022 0000 0000 0000 0000 0000 0000 0000
28+
IS Neighbor: 0000.0000.0a16.00, Metric: 2097279, no sub-TLVs present
29+
IS Neighbor: 0000.3604.1f01.16, Metric: 70400, no sub-TLVs present
30+
IS Neighbor: 0012.3a01.4996.01, Metric: 8838496, no sub-TLVs present
31+
IS Neighbor: 00c7.8787.8766.87, Metric: 0, sub-TLVs present (64)
32+
unknown subTLV #120, length: 22
33+
0x0000: 0101 0100 f0ff ffff ff01 0101 434c 4945
34+
0x0010: 4e54 0101 011f
35+
Link Local/Remote Identifier subTLV #4, length: 4, 0x04040404
36+
Link Local/Remote Identifier subTLV #4, length: 4, 0x04040404
37+
Link Local/Remote Identifier subTLV #4, length: 4, 0x0404000a
38+
Bandwidth Constraints subTLV #22, length: 0
39+
[|isis]
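Review bot: the last two lines of the expected output are the ones that actually verify the fix: `Bandwidth Constraints subTLV #22, length: 0` is printed with no Model ID and no constraint values (the new `subl == 0` break), and the dissector then reports truncation with `[|isis]` instead of reading past the end of the buffer. Since this file is the regression oracle, it would help to state in the commit message or a comment next to the TESTLIST entry that the `length: 0` line is the intended output for the zero-length sub-TLV, so a later reviewer does not mistake it for a dissector bug. The earlier `length: 33554428` and `unknown CHDLC protocol` lines are artefacts of the fuzzed capture, not of this change.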

Diff for: tests/isis-extd-isreach-oobr.pcap

469 Bytes
Binary file not shown.
