CVE-2017-13052/CFM: refine decoding of the Sender ID TLV
In cfm_network_addr_print() add a length argument and use it to validate the input buffer. In cfm_print() add a length check for MAC address chassis ID. Supply cfm_network_addr_print() with the length of its buffer and a correct pointer to the buffer (it was off-by-one before).

Change some error handling blocks to skip to the next TLV in the current PDU rather than to stop decoding the PDU. Print the management domain and address contents, although in hex only so far.

Add some comments to clarify the code flow and to tell exact sections in IEEE standard documents. Add new error messages and make some existing messages more specific.

This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
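The length checks the commit message describes, written out as a stand-alone Sender ID TLV parser (added example, not tcpdump's code): every field read is bounded by the TLV length from the header, a short value returns an error instead of reading past the buffer, and a MAC chassis ID of the wrong length is flagged but decoding continues. Field layout follows IEEE 802.1ag-2007 clause 21.5.3; the struct and function names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decoded Sender ID TLV value (IEEE 802.1ag-2007, 21.5.3). Names are
 * hypothetical, chosen for this example. */
struct sender_id {
    uint8_t chassis_id_len;      /* Chassis ID Length field */
    uint8_t chassis_id_subtype;  /* present only when chassis_id_len > 0 */
    const uint8_t *chassis_id;
    uint8_t md_len;              /* Management Address Domain Length */
    const uint8_t *md;           /* domain, raw bytes */
    uint8_t ma_len;              /* Management Address Length, if present */
    const uint8_t *ma;
    int mac_len_invalid;         /* subtype 4 (MAC) but length != 6 */
};

enum { SID_OK = 0, SID_TRUNCATED = -1 };

/* v points at the TLV value, tlv_len is the length from the TLV header.
 * Every read is checked against tlv_len; a value that is too short for
 * the field it announces returns SID_TRUNCATED rather than over-reading. */
int parse_sender_id(const uint8_t *v, size_t tlv_len, struct sender_id *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    if (tlv_len < 1) return SID_TRUNCATED;
    out->chassis_id_len = v[off++];
    if (out->chassis_id_len > 0) {
        /* need the subtype byte plus chassis_id_len bytes of ID */
        if (tlv_len - off < 1u + out->chassis_id_len) return SID_TRUNCATED;
        out->chassis_id_subtype = v[off++];
        out->chassis_id = v + off;
        off += out->chassis_id_len;
        if (out->chassis_id_subtype == 4 && out->chassis_id_len != 6)
            out->mac_len_invalid = 1; /* report it, but keep decoding */
    }
    if (off >= tlv_len) return SID_OK;  /* management fields absent */
    out->md_len = v[off++];
    if (out->md_len == 0) return SID_OK; /* no domain, so no address either */
    if (tlv_len - off < out->md_len) return SID_TRUNCATED;
    out->md = v + off;
    off += out->md_len;
    if (tlv_len - off < 1) return SID_TRUNCATED;
    out->ma_len = v[off++];
    if (tlv_len - off < out->ma_len) return SID_TRUNCATED;
    out->ma = v + off;
    return SID_OK;
}
```

Fed the four value bytes from the commit's test capture (01 04 9a 00), the parser reports a MAC chassis ID of length 1 as invalid and still reads the zero-length management domain, which is what the new expected output shows.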
Showing with 62 additions and 9 deletions.
|@@ -0,0 +1,8 @@|
|CFMv0 unknown (255), MD Level 0, length 65556|
|First TLV offset 0|
|0x0000: ff00 0001 0004 0104 9a00 000c fb|
|Unknown TLV (0xff), length 0|
|Sender ID TLV (0x01), length 4|
|Chassis-ID Type MAC address (4), Chassis-ID length 1 (invalid MAC address length)|
|Management Address Domain Length 0|
|End TLV (0x00)|
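Review bot: this expected output only exercises the invalid MAC chassis ID path; the management domain and address parsing that cfm_network_addr_print() now bounds-checks is not covered, since the capture carries "Management Address Domain Length 0". A second expected-output case with a non-zero domain length (and one whose declared length exceeds the remaining TLV bytes) would guard the new length argument against regression. Also worth a look: the first line reports "length 65556" for a packet taken from a 94-byte capture file, so confirm that figure is what the decoder is meant to print for this input rather than an artefact of the capture header.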
BIN +94 Bytes tests/cfm_sender_id-oobr.pcap