-
Notifications
You must be signed in to change notification settings - Fork 832
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
CVE-2017-13052/CFM: refine decoding of the Sender ID TLV
In cfm_network_addr_print() add a length argument and use it to validate the input buffer. In cfm_print() add a length check for MAC address chassis ID. Supply cfm_network_addr_print() with the length of its buffer and a correct pointer to the buffer (it was off-by-one before). Change some error handling blocks to skip to the next TLV in the current PDU rather than to stop decoding the PDU. Print the management domain and address contents, although in hex only so far. Add some comments to clarify the code flow and to tell exact sections in IEEE standard documents. Add new error messages and make some existing messages more specific. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
- Loading branch information
1 parent
bd4e697
commit 5d340a5
Showing
4 changed files
with
62 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
CFMv0 unknown (255), MD Level 0, length 65556 | ||
First TLV offset 0 | ||
0x0000: ff00 0001 0004 0104 9a00 000c fb | ||
Unknown TLV (0xff), length 0 | ||
Sender ID TLV (0x01), length 4 | ||
Chassis-ID Type MAC address (4), Chassis-ID length 1 (invalid MAC address length) | ||
Management Address Domain Length 0 | ||
End TLV (0x00) |
Binary file not shown.