
Commit 5edf405

guyharris authored and infrastation committed
CVE-2017-13008/IEEE 802.11: Fix TIM bitmap copy to copy from p + offset.
offset has already been advanced to point to the bitmap; we shouldn't add the amount to advance again. This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter. Add a test using the capture file supplied by the reporter(s). While we're at it, remove some redundant tests - we've already checked, before the case statement, whether we have captured the entire information element and whether the entire information element is present in the on-the-wire packet; in the cases for particular IEs, we only need to make sure we don't go past the end of the IE.
1 parent ca33619 commit 5edf405

4 files changed

+3
-13
lines changed


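--- a/print-802_11.c
+++ b/print-802_11.c
@@ -1039,10 +1039,6 @@ parse_elements(netdissect_options *ndo,
 if (ssid.length != 0) {
 if (ssid.length > sizeof(ssid.ssid) - 1)
 return 0;
-if (!ND_TTEST2(*(p + offset), ssid.length))
-return 0;
-if (length < ssid.length)
-return 0;
 memcpy(&ssid.ssid, p + offset, ssid.length);
 offset += ssid.length;
 length -= ssid.length;
@@ -1068,10 +1064,6 @@ parse_elements(netdissect_options *ndo,
 if (challenge.length >
 sizeof(challenge.text) - 1)
 return 0;
-if (!ND_TTEST2(*(p + offset), challenge.length))
-return 0;
-if (length < challenge.length)
-return 0;
 memcpy(&challenge.text, p + offset,
 challenge.length);
 offset += challenge.length;
@@ -1097,10 +1089,6 @@ parse_elements(netdissect_options *ndo,
 if (rates.length != 0) {
 if (rates.length > sizeof rates.rate)
 return 0;
-if (!ND_TTEST2(*(p + offset), rates.length))
-return 0;
-if (length < rates.length)
-return 0;
 memcpy(&rates.rate, p + offset, rates.length);
 offset += rates.length;
 length -= rates.length;
@@ -1189,7 +1177,7 @@ parse_elements(netdissect_options *ndo,
 offset += 3;
 length -= 3;
 
-memcpy(tim.bitmap, p + offset + 3, tim.length - 3);
+memcpy(tim.bitmap, p + offset, tim.length - 3);
 offset += tim.length - 3;
 length -= tim.length - 3;
 /*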
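Review bot: The corrected memcpy in the last hunk copies tim.length - 3 bytes from p + offset, but both bounds that make that copy safe sit outside the hunk: that tim.length is at least 3 (otherwise tim.length - 3 wraps to a huge size if tim.length is an unsigned byte) and that tim.length - 3 does not exceed sizeof tim.bitmap. I would confirm both checks exist earlier in the TIM case and state the invariant at the copy, e.g. `/* tim.length >= 3 and tim.length - 3 <= sizeof tim.bitmap were checked above */`. The three hunks that drop the ND_TTEST2 and remaining-length checks in the SSID, challenge and rates cases now depend on the pre-switch verification described in the commit message, so a one-line comment at the top of the switch saying each IE has already been verified captured and in-packet would stop the next maintainer from re-adding them. parse_elements starts and ends outside these hunks.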

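--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -438,6 +438,7 @@ ipv6-rthdr-oobr ipv6-rthdr-oobr.pcap ipv6-rthdr-oobr.out
 ieee802.11_tim_ie_oobr ieee802.11_tim_ie_oobr.pcap ieee802.11_tim_ie_oobr.out
 decnet-shorthdr-oobr decnet-shorthdr-oobr.pcap decnet-shorthdr-oobr.out
 isakmp-3948-oobr-2 isakmp-3948-oobr-2.pcap isakmp-3948-oobr-2.out
+ieee802.11_rates_oobr ieee802.11_rates_oobr.pcap ieee802.11_rates_oobr.out
 
 # bad packets from Kamil Frankowicz
 snmp-heapoverflow-1 snmp-heapoverflow-1.pcap snmp-heapoverflow-1.out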

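--- a/tests/ieee802.11_rates_oobr.out
+++ b/tests/ieee802.11_rates_oobr.out
@@ -0,0 +1 @@
+fhset 48 fhpat 48 48dBm signal 48dB signal 48dB noise [|802.11]Beacon IBSS, PRIVACY[|802.11]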

Diff for: tests/ieee802.11_rates_oobr.pcap

126 Bytes
Binary file not shown.
