
CVE-2017-13008/IEEE 802.11: Fix TIM bitmap copy to copy from p + offset.

offset has already been advanced to point to the bitmap; we shouldn't
add the amount to advance again.

This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter.

Add a test using the capture file supplied by the reporter(s).

While we're at it, remove some redundant tests - we've already checked,
before the case statement, whether we have captured the entire
information element and whether the entire information element is
present in the on-the-wire packet; in the cases for particular IEs, we
only need to make sure we don't go past the end of the IE.
guyharris authored and infrastation committed Mar 6, 2017
1 parent ca33619 commit 5edf405d7ed9fc92f4f43e8a3d44baa4c6387562
Showing with 3 additions and 13 deletions.
  1. +1 −13 print-802_11.c
  2. +1 −0 tests/TESTLIST
  3. +1 −0 tests/ieee802.11_rates_oobr.out
  4. BIN tests/ieee802.11_rates_oobr.pcap
@@ -1039,10 +1039,6 @@ parse_elements(netdissect_options *ndo,
if (ssid.length != 0) {
if (ssid.length > sizeof(ssid.ssid) - 1)
return 0;
if (!ND_TTEST2(*(p + offset), ssid.length))
return 0;
if (length < ssid.length)
return 0;
memcpy(&ssid.ssid, p + offset, ssid.length);
offset += ssid.length;
length -= ssid.length;
@@ -1068,10 +1064,6 @@ parse_elements(netdissect_options *ndo,
if (challenge.length >
sizeof(challenge.text) - 1)
return 0;
if (!ND_TTEST2(*(p + offset), challenge.length))
return 0;
if (length < challenge.length)
return 0;
memcpy(&challenge.text, p + offset,
challenge.length);
offset += challenge.length;
@@ -1097,10 +1089,6 @@ parse_elements(netdissect_options *ndo,
if (rates.length != 0) {
if (rates.length > sizeof rates.rate)
return 0;
if (!ND_TTEST2(*(p + offset), rates.length))
return 0;
if (length < rates.length)
return 0;
memcpy(&rates.rate, p + offset, rates.length);
offset += rates.length;
length -= rates.length;
@@ -1189,7 +1177,7 @@ parse_elements(netdissect_options *ndo,
offset += 3;
length -= 3;

memcpy(tim.bitmap, p + offset + 3, tim.length - 3);
memcpy(tim.bitmap, p + offset, tim.length - 3);
offset += tim.length - 3;
length -= tim.length - 3;
/*
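Review bot: The corrected copy `memcpy(tim.bitmap, p + offset, tim.length - 3);` in the last hunk is only in-bounds if tim.length was already checked, earlier in the E_TIM case and outside this hunk, to be greater than 3 and to have `tim.length - 3` no larger than sizeof tim.bitmap; with an unsigned 8-bit length, a value below 3 would turn the size into a huge value after promotion, so if that lower bound is not present it must be added before the memcpy. A one-line comment would make the dependency visible to the next reader, e.g. `/* tim.length bounded above (3 < tim.length, tim.length - 3 <= sizeof tim.bitmap) */`. The same holds for the three earlier hunks, where the removed ND_TTEST2 and `length < ...length` checks now rely on the pre-switch test that the whole IE is captured and present, as the commit message states; a comment such as `/* entire IE already ND_TTEST2'd before the switch */` above each remaining memcpy would document that invariant. parse_elements starts and ends outside these hunks.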
@@ -438,6 +438,7 @@ ipv6-rthdr-oobr ipv6-rthdr-oobr.pcap ipv6-rthdr-oobr.out
ieee802.11_tim_ie_oobr ieee802.11_tim_ie_oobr.pcap ieee802.11_tim_ie_oobr.out
decnet-shorthdr-oobr decnet-shorthdr-oobr.pcap decnet-shorthdr-oobr.out
isakmp-3948-oobr-2 isakmp-3948-oobr-2.pcap isakmp-3948-oobr-2.out
ieee802.11_rates_oobr ieee802.11_rates_oobr.pcap ieee802.11_rates_oobr.out

# bad packets from Kamil Frankowicz
snmp-heapoverflow-1 snmp-heapoverflow-1.pcap snmp-heapoverflow-1.out
@@ -0,0 +1 @@
fhset 48 fhpat 48 48dBm signal 48dB signal 48dB noise [|802.11]Beacon IBSS, PRIVACY[|802.11]
