Skip to content

Commit 67c7126

Browse files
guyharrisinfrastation
authored andcommitted
CVE-2017-13021/ICMP6: Add a missing bounds check.
This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
1 parent c5dd7be commit 67c7126

File tree

4 files changed

+4
-0
lines changed

4 files changed

+4
-0
lines changed

Diff for: print-icmp6.c

+1
Original file line numberDiff line numberDiff line change
@@ -1131,6 +1131,7 @@ icmp6_print(netdissect_options *ndo,
11311131
if (ndo->ndo_vflag) {
11321132
ND_TCHECK(dp->icmp6_data16[0]);
11331133
ND_PRINT((ndo,", id 0x%04x", EXTRACT_16BITS(&dp->icmp6_data16[0])));
1134+
ND_TCHECK(dp->icmp6_data16[1]);
11341135
if (dp->icmp6_data16[1] & 0xc0)
11351136
ND_PRINT((ndo," "));
11361137
if (dp->icmp6_data16[1] & 0x80)

Diff for: tests/TESTLIST

+1
Original file line numberDiff line numberDiff line change
@@ -522,6 +522,7 @@ dhcp6_reconf_asan dhcp6_reconf_asan.pcap dhcp6_reconf_asan.out -v
522522
pgm_opts_asan pgm_opts_asan.pcap pgm_opts_asan.out -v
523523
pgm_opts_asan_2 pgm_opts_asan_2.pcap pgm_opts_asan_2.out -v
524524
vtp_asan vtp_asan.pcap vtp_asan.out -v
525+
icmp6_mobileprefix_asan icmp6_mobileprefix_asan.pcap icmp6_mobileprefix_asan.out -v
525526

526527
# RTP tests
527528
# fuzzed pcap

Diff for: tests/icmp6_mobileprefix_asan.out

+2
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
IP6 (class 0x50, flowlabel 0x0002c, hlim 0, next-header ICMPv6 (58) payload length: 7168) 4f:f829:c:1a1a:1a1a:1a1a:1a37:0 > 16:0:400:0:64fb:9303:f293:8200: ICMP6, mobile router advertisement, length 7168, id 0x9393[|icmp6]
2+
[|ether]

Diff for: tests/icmp6_mobileprefix_asan.pcap

116 Bytes
Binary file not shown.

0 commit comments

Comments
 (0)