CVE-2017-13021/ICMP6: Add a missing bounds check.

This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
the-tcpdump-group · Sep 13, 2017 · 67c7126 · 67c7126
1 parent c5dd7be
commit 67c7126
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 0 deletions.
diff --git a/print-icmp6.c b/print-icmp6.c
@@ -1131,6 +1131,7 @@ icmp6_print(netdissect_options *ndo,
 		if (ndo->ndo_vflag) {
 			ND_TCHECK(dp->icmp6_data16[0]);
 			ND_PRINT((ndo,", id 0x%04x", EXTRACT_16BITS(&dp->icmp6_data16[0])));
+			ND_TCHECK(dp->icmp6_data16[1]);
 			if (dp->icmp6_data16[1] & 0xc0)
 				ND_PRINT((ndo," "));
 			if (dp->icmp6_data16[1] & 0x80)

diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -522,6 +522,7 @@ dhcp6_reconf_asan	dhcp6_reconf_asan.pcap		dhcp6_reconf_asan.out	-v
 pgm_opts_asan		pgm_opts_asan.pcap		pgm_opts_asan.out	-v
 pgm_opts_asan_2		pgm_opts_asan_2.pcap		pgm_opts_asan_2.out	-v
 vtp_asan		vtp_asan.pcap			vtp_asan.out	-v
+icmp6_mobileprefix_asan	icmp6_mobileprefix_asan.pcap	icmp6_mobileprefix_asan.out	-v
 
 # RTP tests
 # fuzzed pcap

diff --git a/tests/icmp6_mobileprefix_asan.out b/tests/icmp6_mobileprefix_asan.out
@@ -0,0 +1,2 @@
+IP6 (class 0x50, flowlabel 0x0002c, hlim 0, next-header ICMPv6 (58) payload length: 7168) 4f:f829:c:1a1a:1a1a:1a1a:1a37:0 > 16:0:400:0:64fb:9303:f293:8200: ICMP6, mobile router advertisement, length 7168, id 0x9393[|icmp6]
+[|ether]
diff --git a/tests/icmp6_mobileprefix_asan.pcap b/tests/icmp6_mobileprefix_asan.pcap