
CVE-2017-12893/SMB/CIFS: Add a bounds check in name_len().

After we advance the pointer by the length value in the buffer, make
sure it points to something in the captured data.

This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add a test using the capture file supplied by the reporter(s).
guyharris authored and infrastation committed Feb 4, 2017
1 parent c6e0531 commit 6f5ba2b651cd9d4b7fa8ee5c4f94460645877c45
Showing with 20 additions and 0 deletions.
  1. +1 −0 smbutil.c
  2. +3 −0 tests/TESTLIST
  3. +16 −0 tests/nbns-valgrind.out
  4. BIN tests/nbns-valgrind.pcap
@@ -237,6 +237,7 @@ name_len(netdissect_options *ndo,
return(-1); /* name goes past the end of the buffer */
ND_TCHECK2(*s, 1);
s += (*s) + 1;
ND_TCHECK2(*s, 1);
}
return(PTR_DIFF(s, s0) + 1);
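Review bot: the new `ND_TCHECK2(*s, 1);` after `s += (*s) + 1;` covers exactly one byte at the advanced position, which is the byte the loop condition and the next `s += (*s) + 1;` will read, so the guard is in the right place, but the pairing with the identical `ND_TCHECK2(*s, 1);` two lines above is not self-explanatory. Suggest a short comment on the added line, e.g. `/* the next length byte must be inside the captured data */`, in the same style as the existing `/* name goes past the end of the buffer */` comment on the `return(-1);` line.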

@@ -449,6 +449,9 @@ decnet-oobr decnet-oobr.pcap decnet-oobr.out
# bad packets from Wilfried Kirsch
slip-bad-direction slip-bad-direction.pcap slip-bad-direction.out -ve

# bad packets from Otto Airamo and Antti Levomäki
nbns-valgrind nbns-valgrind.pcap nbns-valgrind.out -vvv -e

# RTP tests
# fuzzed pcap
rtp-seg-fault-1 rtp-seg-fault-1.pcap rtp-seg-fault-1.out -v -T rtp
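Review bot: the comment line for the new `nbns-valgrind` entry credits the reporters but does not mention CVE-2017-12893, unlike the commit title; adding the CVE id to the `# bad packets from Otto Airamo and Antti Levomäki` line would let someone reading TESTLIST trace the regression test back to the advisory. The `-vvv -e` flags are consistent with the expected output (Ethernet addresses and the full NBT header dump), and the entry follows the same three-column layout as the surrounding tests.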
@@ -0,0 +1,16 @@
00:0c:85:0e:a5:ff > 00:00:0c:07:ac:f0, ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 127, id 38615, offset 0, flags [none], proto UDP (17), length 78)
10.49.248.228.137 > 10.48.161.241.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
TrnID=0x8D40
OpCode=0
NmFlags=0x10
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=
WARNING: Short packet. Try increasing the snap length
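Review bot: the expected output ends at `Name=` followed by `WARNING: Short packet. Try increasing the snap length`, which is the truncation path the new `ND_TCHECK2` is meant to reach instead of reading past the buffer; that is the right observable for this fix, but it also means the file encodes the exact point at which the name parser gives up, so any later change to how a truncated NetBIOS name is printed will need this `.out` regenerated. Worth a one-line remark in the commit or TESTLIST comment that the expected result is the short-packet warning, not a decoded name.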


BIN +108 Bytes tests/nbns-valgrind.pcap
