Commit 6f5ba2b

guyharris authored and infrastation committed
CVE-2017-12893/SMB/CIFS: Add a bounds check in name_len().
After we advance the pointer by the length value in the buffer, make sure it points to something in the captured data. This fixes a buffer over-read discovered by Forcepoint's security researchers Otto Airamo & Antti Levomäki. Add a test using the capture file supplied by the reporter(s).
1 parent c6e0531 commit 6f5ba2b

4 files changed

+20
-0
lines changed


Diff for: smbutil.c

+1
@@ -237,6 +237,7 @@ name_len(netdissect_options *ndo,
237237
return(-1); /* name goes past the end of the buffer */
238238
ND_TCHECK2(*s, 1);
239239
s += (*s) + 1;
240+
ND_TCHECK2(*s, 1);
240241
}
241242
return(PTR_DIFF(s, s0) + 1);
242243
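
Review bot: the second `ND_TCHECK2(*s, 1);` (new line 240) carries no comment explaining why the check is repeated after `s += (*s) + 1;`, and the `trunc` exit the macro jumps to lies outside the hunk. The first check only validates the length byte itself; once the pointer has been advanced by that length it can sit beyond the captured data, so the repeated check is what makes the next iteration's `*s` read safe. Suggest `ND_TCHECK2(*s, 1); /* length byte of the next label must be within the captured data */` and confirming that name_len()'s `trunc:` label returns -1, matching the `return(-1); /* name goes past the end of the buffer */` path at line 237, so that a truncated name and an over-long name exit the function the same way.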

Diff for: tests/TESTLIST

+3
@@ -449,6 +449,9 @@ decnet-oobr decnet-oobr.pcap decnet-oobr.out
449449
# bad packets from Wilfried Kirsch
450450
slip-bad-direction slip-bad-direction.pcap slip-bad-direction.out -ve
451451

452+
# bad packets from Otto Airamo and Antti Levomäki
453+
nbns-valgrind nbns-valgrind.pcap nbns-valgrind.out -vvv -e
454+
452455
# RTP tests
453456
# fuzzed pcap
454457
rtp-seg-fault-1 rtp-seg-fault-1.pcap rtp-seg-fault-1.out -v -T rtp
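
Review bot: the comment on new line 452 names the reporters but not the CVE identifier from the commit message, so the regression test cannot be traced from TESTLIST back to the advisory; suggest `# bad packets from Otto Airamo and Antti Levomäki (CVE-2017-12893)`. The option string `-vvv -e` is consistent with the expected-output file (link-layer addresses on its first line from `-e`, the per-field NBT dump from `-vvv`), and placing the entry after the slip-bad-direction test and before the RTP block follows the file's existing grouping of hand-crafted bad packets.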

Diff for: tests/nbns-valgrind.out

+16
@@ -0,0 +1,16 @@
1+
00:0c:85:0e:a5:ff > 00:00:0c:07:ac:f0, ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 127, id 38615, offset 0, flags [none], proto UDP (17), length 78)
2+
10.49.248.228.137 > 10.48.161.241.137:
3+
>>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
4+
TrnID=0x8D40
5+
OpCode=0
6+
NmFlags=0x10
7+
Rcode=0
8+
QueryCount=1
9+
AnswerCount=0
10+
AuthorityCount=0
11+
AddressRecCount=0
12+
QuestionRecords:
13+
Name=
14+
WARNING: Short packet. Try increasing the snap length
15+
16+
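
Review bot: lines 15 and 16 of the new expected-output file are empty, and the test harness compares output byte for byte, so confirm that both blank lines are genuinely what tcpdump emits after `WARNING: Short packet. Try increasing the snap length` and not a stray trailing newline added when the file was saved. Otherwise the file records the intended post-fix behaviour: the question record's `Name=` is left empty and the dissector stops with the short-packet warning instead of reading past the captured data.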

Diff for: tests/nbns-valgrind.pcap

108 Bytes
Binary file not shown.
