CVE-2017-12893/SMB/CIFS: Add a bounds check in name_len().
After we advance the pointer by the length value in the buffer, make
sure it points to something in the captured data.

This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add a test using the capture file supplied by the reporter(s).
guyharris authored and infrastation committed Sep 13, 2017
1 parent c6e0531 commit 6f5ba2b
Showing 4 changed files with 20 additions and 0 deletions.
1 change: 1 addition & 0 deletions smbutil.c
Expand Up @@ -237,6 +237,7 @@ name_len(netdissect_options *ndo,
return(-1); /* name goes past the end of the buffer */
ND_TCHECK2(*s, 1);
s += (*s) + 1;
ND_TCHECK2(*s, 1);
}
return(PTR_DIFF(s, s0) + 1);

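Review bot: the new `ND_TCHECK2(*s, 1);` after `s += (*s) + 1;` is placed correctly, because the next loop iteration dereferences `*s` as a length byte before anything else checks it, but it relies on a `trunc:` label in name_len() that lies outside the shown context; confirm it exists and returns -1 like the visible `return(-1); /* name goes past the end of the buffer */` path, so callers see a single failure convention. A one-line comment such as `/* the next length byte must be within the captured data */` would also document why the check follows the advance rather than preceding it.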
3 changes: 3 additions & 0 deletions tests/TESTLIST
Expand Up @@ -449,6 +449,9 @@ decnet-oobr decnet-oobr.pcap decnet-oobr.out
# bad packets from Wilfried Kirsch
slip-bad-direction slip-bad-direction.pcap slip-bad-direction.out -ve

# bad packets from Otto Airamo and Antti Levomäki
nbns-valgrind nbns-valgrind.pcap nbns-valgrind.out -vvv -e

# RTP tests
# fuzzed pcap
rtp-seg-fault-1 rtp-seg-fault-1.pcap rtp-seg-fault-1.out -v -T rtp
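Review bot: the entry `nbns-valgrind nbns-valgrind.pcap nbns-valgrind.out -vvv -e` follows the convention of the neighbouring `# bad packets from Wilfried Kirsch` block, but the name suggests a memory-checker run while TESTLIST only compares decoder output, so this regression test catches the over-read only because the fix changes what is printed (the `Short packet` warning in the new .out file); a short note in the comment line saying the test is an output comparison, not a valgrind run, would avoid that confusion.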
16 changes: 16 additions & 0 deletions tests/nbns-valgrind.out
@@ -0,0 +1,16 @@
00:0c:85:0e:a5:ff > 00:00:0c:07:ac:f0, ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 127, id 38615, offset 0, flags [none], proto UDP (17), length 78)
10.49.248.228.137 > 10.48.161.241.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
TrnID=0x8D40
OpCode=0
NmFlags=0x10
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=
WARNING: Short packet. Try increasing the snap length


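Review bot: the expected output ends at `Name=` followed by `WARNING: Short packet. Try increasing the snap length`, which is the observable effect of the new check: the truncated NetBIOS name is now reported as a short packet instead of being read past the captured data. The two trailing empty lines are accounted for by the `@@ -0,0 +1,16 @@` count, so they are part of the file; keep them, since the test harness compares the output byte for byte.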
Binary file added tests/nbns-valgrind.pcap