CVE-2017-12996/PIMv2: Make sure PIM TLVs have the right length.

We do bounds checks based on the TLV length, so if the TLV's length is
too short, and we don't check for that, we could end up fetching data
past the end of the TLV - including past the length of the captured data
in the packet.

This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add tests using the capture files supplied by the reporter(s).
guyharris authored and infrastation committed Feb 13, 2017
1 parent 34cec72 commit 6fca58f5f9c96749a575f52e20598ad43f5bdf30
@@ -730,7 +730,11 @@ pimv2_print(netdissect_options *ndo,

switch (otype) {
case PIMV2_HELLO_OPTION_HOLDTIME:
unsigned_relts_print(ndo, EXTRACT_16BITS(bp));
if (olen != 2) {
ND_PRINT((ndo, "ERROR: Option Length != 2 Bytes (%u)", olen));
} else {
unsigned_relts_print(ndo, EXTRACT_16BITS(bp));
}
break;

case PIMV2_HELLO_OPTION_LANPRUNEDELAY:
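Review bot: the `olen != 2` test now sits before the `EXTRACT_16BITS(bp)` read in the HOLDTIME case, which is the right order, but nothing in this hunk checks the option body against the captured length; an option whose `olen` is exactly 2 but which starts within the last byte of the snapshot would still be dereferenced unless the loop around this switch already does an `ND_TCHECK`-style check on `olen` bytes at `bp`. Please confirm that check exists in the enclosing loop, and consider stating in the commit message that the per-option length test and the capture-length test are meant to work together.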
@@ -764,17 +768,25 @@ pimv2_print(netdissect_options *ndo,
break;

case PIMV2_HELLO_OPTION_GENID:
ND_PRINT((ndo, "0x%08x", EXTRACT_32BITS(bp)));
if (olen != 4) {
ND_PRINT((ndo, "ERROR: Option Length != 4 Bytes (%u)", olen));
} else {
ND_PRINT((ndo, "0x%08x", EXTRACT_32BITS(bp)));
}
break;

case PIMV2_HELLO_OPTION_REFRESH_CAP:
ND_PRINT((ndo, "v%d", *bp));
if (*(bp+1) != 0) {
ND_PRINT((ndo, ", interval "));
unsigned_relts_print(ndo, *(bp+1));
}
if (EXTRACT_16BITS(bp+2) != 0) {
ND_PRINT((ndo, " ?0x%04x?", EXTRACT_16BITS(bp+2)));
if (olen != 4) {
ND_PRINT((ndo, "ERROR: Option Length != 4 Bytes (%u)", olen));
} else {
ND_PRINT((ndo, "v%d", *bp));
if (*(bp+1) != 0) {
ND_PRINT((ndo, ", interval "));
unsigned_relts_print(ndo, *(bp+1));
}
if (EXTRACT_16BITS(bp+2) != 0) {
ND_PRINT((ndo, " ?0x%04x?", EXTRACT_16BITS(bp+2)));
}
}
break;

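Review bot: in the REFRESH_CAP case the single `olen != 4` guard covers all three reads (`*bp`, `*(bp+1)` and `EXTRACT_16BITS(bp+2)`), which together consume exactly 4 bytes, so the guard is sufficient for this branch, and the GENID case is guarded the same way for its 4-byte read. Two style points: the literal `"ERROR: Option Length != N Bytes (%u)"` string is now spelled out separately in the HOLDTIME, GENID and REFRESH_CAP cases, so a small helper or macro taking the expected length would keep the wording identical as further options are hardened; and the rejected option is still silently skipped rather than marked as malformed in the summary line, which is what other tcpdump dissectors do with `[|proto]` style truncation markers, so consider whether the caller should be told the packet is invalid.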
@@ -481,6 +481,10 @@ isis-areaaddr-oobr-2 isis-areaaddr-oobr-2.pcap isis-areaaddr-oobr-2.out -vvv -e
isis-extd-ipreach-oobr isis-extd-ipreach-oobr.pcap isis-extd-ipreach-oobr.out -vvv -e
lldp-infinite-loop-1 lldp-infinite-loop-1.pcap lldp-infinite-loop-1.out -vvv -e
lldp-infinite-loop-2 lldp-infinite-loop-2.pcap lldp-infinite-loop-2.out -vvv -e
pimv2-oobr-1 pimv2-oobr-1.pcap pimv2-oobr-1.out -vvv -e
pimv2-oobr-2 pimv2-oobr-2.pcap pimv2-oobr-2.out -vvv -e
pimv2-oobr-3 pimv2-oobr-3.pcap pimv2-oobr-3.out -vvv -e
pimv2-oobr-4 pimv2-oobr-4.pcap pimv2-oobr-4.out -vvv -e

# RTP tests
# fuzzed pcap
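Review bot: the four new `pimv2-oobr-N` entries reference `.out` files whose contents are not shown in this hunk, so the expected output cannot be checked here; please make sure each `.out` contains the new `ERROR: Option Length` text for the malformed option rather than a truncated or empty line, since that is what proves the over-read is now caught rather than merely no longer crashing. The entries are placed next to the other `-oobr` regression tests and before the `# RTP tests` marker, which matches the file's existing grouping.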
