CVE-2017-12996/PIMv2: Make sure PIM TLVs have the right length.

We do bounds checks based on the TLV length, so if the TLV's length is too short, and we don't check for that, we could end up fetching data past the end of the TLV - including past the length of the captured data in the packet. This fixes a buffer over-read discovered by Forcepoint's security researchers Otto Airamo & Antti Levomäki. Add tests using the capture files supplied by the reporter(s).
the-tcpdump-group · Sep 13, 2017 · 6fca58f · 6fca58f
1 parent 34cec72
commit 6fca58f
Show file tree

Hide file tree

Showing 10 changed files with 51,570 additions and 9 deletions.
diff --git a/print-pim.c b/print-pim.c
@@ -730,7 +730,11 @@ pimv2_print(netdissect_options *ndo,
 
 			switch (otype) {
 			case PIMV2_HELLO_OPTION_HOLDTIME:
-				unsigned_relts_print(ndo, EXTRACT_16BITS(bp));
+				if (olen != 2) {
+					ND_PRINT((ndo, "ERROR: Option Length != 2 Bytes (%u)", olen));
+				} else {
+					unsigned_relts_print(ndo, EXTRACT_16BITS(bp));
+				}
 				break;
 
 			case PIMV2_HELLO_OPTION_LANPRUNEDELAY:
@@ -764,17 +768,25 @@ pimv2_print(netdissect_options *ndo,
 				break;
 
 			case PIMV2_HELLO_OPTION_GENID:
-				ND_PRINT((ndo, "0x%08x", EXTRACT_32BITS(bp)));
+				if (olen != 4) {
+					ND_PRINT((ndo, "ERROR: Option Length != 4 Bytes (%u)", olen));
+				} else {
+					ND_PRINT((ndo, "0x%08x", EXTRACT_32BITS(bp)));
+				}
 				break;
 
 			case PIMV2_HELLO_OPTION_REFRESH_CAP:
-				ND_PRINT((ndo, "v%d", *bp));
-				if (*(bp+1) != 0) {
-					ND_PRINT((ndo, ", interval "));
-					unsigned_relts_print(ndo, *(bp+1));
-				}
-				if (EXTRACT_16BITS(bp+2) != 0) {
-					ND_PRINT((ndo, " ?0x%04x?", EXTRACT_16BITS(bp+2)));
+				if (olen != 4) {
+					ND_PRINT((ndo, "ERROR: Option Length != 4 Bytes (%u)", olen));
+				} else {
+					ND_PRINT((ndo, "v%d", *bp));
+					if (*(bp+1) != 0) {
+						ND_PRINT((ndo, ", interval "));
+						unsigned_relts_print(ndo, *(bp+1));
+					}
+					if (EXTRACT_16BITS(bp+2) != 0) {
+						ND_PRINT((ndo, " ?0x%04x?", EXTRACT_16BITS(bp+2)));
+					}
 				}
 				break;
 

diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -481,6 +481,10 @@ isis-areaaddr-oobr-2	isis-areaaddr-oobr-2.pcap	isis-areaaddr-oobr-2.out		-vvv -e
 isis-extd-ipreach-oobr	isis-extd-ipreach-oobr.pcap	isis-extd-ipreach-oobr.out		-vvv -e
 lldp-infinite-loop-1	lldp-infinite-loop-1.pcap	lldp-infinite-loop-1.out		-vvv -e
 lldp-infinite-loop-2	lldp-infinite-loop-2.pcap	lldp-infinite-loop-2.out		-vvv -e
+pimv2-oobr-1		pimv2-oobr-1.pcap		pimv2-oobr-1.out		-vvv -e
+pimv2-oobr-2		pimv2-oobr-2.pcap		pimv2-oobr-2.out		-vvv -e
+pimv2-oobr-3		pimv2-oobr-3.pcap		pimv2-oobr-3.out		-vvv -e
+pimv2-oobr-4		pimv2-oobr-4.pcap		pimv2-oobr-4.out		-vvv -e
 
 # RTP tests
 # fuzzed pcap

diff --git a/tests/pimv2-oobr-1.out b/tests/pimv2-oobr-1.out
diff --git a/tests/pimv2-oobr-1.pcap b/tests/pimv2-oobr-1.pcap
diff --git a/tests/pimv2-oobr-2.out b/tests/pimv2-oobr-2.out
diff --git a/tests/pimv2-oobr-2.pcap b/tests/pimv2-oobr-2.pcap
diff --git a/tests/pimv2-oobr-3.out b/tests/pimv2-oobr-3.out
diff --git a/tests/pimv2-oobr-3.pcap b/tests/pimv2-oobr-3.pcap
diff --git a/tests/pimv2-oobr-4.out b/tests/pimv2-oobr-4.out
diff --git a/tests/pimv2-oobr-4.pcap b/tests/pimv2-oobr-4.pcap