Commit 7335163

guyharris authored and infrastation committed
CVE-2017-13038/PPP: Do bounds checking.
This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter. Add a test using the capture file supplied by Katie Holly.
1 parent 3cb7c9a commit 7335163

4 files changed: +13 -0 lines changed

Diff for: print-ppp.c

+9
@@ -811,6 +811,15 @@ handle_mlppp(netdissect_options *ndo,
811811
if (!ndo->ndo_eflag)
812812
ND_PRINT((ndo, "MLPPP, "));
813813

814+
if (length < 2) {
815+
ND_PRINT((ndo, "[|mlppp]"));
816+
return;
817+
}
818+
if (!ND_TTEST_16BITS(p)) {
819+
ND_PRINT((ndo, "[|mlppp]"));
820+
return;
821+
}
822+
814823
ND_PRINT((ndo, "seq 0x%03x, Flags [%s], length %u",
815824
(EXTRACT_16BITS(p))&0x0fff, /* only support 12-Bit sequence space for now */
816825
bittok2str(ppp_ml_flag_values, "none", *p & 0xc0),
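
Review bot: the `length < 2` branch at new lines 814-817 prints the same `[|mlppp]` marker as the `ND_TTEST_16BITS(p)` branch at 818-821, so the output cannot tell a header whose stated length is too short from one that runs past the captured bytes. Consider a distinct message for the length case, or fold both tests into one condition (`if (length < 2 || !ND_TTEST_16BITS(p))`) so the marker and the `return` are written once. The placement itself is right: both checks run before `EXTRACT_16BITS(p)` and `*p & 0xc0` read from the buffer.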

Diff for: tests/TESTLIST

+3
@@ -554,6 +554,9 @@ radius_attr_asan radius_attr_asan.pcap radius_attr_asan.out -v
554554
ospf6_decode_v3_asan ospf6_decode_v3_asan.pcap ospf6_decode_v3_asan.out -v
555555
ip_ts_opts_asan ip_ts_opts_asan.pcap ip_ts_opts_asan.out -v
556556

557+
# bad packets from Katie Holly
558+
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
559+
557560
# RTP tests
558561
# fuzzed pcap
559562
rtp-seg-fault-1 rtp-seg-fault-1.pcap rtp-seg-fault-1.out -v -T rtp
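
Review bot: the comment added at line 557 credits the source of the capture but not the bug it covers. Adding the CVE id from the commit message (CVE-2017-13038) beside the `mlppp-oobr` entry would let a reader of TESTLIST trace the test back to the fix without searching the history.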

Diff for: tests/mlppp-oobr.out

+1
@@ -0,0 +1 @@
1+
MLPPP, [|mlppp]
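
Review bot: the single expected line `MLPPP, [|mlppp]` is what either of the two new checks in `handle_mlppp` prints, so this test shows that one of them fires but not which, and the other branch stays untested. A second small capture that triggers the other check would cover both paths.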

Diff for: tests/mlppp-oobr.pcap

88 Bytes
Binary file not shown.
