CVE-2017-13038/PPP: Do bounds checking.

This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter.

Add a test using the capture file supplied by Katie Holly.
guyharris authored and infrastation committed Jun 12, 2017
1 parent 3cb7c9a commit 7335163a6ef82d46ff18f3e6099a157747241629
Showing with 13 additions and 0 deletions.
  1. +9 −0 print-ppp.c
  2. +3 −0 tests/TESTLIST
  3. +1 −0 tests/mlppp-oobr.out
  4. BIN tests/mlppp-oobr.pcap
@@ -811,6 +811,15 @@ handle_mlppp(netdissect_options *ndo,
if (!ndo->ndo_eflag)
ND_PRINT((ndo, "MLPPP, "));

if (length < 2) {
ND_PRINT((ndo, "[|mlppp]"));
return;
}
if (!ND_TTEST_16BITS(p)) {
ND_PRINT((ndo, "[|mlppp]"));
return;
}

ND_PRINT((ndo, "seq 0x%03x, Flags [%s], length %u",
(EXTRACT_16BITS(p))&0x0fff, /* only support 12-Bit sequence space for now */
bittok2str(ppp_ml_flag_values, "none", *p & 0xc0),
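Review bot: The `length < 2` branch and the `ND_TTEST_16BITS(p)` branch print the same `[|mlppp]` marker, although the first tests the packet's stated length and the second tests how many bytes were actually captured. A stated length below 2 describes a malformed packet rather than a truncated capture, so consider giving it a distinct message; if the two are meant to stay identical, fold the duplicated print-and-return into one shared exit. The two reads that follow, `EXTRACT_16BITS(p)` and `*p & 0xc0`, both fall within the two bytes the second check covers.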
@@ -554,6 +554,9 @@ radius_attr_asan radius_attr_asan.pcap radius_attr_asan.out -v
ospf6_decode_v3_asan ospf6_decode_v3_asan.pcap ospf6_decode_v3_asan.out -v
ip_ts_opts_asan ip_ts_opts_asan.pcap ip_ts_opts_asan.out -v

# bad packets from Katie Holly
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out

# RTP tests
# fuzzed pcap
rtp-seg-fault-1 rtp-seg-fault-1.pcap rtp-seg-fault-1.out -v -T rtp
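Review bot: The comment above the new `mlppp-oobr` entry names only who supplied the capture, not what the capture exercises. Suggest mentioning CVE-2017-13038 and the MLPPP over-read in that comment so the entry can be traced back to the fix. The entry also passes no options while the neighbouring entries pass `-v`; worth confirming that is deliberate.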
@@ -0,0 +1 @@
MLPPP, [|mlppp]
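Review bot: The only expected output added here is the rejection line `MLPPP, [|mlppp]`, so this test pins the new early return and nothing else. If no existing test prints a well-formed MLPPP fragment, add one alongside it so the `seq 0x..., Flags [...], length ...` line is shown to be unchanged by the new checks.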
BIN +88 Bytes tests/mlppp-oobr.pcap
Binary file not shown.
