Commit 7ac73d6

guyharris authored and infrastation committed
CVE-2017-12986/IPv6 R.H.: Update to reflect the actual IPv6 RFC.
In RFC 1883, the Type 0 routing header had a 1-byte reserved field and a 3-byte strict/loose bit map; in RFC 2460, that changed to a 4-byte reserved field. This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter (by making an ND_TCHECK() call check for the presence in the captured data of all 4 bytes of the reserved field; we were printing it as a 4-byte field, so we needed to check for them). Add a test using the capture file supplied by the reporter(s).
1 parent 3c4d7c0 commit 7ac73d6

4 files changed, +4 -3 lines changed

Diff for: ip6.h

+2-3
Original file line numberDiff line numberDiff line change
@@ -181,9 +181,8 @@ struct ip6_rthdr0 {
181181
uint8_t ip6r0_nxt; /* next header */
182182
uint8_t ip6r0_len; /* length in units of 8 octets */
183183
uint8_t ip6r0_type; /* always zero */
184-
uint8_t ip6r0_segleft; /* segments left */
185-
uint8_t ip6r0_reserved; /* reserved field */
186-
uint8_t ip6r0_slmap[3]; /* strict/loose bit map */
184+
uint8_t ip6r0_segleft; /* segments left */
185+
uint32_t ip6r0_reserved; /* reserved field */
187186
struct in6_addr ip6r0_addr[1]; /* up to 23 addresses */
188187
} UNALIGNED;
189188
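Review bot: the comment on the widened `ip6r0_reserved` member should state that its 4-byte width (the RFC 2460 layout) is what the bounds check depends on. The commit message attributes the fix to an ND_TCHECK() call covering all 4 bytes of the reserved field, yet none of the four changed files contains that call, so the fix appears to rest entirely on this declaration; a later edit that narrows or splits the field again would silently bring the over-read back. Separately, the context line `struct in6_addr ip6r0_addr[1]; /* up to 23 addresses */` still carries the RFC 1883 maximum, which RFC 2460 no longer imposes, so that comment should be updated in the same change.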

Diff for: tests/TESTLIST

+1
Original file line numberDiff line numberDiff line change
@@ -434,6 +434,7 @@ q933-heapoverflow-2 q933-heapoverflow-2.pcap q933-heapoverflow-2.out
434434
atm-heapoverflow atm-heapoverflow.pcap atm-heapoverflow.out -c1 -e
435435
ipv6-next-header-oobr-1 ipv6-next-header-oobr-1.pcap ipv6-next-header-oobr-1.out
436436
ipv6-next-header-oobr-2 ipv6-next-header-oobr-2.pcap ipv6-next-header-oobr-2.out
437+
ipv6-rthdr-oobr ipv6-rthdr-oobr.pcap ipv6-rthdr-oobr.out
437438

438439
# bad packets from Kamil Frankowicz
439440
snmp-heapoverflow-1 snmp-heapoverflow-1.pcap snmp-heapoverflow-1.out

Diff for: tests/ipv6-rthdr-oobr.out

+1
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
IP6 3030:3030:3030:3030:3030:3030:3030:3030 > 3030:3030:3030:3030:3030:3030:3030:3030: srcrt (len=48, type=0, segleft=48[|srcrt]
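Review bot: the only expected output added is the truncated case, ending in `[|srcrt]` directly after `segleft=48`, so nothing in this change checks that a complete Type 0 routing header still prints correctly with the 4-byte reserved field and the addresses that follow it. Consider adding a second capture with a well-formed routing header whose full length is present, so the test suite covers both the bounds-check path and the normal path through the changed struct layout.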

Diff for: tests/ipv6-rthdr-oobr.pcap

88 Bytes
Binary file not shown.
