Skip to content
Permalink
Browse files Browse the repository at this point in the history
CVE-2017-12986/IPv6 R.H.: Update to reflect the actual IPv6 RFC.
In RFC 1883, the Type 0 routing header had a 1-byte reserved field and a
3-byte strict/loose bit map; in RFC 2460, that changed to a 4-byte
reserved field.

This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter (by
making an ND_TCHECK() call check for the presence in the captured data
of all 4 bytes of the reserved field; we were printing it as a 4-byte
field, so we needed to check for them).

Add a test using the capture file supplied by the reporter(s).
  • Loading branch information
guyharris authored and infrastation committed Sep 13, 2017
1 parent 3c4d7c0 commit 7ac73d6
Show file tree
Hide file tree
Showing 4 changed files with 4 additions and 3 deletions.
5 changes: 2 additions & 3 deletions ip6.h
Expand Up @@ -181,9 +181,8 @@ struct ip6_rthdr0 {
uint8_t ip6r0_nxt; /* next header */
uint8_t ip6r0_len; /* length in units of 8 octets */
uint8_t ip6r0_type; /* always zero */
uint8_t ip6r0_segleft; /* segments left */
uint8_t ip6r0_reserved; /* reserved field */
uint8_t ip6r0_slmap[3]; /* strict/loose bit map */
uint8_t ip6r0_segleft; /* segments left */
uint32_t ip6r0_reserved; /* reserved field */
struct in6_addr ip6r0_addr[1]; /* up to 23 addresses */
} UNALIGNED;

Expand Down
1 change: 1 addition & 0 deletions tests/TESTLIST
Expand Up @@ -434,6 +434,7 @@ q933-heapoverflow-2 q933-heapoverflow-2.pcap q933-heapoverflow-2.out
atm-heapoverflow atm-heapoverflow.pcap atm-heapoverflow.out -c1 -e
ipv6-next-header-oobr-1 ipv6-next-header-oobr-1.pcap ipv6-next-header-oobr-1.out
ipv6-next-header-oobr-2 ipv6-next-header-oobr-2.pcap ipv6-next-header-oobr-2.out
ipv6-rthdr-oobr ipv6-rthdr-oobr.pcap ipv6-rthdr-oobr.out

# bad packets from Kamil Frankowicz
snmp-heapoverflow-1 snmp-heapoverflow-1.pcap snmp-heapoverflow-1.out
Expand Down
1 change: 1 addition & 0 deletions tests/ipv6-rthdr-oobr.out
@@ -0,0 +1 @@
IP6 3030:3030:3030:3030:3030:3030:3030:3030 > 3030:3030:3030:3030:3030:3030:3030:3030: srcrt (len=48, type=0, segleft=48[|srcrt]
Binary file added tests/ipv6-rthdr-oobr.pcap
Binary file not shown.

0 comments on commit 7ac73d6

Please sign in to comment.