Skip to content

Commit 7d3aba9

Browse files
fxlbinfrastation
authored andcommitted
CVE-2017-13024/IPv6 mobility: Add a bounds check before fetching data
This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't cause 'tcpdump: pcap_loop: truncated dump file'
1 parent b8e559a commit 7d3aba9

File tree

4 files changed

+4
-0
lines changed

4 files changed

+4
-0
lines changed

Diff for: print-mobility.c

+2
Original file line numberDiff line numberDiff line change
@@ -166,6 +166,8 @@ mobility_opt_print(netdissect_options *ndo,
166166
ND_PRINT((ndo, "(ni: trunc)"));
167167
goto trunc;
168168
}
169+
ND_TCHECK_16BITS(&bp[i+2]);
170+
ND_TCHECK_16BITS(&bp[i+4]);
169171
ND_PRINT((ndo, "(ni: ho=0x%04x co=0x%04x)",
170172
EXTRACT_16BITS(&bp[i+2]),
171173
EXTRACT_16BITS(&bp[i+4])));

Diff for: tests/TESTLIST

+1
Original file line numberDiff line numberDiff line change
@@ -525,6 +525,7 @@ vtp_asan vtp_asan.pcap vtp_asan.out -v
525525
icmp6_mobileprefix_asan icmp6_mobileprefix_asan.pcap icmp6_mobileprefix_asan.out -v
526526
ip_printroute_asan ip_printroute_asan.pcap ip_printroute_asan.out -v
527527
mobility_opt_asan mobility_opt_asan.pcap mobility_opt_asan.out -v
528+
mobility_opt_asan_2 mobility_opt_asan_2.pcap mobility_opt_asan_2.out -v
528529

529530
# RTP tests
530531
# fuzzed pcap

Diff for: tests/mobility_opt_asan_2.out

+1
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
IP6 (class 0x50, flowlabel 0x0002c, hlim 0, next-header Mobile IP (old) (62) payload length: 7168) ff:7f0f:40:0:ee00:0:b658:5203 > 205:20:1:b00:0:2200:af01:e000: mobility: BRR(type-0x06: len=0)[|MOBILITY]

Diff for: tests/mobility_opt_asan_2.pcap

143 Bytes
Binary file not shown.

0 commit comments

Comments
 (0)