Skip to content
Permalink
Browse files Browse the repository at this point in the history
CVE-2017-13024/IPv6 mobility: Add a bounds check before fetching data
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't cause 'tcpdump: pcap_loop: truncated dump file'
  • Loading branch information
fxlb authored and infrastation committed Sep 13, 2017
1 parent b8e559a commit 7d3aba9
Show file tree
Hide file tree
Showing 4 changed files with 4 additions and 0 deletions.
2 changes: 2 additions & 0 deletions print-mobility.c
Expand Up @@ -166,6 +166,8 @@ mobility_opt_print(netdissect_options *ndo,
ND_PRINT((ndo, "(ni: trunc)"));
goto trunc;
}
ND_TCHECK_16BITS(&bp[i+2]);
ND_TCHECK_16BITS(&bp[i+4]);
ND_PRINT((ndo, "(ni: ho=0x%04x co=0x%04x)",
EXTRACT_16BITS(&bp[i+2]),
EXTRACT_16BITS(&bp[i+4])));
Expand Down
1 change: 1 addition & 0 deletions tests/TESTLIST
Expand Up @@ -525,6 +525,7 @@ vtp_asan vtp_asan.pcap vtp_asan.out -v
icmp6_mobileprefix_asan icmp6_mobileprefix_asan.pcap icmp6_mobileprefix_asan.out -v
ip_printroute_asan ip_printroute_asan.pcap ip_printroute_asan.out -v
mobility_opt_asan mobility_opt_asan.pcap mobility_opt_asan.out -v
mobility_opt_asan_2 mobility_opt_asan_2.pcap mobility_opt_asan_2.out -v

# RTP tests
# fuzzed pcap
Expand Down
1 change: 1 addition & 0 deletions tests/mobility_opt_asan_2.out
@@ -0,0 +1 @@
IP6 (class 0x50, flowlabel 0x0002c, hlim 0, next-header Mobile IP (old) (62) payload length: 7168) ff:7f0f:40:0:ee00:0:b658:5203 > 205:20:1:b00:0:2200:af01:e000: mobility: BRR(type-0x06: len=0)[|MOBILITY]
Binary file added tests/mobility_opt_asan_2.pcap
Binary file not shown.

0 comments on commit 7d3aba9

Please sign in to comment.