Commit 83a412a

infrastation authored and fxlb committed
(for 4.9.3) CVE-2018-16228/HNCP: make buffer access safer
print_prefix() has a buffer and does not initialize it. It may call decode_prefix6(), which also does not initialize the buffer on invalid input. When that happens, make sure to return from print_prefix() before trying to print the [still uninitialized] buffer. This fixes a buffer over-read discovered by Wang Junjie of 360 ESG Codesafe Team. Add a test using the capture file supplied by the reporter(s).
1 parent 13d52e9 commit 83a412a

4 files changed
+51
-0
lines changed

Diff for: print-hncp.c

+2
@@ -229,6 +229,8 @@ print_prefix(netdissect_options *ndo, const u_char *prefix, u_int max_length)
229229
plenbytes += 1 + IPV4_MAPPED_HEADING_LEN;
230230
} else {
231231
plenbytes = decode_prefix6(ndo, prefix, max_length, buf, sizeof(buf));
232+
if (plenbytes < 0)
233+
return plenbytes;
232234
}
233235

234236
ND_PRINT((ndo, "%s", buf));
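Review bot: the early return only guards the IPv6 branch; the IPv4 branch above it (`plenbytes += 1 + IPV4_MAPPED_HEADING_LEN;`) shows no corresponding check in the visible context, and the commit message states that print_prefix() never initializes `buf`, so any other path that reaches `ND_PRINT((ndo, "%s", buf));` without filling the buffer would still read uninitialized stack. Consider also initializing `buf` at its declaration (or `buf[0] = '\0';` before the branch) so the printf cannot read garbage regardless of which decode path fails, and confirm that print_prefix()'s caller treats a negative return as an error rather than as a byte count.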

Diff for: tests/TESTLIST

+1
@@ -600,6 +600,7 @@ babel_update_oobr babel_update_oobr.pcap babel_update_oobr.out -c 52
600600
# bad packets from Junjie Wang
601601
ospf6_print_lshdr-oobr ospf6_print_lshdr-oobr.pcapng ospf6_print_lshdr-oobr.out -vv -c15
602602
rpl-dao-oobr rpl-dao-oobr.pcapng rpl-dao-oobr.out -vv -c1
603+
hncp_prefix-oobr hncp_prefix-oobr.pcapng hncp_prefix-oobr.out -vvv
603604

604605
# RTP tests
605606
# fuzzed pcap
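Review bot: the new TESTLIST entry runs with `-vvv` and no `-c` packet limit, while the neighbouring entries from the same reporter (`ospf6_print_lshdr-oobr ... -vv -c15`, `rpl-dao-oobr ... -vv -c1`) cap the packet count. Consider adding a `-c` so the expected output covers only the packets that exercise this fix; that keeps the .out file from churning when unrelated dissectors (the capture also contains a Babel packet) change their output.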

Diff for: tests/hncp_prefix-oobr.out

+48
@@ -0,0 +1,48 @@
1+
IP6 (class 0xc0, hlim 1, next-header UDP (17) payload length: 436) fe80::b299:28ff:ffc8:d646.6696 > ff02::59:0:0:1:6.6696: [bad udp cksum 0x2997 -> 0xbbd2!] babel 2 (424)
2+
Hello seqno 58134 interval 4.00s sub-unknown-0x08 sub-pad1 sub-pad1 sub-unknown-0x04 sub-unknown-0x30 sub-diversity 2-2 (bogus) sub-diversity 2-2 (bogus) sub-diversity 2-48 (bogus) (invalid)
3+
Unknown message type 48
4+
Unknown message type 223
5+
Pad 1
6+
Unknown message type 51
7+
Pad 1
8+
Pad 1
9+
Pad 1
10+
HMAC (invalid)
11+
IP6 (hlim 57, next-header UDP (17) payload length: 332) fe80::218:f3ff:ffa9:914e.8231 > fe80::21e:64ff:fe23:4d34.8231: [bad udp cksum 0xbd4b -> 0x0e98!] hncp (324)
12+
Node endpoint (12) NID: 31:da:78:d2 EPID: 03000000
13+
Node state (312) NID: 31:da:78:d2 seqno: 19 160.105s hash: 800088c8e0714638
14+
Peer (16) Peer-NID: 61:69:ed:63 Peer-EPID: 01000000 Local-EPID: 01000000
15+
HNCP-Version (22) M: 0 P: 4 H: 4 L: 4 User-agent: hnetd/cac971d
16+
External-Connection (52)
17+
Reserved: type=0 (4)
18+
Reserved: type=0 (4)
19+
Reserved: type=0 (4)
20+
Reserved: type=0 (4)
21+
Reserved: type=0 (4)
22+
Reserved: type=0 (4)
23+
Reserved: type=0 (4)
24+
Reserved: type=0 (4)
25+
Reserved: type=0 (4)
26+
Reserved: type=0 (4)
27+
Reserved: type=0 (4)
28+
Unassigned: type=510 (4)
29+
Assigned-Prefix (18) EPID: 03000000 Prty: 2 Prefix: fd1f:f88c:e200::/44
30+
(invalid)
31+
Assigned-Prefix (25) EPID: 01000001 Prty: 0 Prefix: ::/0
32+
Reserved: type=0 (4)
33+
Reserved: type=0 (4)
34+
[|hncp]
35+
Assigned-Prefix (25) EPID: 03000000 Prty: 2 Prefix: 10.0.101.0/24
36+
Node-Address (24) EPID: 01000000 IP Address: ::2100:0:ffff:a00:6302
37+
Node-Address (24) EPID: 01000000 IP Address: fd1f:f88c:e207::f3ff
38+
[|hncp]
39+
IP6 (hlim 64, next-header UDP (17) payload length: 564) fe80::218:f3ff:fea9:914e.8231 > fe80::21e:64ff:fe23:4d34.8231: [bad udp cksum 0xe65a -> 0x7725!] hncp (556)
40+
Node endpoint (12) NID: 31:10:00:00 EPID: 00000000
41+
Node state (544) NID: 61:69:ed:63 seqno: 12 969.699s hash: 011fffa1da966148
42+
Peer (16) Peer-NID: 31:da:78:d2 Peer-EPID: 01000000 Local-EPID: 01000000
43+
Future use: type=64031 (22)
44+
External-Connection (23)
45+
Delegated-Prefix (19) VLSO: 0.599s PLSO: 0.299s Prefix: fd1f:f88c:e207::/48
46+
Assigned-Prefix (143) EPID: 8b8b8b8b Prty: 11 Prefix: (invalid)
47+
Private use: type=768 (4)
48+
[|hncp]
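Review bot: only the last packet's `Assigned-Prefix (143) EPID: 8b8b8b8b Prty: 11 Prefix: (invalid)` line exercises the new early return, where decode_prefix6() fails and print_prefix() now returns before printing `buf`; the leading Babel packet and the second HNCP packet are unrelated to the fix. It would help future readers if the commit message named that packet as the trigger, and the expected output should be regenerated under ASan or Valgrind to confirm that the over-read no longer occurs at this point.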

Diff for: tests/hncp_prefix-oobr.pcapng

1.53 KB
Binary file not shown.
