(for 4.9.3) CVE-2018-16228/HNCP: make buffer access safer
print_prefix() has a buffer and does not initialize it. It may call
decode_prefix6(), which also does not initialize the buffer on invalid
input. When that happens, make sure to return from print_prefix() before
trying to print the [still uninitialized] buffer.

This fixes a buffer over-read discovered by Wang Junjie of 360 ESG
Codesafe Team.

Add a test using the capture file supplied by the reporter(s).
infrastation authored and fxlb committed Aug 27, 2019
1 parent 13d52e9 commit 83a412a
Showing 4 changed files with 51 additions and 0 deletions.
2 changes: 2 additions & 0 deletions print-hncp.c
Expand Up @@ -229,6 +229,8 @@ print_prefix(netdissect_options *ndo, const u_char *prefix, u_int max_length)
plenbytes += 1 + IPV4_MAPPED_HEADING_LEN;
} else {
plenbytes = decode_prefix6(ndo, prefix, max_length, buf, sizeof(buf));
if (plenbytes < 0)
return plenbytes;
}

ND_PRINT((ndo, "%s", buf));
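Review bot: the early return after `decode_prefix6()` closes the over-read, but `buf` is still declared without an initializer, so the safety of `ND_PRINT((ndo, "%s", buf));` now rests on every branch of the if/else filling the buffer before control reaches it. Consider also zeroing the first byte where `buf` is declared (e.g. `buf[0] = '\0';`) as defense in depth, and a one-line comment above `if (plenbytes < 0)` stating that a negative return means the buffer was not written. Since the function now propagates the negative `plenbytes` to its caller, please confirm the callers of print_prefix() treat a negative return as an error rather than as a length.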
1 change: 1 addition & 0 deletions tests/TESTLIST
Expand Up @@ -600,6 +600,7 @@ babel_update_oobr babel_update_oobr.pcap babel_update_oobr.out -c 52
# bad packets from Junjie Wang
ospf6_print_lshdr-oobr ospf6_print_lshdr-oobr.pcapng ospf6_print_lshdr-oobr.out -vv -c15
rpl-dao-oobr rpl-dao-oobr.pcapng rpl-dao-oobr.out -vv -c1
hncp_prefix-oobr hncp_prefix-oobr.pcapng hncp_prefix-oobr.out -vvv

# RTP tests
# fuzzed pcap
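Review bot: the new `hncp_prefix-oobr` entry runs with `-vvv` and no `-c` packet limit, while the two neighbouring entries from the same reporter cap the packet count (`-c15`, `-c1`). If the capture holds more packets than the three in the expected output, adding `-c` keeps the test focused on the packet that triggers the over-read and keeps the .out file small. The placement under `# bad packets from Junjie Wang` is consistent with the existing entries.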
48 changes: 48 additions & 0 deletions tests/hncp_prefix-oobr.out
@@ -0,0 +1,48 @@
IP6 (class 0xc0, hlim 1, next-header UDP (17) payload length: 436) fe80::b299:28ff:ffc8:d646.6696 > ff02::59:0:0:1:6.6696: [bad udp cksum 0x2997 -> 0xbbd2!] babel 2 (424)
Hello seqno 58134 interval 4.00s sub-unknown-0x08 sub-pad1 sub-pad1 sub-unknown-0x04 sub-unknown-0x30 sub-diversity 2-2 (bogus) sub-diversity 2-2 (bogus) sub-diversity 2-48 (bogus) (invalid)
Unknown message type 48
Unknown message type 223
Pad 1
Unknown message type 51
Pad 1
Pad 1
Pad 1
HMAC (invalid)
IP6 (hlim 57, next-header UDP (17) payload length: 332) fe80::218:f3ff:ffa9:914e.8231 > fe80::21e:64ff:fe23:4d34.8231: [bad udp cksum 0xbd4b -> 0x0e98!] hncp (324)
Node endpoint (12) NID: 31:da:78:d2 EPID: 03000000
Node state (312) NID: 31:da:78:d2 seqno: 19 160.105s hash: 800088c8e0714638
Peer (16) Peer-NID: 61:69:ed:63 Peer-EPID: 01000000 Local-EPID: 01000000
HNCP-Version (22) M: 0 P: 4 H: 4 L: 4 User-agent: hnetd/cac971d
External-Connection (52)
Reserved: type=0 (4)
Reserved: type=0 (4)
Reserved: type=0 (4)
Reserved: type=0 (4)
Reserved: type=0 (4)
Reserved: type=0 (4)
Reserved: type=0 (4)
Reserved: type=0 (4)
Reserved: type=0 (4)
Reserved: type=0 (4)
Reserved: type=0 (4)
Unassigned: type=510 (4)
Assigned-Prefix (18) EPID: 03000000 Prty: 2 Prefix: fd1f:f88c:e200::/44
(invalid)
Assigned-Prefix (25) EPID: 01000001 Prty: 0 Prefix: ::/0
Reserved: type=0 (4)
Reserved: type=0 (4)
[|hncp]
Assigned-Prefix (25) EPID: 03000000 Prty: 2 Prefix: 10.0.101.0/24
Node-Address (24) EPID: 01000000 IP Address: ::2100:0:ffff:a00:6302
Node-Address (24) EPID: 01000000 IP Address: fd1f:f88c:e207::f3ff
[|hncp]
IP6 (hlim 64, next-header UDP (17) payload length: 564) fe80::218:f3ff:fea9:914e.8231 > fe80::21e:64ff:fe23:4d34.8231: [bad udp cksum 0xe65a -> 0x7725!] hncp (556)
Node endpoint (12) NID: 31:10:00:00 EPID: 00000000
Node state (544) NID: 61:69:ed:63 seqno: 12 969.699s hash: 011fffa1da966148
Peer (16) Peer-NID: 31:da:78:d2 Peer-EPID: 01000000 Local-EPID: 01000000
Future use: type=64031 (22)
External-Connection (23)
Delegated-Prefix (19) VLSO: 0.599s PLSO: 0.299s Prefix: fd1f:f88c:e207::/48
Assigned-Prefix (143) EPID: 8b8b8b8b Prty: 11 Prefix: (invalid)
Private use: type=768 (4)
[|hncp]
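Review bot: the line that exercises the fix is `Assigned-Prefix (143) EPID: 8b8b8b8b Prty: 11 Prefix: (invalid)` in the third packet, where decode_prefix6() fails and print_prefix() now returns before printing the buffer; a sentence in the commit message naming that line, and noting that the first packet is an unrelated Babel packet from the same capture, would make the purpose of this 48-line expected output clearer to future readers. The `[|hncp]` truncation markers and the `(invalid)` after `Assigned-Prefix (18)` read as expected output for a fuzzed capture rather than further defects, but it is worth stating in the commit message that the test was run under a memory checker so the absence of further over-reads is confirmed rather than assumed.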
Binary file added tests/hncp_prefix-oobr.pcapng
