
Commit 8509ef0

guyharris authored and infrastation committed
CVE-2017-13012/ICMP: Add a missing bounds check.
Check before fetching the length from the included packet's IPv4 header. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
1 parent 9f0730b commit 8509ef0

4 files changed: +5 -0 lines changed

Diff for: print-icmp.c

+1
Original file line numberDiff line numberDiff line change
@@ -581,6 +581,7 @@ icmp_print(netdissect_options *ndo, const u_char *bp, u_int plen, const u_char *
581581
ND_PRINT((ndo, "\n\t"));
582582
ip = (const struct ip *)bp;
583583
snapend_save = ndo->ndo_snapend;
584+
ND_TCHECK_16BITS(&ip->ip_len);
584585
ip_print(ndo, bp, EXTRACT_16BITS(&ip->ip_len));
585586
ndo->ndo_snapend = snapend_save;
586587
}
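Review bot: The check added at line 584 covers exactly the 16-bit field that EXTRACT_16BITS(&ip->ip_len) reads on the following line, so the over-read is closed at the point where the length is fetched from the included packet's IPv4 header. Since ND_TCHECK_16BITS bails out on a failed check and runs before ip_print is called, ndo->ndo_snapend has not yet been altered when the check fires, so the save at line 583 and the restore at line 586 stay balanced. Worth a one-line comment on the new line: ip_print is still handed a length taken straight from a possibly hostile packet, so this fix relies on ip_print bounds-checking everything past ip_len itself; stating that the check here guards only the length field makes that division of responsibility explicit for the next reader.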

Diff for: tests/TESTLIST

+1
Original file line numberDiff line numberDiff line change
@@ -509,6 +509,7 @@ pktap-heap-overflow pktap-heap-overflow.pcap pktap-heap-overflow.out -v
509509

510510
# bad packets from Bhargava Shastry
511511
lldp_asan lldp_asan.pcap lldp_asan.out -v
512+
extract_read2_asan extract_read2_asan.pcap extract_read2_asan.out -v
512513

513514
# RTP tests
514515
# fuzzed pcap
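Review bot: The new entry is grouped under the existing "# bad packets from Bhargava Shastry" comment, which matches the attribution in the commit message, but the name extract_read2_asan says nothing about ICMP or CVE-2017-13012, so a reader of TESTLIST cannot connect this capture to the fix without git blame. The file already uses full-line # comments, so a line such as "# CVE-2017-13012: ICMP included IPv4 header ip_len over-read" directly above the entry (or a more descriptive test name) would keep the regression traceable.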

Diff for: tests/extract_read2_asan.out

+3
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
IP (tos 0x14, id 1, offset 0, flags [none], proto ICMP (1), length 512, options (unknown 3,unknown 3,unknown 3 [bad length 3]), bad cksum 3ff (->b4bd)!)
2+
240.25.0.0 > 3.3.3.3: ICMP source quench, length 484
3+
[|icmp]
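Review bot: The expected output ends with the [|icmp] truncation marker, which is what the newly added ND_TCHECK_16BITS yields when the included IPv4 header is cut short, so this .out file exercises the fixed path rather than merely confirming the absence of a crash. The printed header claims length 512 (484 for the ICMP payload) and carries a malformed options list and a bad checksum, while the whole capture file is 74 bytes, so those values come from the crafted packet and not from captured data; it would help to state in the commit message or a TESTLIST comment that the .out file was generated with the fixed binary, since this marker is the observable evidence of the bounds check.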

Diff for: tests/extract_read2_asan.pcap

74 Bytes
Binary file not shown.
