CVE-2017-13012/ICMP: Add a missing bounds check.
Check before fetching the length from the included packet's IPv4 header.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
guyharris authored and infrastation committed Sep 13, 2017
1 parent 9f0730b commit 8509ef0
Showing 4 changed files with 5 additions and 0 deletions.
1 change: 1 addition & 0 deletions print-icmp.c
Expand Up @@ -581,6 +581,7 @@ icmp_print(netdissect_options *ndo, const u_char *bp, u_int plen, const u_char *
ND_PRINT((ndo, "\n\t"));
ip = (const struct ip *)bp;
snapend_save = ndo->ndo_snapend;
ND_TCHECK_16BITS(&ip->ip_len);
ip_print(ndo, bp, EXTRACT_16BITS(&ip->ip_len));
ndo->ndo_snapend = snapend_save;
}
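Review bot: the new `ND_TCHECK_16BITS(&ip->ip_len);` in icmp_print() sits between `snapend_save = ndo->ndo_snapend;` and the matching restore, so a failed check leaves the function inside the save/restore pair. Nothing in these lines modifies ndo_snapend before ip_print(), so this is harmless as written, but moving the check above the save would keep the pair tight around ip_print() and make it obvious that an early exit cannot skip a needed restore. A one-line comment saying that the check guards the EXTRACT_16BITS() read of the embedded IPv4 header's ip_len would also help; note that it covers only those two bytes, and the extracted value is handed to ip_print() as the length without being compared against plen.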
1 change: 1 addition & 0 deletions tests/TESTLIST
Expand Up @@ -509,6 +509,7 @@ pktap-heap-overflow pktap-heap-overflow.pcap pktap-heap-overflow.out -v

# bad packets from Bhargava Shastry
lldp_asan lldp_asan.pcap lldp_asan.out -v
extract_read2_asan extract_read2_asan.pcap extract_read2_asan.out -v

# RTP tests
# fuzzed pcap
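Review bot: the new TESTLIST entry `extract_read2_asan` names neither the dissector nor the CVE, so someone reading this list cannot tell that it covers the ICMP over-read fixed in print-icmp.c. Either rename it along the lines of an icmp-prefixed name or extend the `# bad packets from Bhargava Shastry` comment with a note tying this line to CVE-2017-13012. The commit message says the capture was modified so it would not be rejected as invalid; recording what was changed, here or in the message, would let the file be regenerated from the reporter's original.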
3 changes: 3 additions & 0 deletions tests/extract_read2_asan.out
@@ -0,0 +1,3 @@
IP (tos 0x14, id 1, offset 0, flags [none], proto ICMP (1), length 512, options (unknown 3,unknown 3,unknown 3 [bad length 3]), bad cksum 3ff (->b4bd)!)
240.25.0.0 > 3.3.3.3: ICMP source quench, length 484
[|icmp]
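Review bot: the expected output ends at `[|icmp]` directly after the source quench line, so this test only pins the path where the new check fails. That is the right regression for the over-read, but nothing added here exercises the same lines with an embedded IPv4 header that is fully captured; if no existing test already prints an ICMP error's embedded header with -v, a small companion capture would confirm the check does not change the normal output.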
Binary file added tests/extract_read2_asan.pcap