
Commit 877b66b

guyharrisinfrastation
authored andcommitted
CVE-2017-13010/BEEP: Do bounds checking when comparing strings.
This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter. Add a test using the capture file supplied by the reporter(s).
1 parent db8c799 commit 877b66b

4 files changed

+20
-9
lines changed


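--- a/print-beep.c
+++ b/print-beep.c
@@ -28,9 +28,17 @@
  */
 
 static int
-l_strnstart(const char *tstr1, u_int tl1, const char *str2, u_int l2)
+l_strnstart(netdissect_options *ndo, const char *tstr1, u_int tl1,
+    const char *str2, u_int l2)
 {
-
+	if (!ND_TTEST2(*str2, tl1)) {
+		/*
+		 * We don't have tl1 bytes worth of captured data
+		 * for the string, so we can't check for this
+		 * string.
+		 */
+		return 0;
+	}
 	if (tl1 > l2)
 		return 0;
 
@@ -41,19 +49,19 @@ void
 beep_print(netdissect_options *ndo, const u_char *bp, u_int length)
 {
 
-	if (l_strnstart("MSG", 4, (const char *)bp, length)) /* A REQuest */
+	if (l_strnstart(ndo, "MSG", 4, (const char *)bp, length)) /* A REQuest */
 		ND_PRINT((ndo, " BEEP MSG"));
-	else if (l_strnstart("RPY ", 4, (const char *)bp, length))
+	else if (l_strnstart(ndo, "RPY ", 4, (const char *)bp, length))
 		ND_PRINT((ndo, " BEEP RPY"));
-	else if (l_strnstart("ERR ", 4, (const char *)bp, length))
+	else if (l_strnstart(ndo, "ERR ", 4, (const char *)bp, length))
 		ND_PRINT((ndo, " BEEP ERR"));
-	else if (l_strnstart("ANS ", 4, (const char *)bp, length))
+	else if (l_strnstart(ndo, "ANS ", 4, (const char *)bp, length))
 		ND_PRINT((ndo, " BEEP ANS"));
-	else if (l_strnstart("NUL ", 4, (const char *)bp, length))
+	else if (l_strnstart(ndo, "NUL ", 4, (const char *)bp, length))
 		ND_PRINT((ndo, " BEEP NUL"));
-	else if (l_strnstart("SEQ ", 4, (const char *)bp, length))
+	else if (l_strnstart(ndo, "SEQ ", 4, (const char *)bp, length))
 		ND_PRINT((ndo, " BEEP SEQ"));
-	else if (l_strnstart("END", 4, (const char *)bp, length))
+	else if (l_strnstart(ndo, "END", 4, (const char *)bp, length))
 		ND_PRINT((ndo, " BEEP END"));
 	else
 		ND_PRINT((ndo, " BEEP (payload or undecoded)"));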
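Review bot: l_strnstart now returns 0 for two distinct reasons (str2 not fully captured, or the declared length l2 shorter than tl1) but carries no comment stating that contract, and the comparison that the ND_TTEST2 guard protects lies below the hunk, so a reader of the signature cannot see why ndo was added; I'd put above `static int` a comment such as `/* Return nonzero if the first tl1 bytes of str2 equal tstr1; return 0 if fewer than tl1 bytes of str2 were captured or if l2 < tl1. */`. Separately, the updated calls `l_strnstart(ndo, "MSG", 4, ...)` and `l_strnstart(ndo, "END", 4, ...)` in beep_print compare four bytes against three-character literals, so the fourth byte matched is the literal's NUL terminator, whereas every other case uses a trailing space (`"RPY "`); this predates the commit, but if BEEP keywords are space-terminated then `"MSG "` and `"END "` are presumably what was intended, and the new beep-oobr test only exercises the undecoded path so it would not catch this. The ND_TTEST2 check is correctly placed before any read of str2, and with tl1 fixed at 4 by all callers the guard covers exactly the bytes the comparison reads.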

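--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -440,6 +440,7 @@ decnet-shorthdr-oobr decnet-shorthdr-oobr.pcap decnet-shorthdr-oobr.out
 isakmp-3948-oobr-2 isakmp-3948-oobr-2.pcap isakmp-3948-oobr-2.out
 ieee802.11_rates_oobr ieee802.11_rates_oobr.pcap ieee802.11_rates_oobr.out
 ipv6-mobility-header-oobr ipv6-mobility-header-oobr.pcap ipv6-mobility-header-oobr.out
+beep-oobr beep-oobr.pcap beep-oobr.out
 
 # bad packets from Kamil Frankowicz
 snmp-heapoverflow-1 snmp-heapoverflow-1.pcap snmp-heapoverflow-1.out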

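--- /dev/null
+++ b/tests/beep-oobr.out
@@ -0,0 +1,2 @@
+unknown ip 3
+IP6 3030:3030:3030:3030:3030:3030:3030:3030.10288 > 3030:3030:3030:3030:3030:3030:3030:3030.12336: Flags [.U], seq 808464432:808476740, ack 808464432, win 12336, urg 12336, options [eol], length 12308 BEEP (payload or undecoded)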

Diff for: tests/beep-oobr.pcap

218 Bytes
Binary file not shown.
