CVE-2017-13036/OSPFv3: Add a bounds check before fetching data

This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
the-tcpdump-group · Sep 13, 2017 · 88b2dac · 88b2dac
1 parent 571a6f3
commit 88b2dac
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 0 deletions.
diff --git a/print-ospf6.c b/print-ospf6.c
@@ -735,6 +735,7 @@ ospf6_decode_v3(netdissect_options *ndo,
 	case OSPF_TYPE_HELLO: {
 		register const struct hello6 *hellop = (const struct hello6 *)((const uint8_t *)op + OSPF6HDR_LEN);
 
+		ND_TCHECK_32BITS(&hellop->hello_options);
 		ND_PRINT((ndo, "\n\tOptions [%s]",
 		          bittok2str(ospf6_option_values, "none",
 		          EXTRACT_32BITS(&hellop->hello_options))));

diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -549,6 +549,7 @@ pim_header_asan-2	pim_header_asan-2.pcap		pim_header_asan-2.out	-v
 pim_header_asan-3	pim_header_asan-3.pcap		pim_header_asan-3.out	-v
 ip6_frag_asan		ip6_frag_asan.pcap		ip6_frag_asan.out	-v
 radius_attr_asan	radius_attr_asan.pcap		radius_attr_asan.out	-v
+ospf6_decode_v3_asan	ospf6_decode_v3_asan.pcap	ospf6_decode_v3_asan.out -v
 
 # RTP tests
 # fuzzed pcap

diff --git a/tests/ospf6_decode_v3_asan.out b/tests/ospf6_decode_v3_asan.out
@@ -0,0 +1,2 @@
+IP6 (class 0x76, flowlabel 0xf6701, hlim 109, next-header OSPF (89) payload length: 30311) 6767:6780:6767:a102:4:b6:5853:f040 > 1000:a32:8847:1::116: OSPFv3, Hello, length 30311
+	Router-ID 1.1.0.34, Area 0.255.2.2, Instance 82 [|ospf3]
diff --git a/tests/ospf6_decode_v3_asan.pcap b/tests/ospf6_decode_v3_asan.pcap