CVE-2017-13036/OSPFv3: Add a bounds check before fetching data

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
fxlb authored and infrastation committed Mar 23, 2017
1 parent 571a6f3 commit 88b2dac837e81cf56dce05e6e7b5989332c0092d
Showing with 4 additions and 0 deletions.
  1. +1 −0 print-ospf6.c
  2. +1 −0 tests/TESTLIST
  3. +2 −0 tests/ospf6_decode_v3_asan.out
  4. BIN tests/ospf6_decode_v3_asan.pcap
@@ -735,6 +735,7 @@ ospf6_decode_v3(netdissect_options *ndo,
case OSPF_TYPE_HELLO: {
register const struct hello6 *hellop = (const struct hello6 *)((const uint8_t *)op + OSPF6HDR_LEN);

ND_TCHECK_32BITS(&hellop->hello_options);
ND_PRINT((ndo, "\n\tOptions [%s]",
bittok2str(ospf6_option_values, "none",
EXTRACT_32BITS(&hellop->hello_options))));
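Review bot: ND_TCHECK_32BITS(&hellop->hello_options) covers only the four bytes that the EXTRACT_32BITS call in the following ND_PRINT reads, so it closes the over-read for the options field and nothing beyond it. The remaining hello6 fields are fetched outside the context shown here; please confirm each of those fetches has its own ND_TCHECK in front of it, or check the fixed part of the structure once with ND_TCHECK(*hellop) right after the cast. A short comment beside the check naming what it guards would help whoever next adds a field to this case.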
@@ -549,6 +549,7 @@ pim_header_asan-2 pim_header_asan-2.pcap pim_header_asan-2.out -v
pim_header_asan-3 pim_header_asan-3.pcap pim_header_asan-3.out -v
ip6_frag_asan ip6_frag_asan.pcap ip6_frag_asan.out -v
radius_attr_asan radius_attr_asan.pcap radius_attr_asan.out -v
ospf6_decode_v3_asan ospf6_decode_v3_asan.pcap ospf6_decode_v3_asan.out -v

# RTP tests
# fuzzed pcap
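Review bot: the ospf6_decode_v3_asan entry carries no pointer to CVE-2017-13036, so the reason this capture is in the suite is recoverable only from the commit log. The file already uses # comment lines (see "# RTP tests" just below), so a one-line comment above the entry naming the CVE would keep the regression traceable. Placement next to the other *_asan entries and the -v flag match the neighbouring lines.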
@@ -0,0 +1,2 @@
IP6 (class 0x76, flowlabel 0xf6701, hlim 109, next-header OSPF (89) payload length: 30311) 6767:6780:6767:a102:4:b6:5853:f040 > 1000:a32:8847:1::116: OSPFv3, Hello, length 30311
Router-ID 1.1.0.34, Area 0.255.2.2, Instance 82 [|ospf3]
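Review bot: the expected output ends in [|ospf3] directly after the Router-ID line with no Options line, so this test pins only the failure path of the new check, on a packet that declares length 30311 but does not contain a complete hello_options field. That is the right result for the reporter's capture, but nothing here exercises a Hello that passes the check; if no existing OSPFv3 test covers a complete Hello, add one so a regression in the success path is caught too. The commit message says the capture was modified to avoid rejection; recording what was changed would let the file be regenerated from the original report.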
Binary file not shown.
