Commit 88b2dac

fxlb authored and infrastation committed
CVE-2017-13036/OSPFv3: Add a bounds check before fetching data
This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
1 parent 571a6f3 commit 88b2dac

4 files changed: +4 -0 lines changed

Diff for: print-ospf6.c

+1
@@ -735,6 +735,7 @@ ospf6_decode_v3(netdissect_options *ndo,
735735
case OSPF_TYPE_HELLO: {
736736
register const struct hello6 *hellop = (const struct hello6 *)((const uint8_t *)op + OSPF6HDR_LEN);
737737

738+
ND_TCHECK_32BITS(&hellop->hello_options);
738739
ND_PRINT((ndo, "\n\tOptions [%s]",
739740
bittok2str(ospf6_option_values, "none",
740741
EXTRACT_32BITS(&hellop->hello_options))));
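
Review bot: The ND_TCHECK_32BITS added at new line 738 covers only the four bytes of hellop->hello_options, which matches the EXTRACT_32BITS at new line 741, but hellop is computed from op + OSPF6HDR_LEN and no check on the rest of struct hello6 is visible in this hunk. Any later fetch through hellop in this case needs its own ND_TCHECK in front of it, or one check on the whole structure placed here. Please confirm that holds for the fields read after this ND_PRINT, which fall outside the context shown.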

Diff for: tests/TESTLIST

+1
@@ -549,6 +549,7 @@ pim_header_asan-2 pim_header_asan-2.pcap pim_header_asan-2.out -v
549549
pim_header_asan-3 pim_header_asan-3.pcap pim_header_asan-3.out -v
550550
ip6_frag_asan ip6_frag_asan.pcap ip6_frag_asan.out -v
551551
radius_attr_asan radius_attr_asan.pcap radius_attr_asan.out -v
552+
ospf6_decode_v3_asan ospf6_decode_v3_asan.pcap ospf6_decode_v3_asan.out -v
552553

553554
# RTP tests
554555
# fuzzed pcap

Diff for: tests/ospf6_decode_v3_asan.out

+2
@@ -0,0 +1,2 @@
1+
IP6 (class 0x76, flowlabel 0xf6701, hlim 109, next-header OSPF (89) payload length: 30311) 6767:6780:6767:a102:4:b6:5853:f040 > 1000:a32:8847:1::116: OSPFv3, Hello, length 30311
2+
Router-ID 1.1.0.34, Area 0.255.2.2, Instance 82 [|ospf3]
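
Review bot: The expected output ends with [|ospf3] directly after the Router-ID line, so this test pins only the truncation path for a capture cut short before hello_options. Nothing added here shows that a complete OSPFv3 Hello still prints its Options line once the new check is in place. If an existing test already covers that case, name it alongside this one; otherwise add a companion test with an untruncated Hello.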

Diff for: tests/ospf6_decode_v3_asan.pcap

114 Bytes
Binary file not shown.
