
Commit 9851220

guyharrisinfrastation
authored andcommitted
CVE-2017-13015/EAP: Add more bounds checks.
This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
1 parent cc35651 commit 9851220


4 files changed

+17
-4
lines changed


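--- a/print-eap.c
+++ b/print-eap.c
@@ -182,7 +182,9 @@ eap_print(netdissect_options *ndo,
 
 switch (eap->type) {
 case EAP_FRAME_TYPE_PACKET:
+ND_TCHECK_8BITS(tptr);
 type = *(tptr);
+ND_TCHECK_16BITS(tptr+2);
 len = EXTRACT_16BITS(tptr+2);
 ND_PRINT((ndo, ", %s (%u), id %u, len %u",
 tok2str(eap_code_values, "unknown", type),
@@ -193,10 +195,11 @@ eap_print(netdissect_options *ndo,
 ND_TCHECK2(*tptr, len);
 
 if (type <= 2) { /* For EAP_REQUEST and EAP_RESPONSE only */
+ND_TCHECK_8BITS(tptr+4);
 subtype = *(tptr+4);
 ND_PRINT((ndo, "\n\t\t Type %s (%u)",
-tok2str(eap_type_values, "unknown", *(tptr+4)),
-*(tptr + 4)));
+tok2str(eap_type_values, "unknown", subtype),
+subtype));
 
 switch (subtype) {
 case EAP_TYPE_IDENTITY:
@@ -222,6 +225,7 @@ eap_print(netdissect_options *ndo,
 * type one octet per type
 */
 while (count < len) {
+ND_TCHECK_8BITS(tptr+count);
 ND_PRINT((ndo, " %s (%u),",
 tok2str(eap_type_values, "unknown", *(tptr+count)),
 *(tptr + count)));
@@ -230,26 +234,31 @@ eap_print(netdissect_options *ndo,
 break;
 
 case EAP_TYPE_TTLS:
-ND_PRINT((ndo, " TTLSv%u",
-EAP_TTLS_VERSION(*(tptr + 5)))); /* fall through */
 case EAP_TYPE_TLS:
+ND_TCHECK_8BITS(tptr + 5);
+if (subtype == EAP_TYPE_TTLS)
+ND_PRINT((ndo, " TTLSv%u",
+EAP_TTLS_VERSION(*(tptr + 5))));
 ND_PRINT((ndo, " flags [%s] 0x%02x,",
 bittok2str(eap_tls_flags_values, "none", *(tptr+5)),
 *(tptr + 5)));
 
 if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) {
+ND_TCHECK_32BITS(tptr + 6);
 ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6)));
 }
 break;
 
 case EAP_TYPE_FAST:
+ND_TCHECK_8BITS(tptr + 5);
 ND_PRINT((ndo, " FASTv%u",
 EAP_TTLS_VERSION(*(tptr + 5))));
 ND_PRINT((ndo, " flags [%s] 0x%02x,",
 bittok2str(eap_tls_flags_values, "none", *(tptr+5)),
 *(tptr + 5)));
 
 if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) {
+ND_TCHECK_32BITS(tptr + 6);
 ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6)));
 }
 
@@ -258,6 +267,7 @@ eap_print(netdissect_options *ndo,
 
 case EAP_TYPE_AKA:
 case EAP_TYPE_SIM:
+ND_TCHECK_8BITS(tptr + 5);
 ND_PRINT((ndo, " subtype [%s] 0x%02x,",
 tok2str(eap_aka_subtype_values, "unknown", *(tptr+5)),
 *(tptr + 5)));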
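Review bot: The added ND_TCHECK_* calls keep every read inside the captured data, but after `ND_TCHECK2(*tptr, len);` the code still dereferences `tptr+4`, `tptr+5` and the 32-bit value at `tptr+6` when the packet's own `len` is smaller than that, so a frame with a tiny advertised length (the new test prints `len 0`) is dissected from bytes beyond what the packet claims to contain. A minimum-length check such as `if (len < 5) goto trunc;` right after the ND_TCHECK2 line — assuming the usual tcpdump `trunc` label that the ND_TCHECK macros jump to exists in this function — would make the advertised length authoritative, and it would also make the per-octet `ND_TCHECK_8BITS(tptr+count)` in the `while (count < len)` loop redundant, since `[tptr, tptr+len)` has already been verified by then. The TLS/TTLS/FAST cases read offset 5 and, when the L bit is set, offsets 6–9, so the same bound could be tightened per subtype rather than relying only on the capture boundary. eap_print begins and ends outside these hunks.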

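--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -512,6 +512,7 @@ wb-oobr wb-oobr.pcap wb-oobr.out -v
 lldp_asan lldp_asan.pcap lldp_asan.out -v
 extract_read2_asan extract_read2_asan.pcap extract_read2_asan.out -v
 getname_2_read4_asan getname_2_read4_asan.pcap getname_2_read4_asan.out -v
+eap_extract_read2_asan eap_extract_read2_asan.pcap eap_extract_read2_asan.out -v
 
 # RTP tests
 # fuzzed pcap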

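--- a/tests/eap_extract_read2_asan.out
+++ b/tests/eap_extract_read2_asan.out
@@ -0,0 +1,2 @@
+EAP packet (0) v155, len 0
+[|EAP]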

Diff for: tests/eap_extract_read2_asan.pcap

60 Bytes
Binary file not shown.
