
CVE-2017-13015/EAP: Add more bounds checks.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
guyharris authored and infrastation committed Mar 16, 2017
1 parent cc35651 commit 985122081165753c7442bd7824c473eb9ff56308
Showing with 17 additions and 4 deletions.
  1. +14 −4 print-eap.c
  2. +1 −0 tests/TESTLIST
  3. +2 −0 tests/eap_extract_read2_asan.out
  4. BIN tests/eap_extract_read2_asan.pcap
@@ -182,7 +182,9 @@ eap_print(netdissect_options *ndo,

switch (eap->type) {
case EAP_FRAME_TYPE_PACKET:
ND_TCHECK_8BITS(tptr);
type = *(tptr);
ND_TCHECK_16BITS(tptr+2);
len = EXTRACT_16BITS(tptr+2);
ND_PRINT((ndo, ", %s (%u), id %u, len %u",
tok2str(eap_code_values, "unknown", type),
@@ -193,10 +195,11 @@ eap_print(netdissect_options *ndo,
ND_TCHECK2(*tptr, len);

if (type <= 2) { /* For EAP_REQUEST and EAP_RESPONSE only */
ND_TCHECK_8BITS(tptr+4);
subtype = *(tptr+4);
ND_PRINT((ndo, "\n\t\t Type %s (%u)",
tok2str(eap_type_values, "unknown", *(tptr+4)),
*(tptr + 4)));
tok2str(eap_type_values, "unknown", subtype),
subtype));

switch (subtype) {
case EAP_TYPE_IDENTITY:
@@ -222,6 +225,7 @@ eap_print(netdissect_options *ndo,
* type one octet per type
*/
while (count < len) {
ND_TCHECK_8BITS(tptr+count);
ND_PRINT((ndo, " %s (%u),",
tok2str(eap_type_values, "unknown", *(tptr+count)),
*(tptr + count)));
@@ -230,26 +234,31 @@ eap_print(netdissect_options *ndo,
break;

case EAP_TYPE_TTLS:
ND_PRINT((ndo, " TTLSv%u",
EAP_TTLS_VERSION(*(tptr + 5)))); /* fall through */
case EAP_TYPE_TLS:
ND_TCHECK_8BITS(tptr + 5);
if (subtype == EAP_TYPE_TTLS)
ND_PRINT((ndo, " TTLSv%u",
EAP_TTLS_VERSION(*(tptr + 5))));
ND_PRINT((ndo, " flags [%s] 0x%02x,",
bittok2str(eap_tls_flags_values, "none", *(tptr+5)),
*(tptr + 5)));

if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) {
ND_TCHECK_32BITS(tptr + 6);
ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6)));
}
break;

case EAP_TYPE_FAST:
ND_TCHECK_8BITS(tptr + 5);
ND_PRINT((ndo, " FASTv%u",
EAP_TTLS_VERSION(*(tptr + 5))));
ND_PRINT((ndo, " flags [%s] 0x%02x,",
bittok2str(eap_tls_flags_values, "none", *(tptr+5)),
*(tptr + 5)));

if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) {
ND_TCHECK_32BITS(tptr + 6);
ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6)));
}

@@ -258,6 +267,7 @@ eap_print(netdissect_options *ndo,

case EAP_TYPE_AKA:
case EAP_TYPE_SIM:
ND_TCHECK_8BITS(tptr + 5);
ND_PRINT((ndo, " subtype [%s] 0x%02x,",
tok2str(eap_aka_subtype_values, "unknown", *(tptr+5)),
*(tptr + 5)));
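Review bot: The new ND_TCHECK_8BITS/ND_TCHECK_32BITS calls on `tptr+4`, `tptr+5` and `tptr+6` bound each read against the captured data, but nothing bounds them against the packet's own `len` field taken from `EXTRACT_16BITS(tptr+2)`, so a header that declares a `len` smaller than the fields being decoded (the new test capture declares `len 0`) passes `ND_TCHECK2(*tptr, len)` trivially and the decoder then reports a type, flags and TLS length taken from whatever bytes follow the 4-byte header in the capture. After this commit that is a parsing-consistency issue rather than a memory-safety one, and it may be deliberate leniency, so treat it as a suggestion. A minimal guard placed right after the `len` field is printed would be `if (len < 4) { ND_PRINT((ndo, " [invalid len]")); return; }`, and the `tptr+5` flags byte and the four-byte length at `tptr+6` would correspondingly want `len >= 6` and `len >= 10` checks alongside the snapshot checks. eap_print starts before the first hunk and its truncation handling (wherever the ND_TCHECK macros jump on failure) is outside this view, so the usual netdissect semantics are assumed here.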
@@ -512,6 +512,7 @@ wb-oobr wb-oobr.pcap wb-oobr.out -v
lldp_asan lldp_asan.pcap lldp_asan.out -v
extract_read2_asan extract_read2_asan.pcap extract_read2_asan.out -v
getname_2_read4_asan getname_2_read4_asan.pcap getname_2_read4_asan.out -v
eap_extract_read2_asan eap_extract_read2_asan.pcap eap_extract_read2_asan.out -v

# RTP tests
# fuzzed pcap
@@ -0,0 +1,2 @@
EAP packet (0) v155, len 0
[|EAP]
