Commit 99798bd

guyharris authored and infrastation committed
CVE-2017-12987/IEEE 802.11: Fix processing of TIM IE.
The arguments to memcpy() were completely wrong. This fixes a buffer over-read discovered by Kamil Frankowicz. Add a test using the capture file supplied by Brian 'geeknik' Carpenter.
1 parent d17507f commit 99798bd

4 files changed

+6
-2
lines changed

Diff for: print-802_11.c

+1-2
@@ -1189,8 +1189,7 @@ parse_elements(netdissect_options *ndo,
11891189
offset += 3;
11901190
length -= 3;
11911191

1192-
memcpy(tim.bitmap, p + (tim.length - 3),
1193-
(tim.length - 3));
1192+
memcpy(tim.bitmap, p + offset + 3, tim.length - 3);
11941193
offset += tim.length - 3;
11951194
length -= tim.length - 3;
11961195
/*
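Review bot: the new source pointer `p + offset + 3` looks like it skips the three count/period/bitmap-control bytes twice, because the context lines directly above (`offset += 3;` and `length -= 3;`) show that `offset` has already been advanced past them; if the partial virtual bitmap starts right after those bytes, `memcpy(tim.bitmap, p + offset, tim.length - 3);` is the copy that matches the following `offset += tim.length - 3;` bookkeeping. The hunk also shows no check that `tim.length - 3` fits in `tim.bitmap` or lies within the captured data, so either a comment pointing at the bounds check that precedes this copy, or the check itself next to the `memcpy()`, would make the over-read fix easier to verify in review.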

Diff for: tests/TESTLIST

+1
@@ -435,6 +435,7 @@ atm-heapoverflow atm-heapoverflow.pcap atm-heapoverflow.out -c1 -e
435435
ipv6-next-header-oobr-1 ipv6-next-header-oobr-1.pcap ipv6-next-header-oobr-1.out
436436
ipv6-next-header-oobr-2 ipv6-next-header-oobr-2.pcap ipv6-next-header-oobr-2.out
437437
ipv6-rthdr-oobr ipv6-rthdr-oobr.pcap ipv6-rthdr-oobr.out
438+
ieee802.11_tim_ie_oobr ieee802.11_tim_ie_oobr.pcap ieee802.11_tim_ie_oobr.out
438439

439440
# bad packets from Kamil Frankowicz
440441
snmp-heapoverflow-1 snmp-heapoverflow-1.pcap snmp-heapoverflow-1.out
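Review bot: the new `ieee802.11_tim_ie_oobr` entry is inserted just above the `# bad packets from Kamil Frankowicz` section comment, while the commit message credits Kamil Frankowicz with finding this over-read and Brian 'geeknik' Carpenter with supplying the capture; moving the entry under that heading, or adding a short comment naming the capture's origin, would keep TESTLIST's grouping consistent with the attributions in the message.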

Diff for: tests/ieee802.11_tim_ie_oobr.out

+4
@@ -0,0 +1,4 @@
1+
ReAssoc Response AID(3030) : PRIVACY : n/a[|802.11]
2+
ReAssoc Response AID(3030) : PRIVACY : n/a[|802.11]
3+
[|802.11]
4+
ReAssoc Response AID(3030) : PRIVACY : n/a[|802.11]
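Review bot: every line of the expected output ends in the `[|802.11]` truncation marker, so this test establishes that the fixed parser stops cleanly on the malformed capture rather than over-reading, but it never exercises the corrected `memcpy()` on a well-formed TIM element; a second capture with a valid TIM IE, whose expected output shows the decoded element, would confirm that the new source pointer and length are right and not merely safe.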

Diff for: tests/ieee802.11_tim_ie_oobr.pcap

385 Bytes
Binary file not shown.
