CVE-2017-12987/IEEE 802.11: Fix processing of TIM IE.
The arguments to memcpy() were completely wrong.

This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by Brian 'geeknik' Carpenter.
guyharris authored and infrastation committed Sep 13, 2017
1 parent d17507f commit 99798bd
Showing 4 changed files with 6 additions and 2 deletions.
3 changes: 1 addition & 2 deletions print-802_11.c
@@ -1189,8 +1189,7 @@ parse_elements(netdissect_options *ndo,
offset += 3;
length -= 3;

memcpy(tim.bitmap, p + (tim.length - 3),
(tim.length - 3));
memcpy(tim.bitmap, p + offset + 3, tim.length - 3);
offset += tim.length - 3;
length -= tim.length - 3;
/*
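Review bot: the replacement `memcpy(tim.bitmap, p + offset + 3, tim.length - 3);` still looks three bytes off. The `offset += 3;` at the top of the hunk has already moved `offset` past the three bytes consumed there, so the bitmap should start at `p + offset`; the `offset += tim.length - 3;` that follows the copy advances from the current position, not from `offset + 3`, so the copy source and the advance disagree, and the last three bytes copied come from past the end of the element. Suggest `memcpy(tim.bitmap, p + offset, tim.length - 3);`. Also worth confirming, since it is outside the hunk, that `tim.length - 3` has been checked against `sizeof tim.bitmap` and the element is covered by an `ND_TCHECK` before this point; otherwise the over-read only moves.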
1 change: 1 addition & 0 deletions tests/TESTLIST
@@ -435,6 +435,7 @@ atm-heapoverflow atm-heapoverflow.pcap atm-heapoverflow.out -c1 -e
ipv6-next-header-oobr-1 ipv6-next-header-oobr-1.pcap ipv6-next-header-oobr-1.out
ipv6-next-header-oobr-2 ipv6-next-header-oobr-2.pcap ipv6-next-header-oobr-2.out
ipv6-rthdr-oobr ipv6-rthdr-oobr.pcap ipv6-rthdr-oobr.out
ieee802.11_tim_ie_oobr ieee802.11_tim_ie_oobr.pcap ieee802.11_tim_ie_oobr.out

# bad packets from Kamil Frankowicz
snmp-heapoverflow-1 snmp-heapoverflow-1.pcap snmp-heapoverflow-1.out
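Review bot: the new entry lands above the `# bad packets from Kamil Frankowicz` header, so it goes into whatever group precedes that comment; the commit message credits Frankowicz with finding the over-read and Brian Carpenter with the capture, so check that the placement follows the file's convention for grouping test captures by contributor. The entry itself is consistent with its neighbours (test name, `.pcap` and `.out` names match, no extra flags).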
4 changes: 4 additions & 0 deletions tests/ieee802.11_tim_ie_oobr.out
@@ -0,0 +1,4 @@
ReAssoc Response AID(3030) : PRIVACY : n/a[|802.11]
ReAssoc Response AID(3030) : PRIVACY : n/a[|802.11]
[|802.11]
ReAssoc Response AID(3030) : PRIVACY : n/a[|802.11]
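Review bot: all four expected lines end in `[|802.11]`, so every frame in the capture is reported as truncated; the test therefore only shows that the decoder now stops cleanly instead of reading past the buffer, and nothing in it exercises a complete TIM element or checks that the bitmap is copied from the right bytes. A second, well-formed frame carrying a TIM IE (run with `-v` if that is what prints its contents) would let this regression test also cover the corrected copy.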
Binary file added tests/ieee802.11_tim_ie_oobr.pcap