
Commit 9f0730b

guyharrisinfrastation
authored andcommitted
CVE-2017-13011/Properly check for buffer overflow in bittok2str_internal().
Also, make the buffer bigger. This fixes a buffer overflow discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
1 parent 9349345 commit 9f0730b

4 files changed

+35
-5
lines changed


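--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -507,6 +507,9 @@ juniper_es juniper_es.pcap juniper_es.out -vvv -e
 l2tp-avp-overflow l2tp-avp-overflow.pcap l2tp-avp-overflow.out -v
 pktap-heap-overflow pktap-heap-overflow.pcap pktap-heap-overflow.out -v
 
+# bad packets from Bhargava Shastry
+lldp_asan lldp_asan.pcap lldp_asan.out -v
+
 # RTP tests
 # fuzzed pcap
 rtp-seg-fault-1 rtp-seg-fault-1.pcap rtp-seg-fault-1.out -v -T rtp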

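--- /dev/null
+++ b/tests/lldp_asan.out
@@ -0,0 +1,14 @@
+LLDP, length 296
+Chassis ID TLV (1), length 6
+Subtype Network address (5): AFI IPv4 (1): 0.0.32.0
+Organization specific TLV (127), length 9: OUI IEEE 802.3 Private (0x00120f)
+MAC/PHY configuration/status Subtype (1)
+autonegotiation [none] (0x00)
+PMD autoneg capability [10BASE-T hdx, 10BASE-T fdx, 100BASE-T4, 100BASE-TX hdx, 100BASE-TX fdx, 100BASE-T2 hdx, 100BASE-T2 fdx, Pause for fdx links, Asym PAUSE for fdx, Sym PAUSE for fdx, Asym and Sym PAUSE for fdx, 1000BASE-{X LX SX CX} hdx, 1000BASE-{X LX SX CX} fdx, 1000BASE-T hdx, 1000BASE-T fdx] (0xffff)
+MAU type unknown (0x2000)
+Organization specific TLV (127), length 9: OUI IEEE 802.3 Private (0x00120f)
+MAC/PHY configuration/status Subtype (1)
+autonegotiation [none] (0x00)
+PMD autoneg capability [Pause for fdx links, Asym PAUSE for fdx, Sym PAUSE for fdx, Asym and Sym PAUSE for fdx, 1000BASE-{X LX SX CX} hdx, 1000BASE-{X LX SX CX} fdx, 1000BASE-T hdx] (0x00fe)
+MAU type unknown (0x0f00)
+End TLV (0), length 0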

Diff for: tests/lldp_asan.pcap

94 Bytes
Binary file not shown.

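--- a/util-print.c
+++ b/util-print.c
@@ -523,8 +523,9 @@ static char *
 bittok2str_internal(register const struct tok *lp, register const char *fmt,
 register u_int v, const char *sep)
 {
-static char buf[256]; /* our stringbuffer */
-int buflen=0;
+static char buf[1024+1]; /* our string buffer */
+char *bufp = buf;
+size_t space_left = sizeof(buf), string_size;
 register u_int rotbit; /* this is the bit we rotate through all bitpositions */
 register u_int tokval;
 const char * sepstr = "";
@@ -539,8 +540,20 @@ bittok2str_internal(register const struct tok *lp, register const char *fmt,
 */
 if (tokval == (v&rotbit)) {
 /* ok we have found something */
-buflen+=snprintf(buf+buflen, sizeof(buf)-buflen, "%s%s",
-sepstr, lp->s);
+if (space_left <= 1)
+return (buf); /* only enough room left for NUL, if that */
+string_size = strlcpy(bufp, sepstr, space_left);
+if (string_size >= space_left)
+return (buf); /* we ran out of room */
+bufp += string_size;
+space_left -= string_size;
+if (space_left <= 1)
+return (buf); /* only enough room left for NUL, if that */
+string_size = strlcpy(bufp, lp->s, space_left);
+if (string_size >= space_left)
+return (buf); /* we ran out of room */
+bufp += string_size;
+space_left -= string_size;
 sepstr = sep;
 break;
 }
@@ -549,7 +562,7 @@ bittok2str_internal(register const struct tok *lp, register const char *fmt,
 lp++;
 }
 
-if (buflen == 0)
+if (bufp == buf)
 /* bummer - lets print the "unknown" message as advised in the fmt string if we got one */
 (void)snprintf(buf, sizeof(buf), fmt == NULL ? "#%08x" : fmt, v);
 return (buf);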
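Review bot: The truncation paths added in the second hunk return silently, so a caller cannot distinguish a complete bitmask string from one cut off at the 1024-byte limit; the function deserves a header comment making that contract explicit, e.g. `/* Returns a static, NUL-terminated buffer of at most 1024 characters; output that does not fit is truncated, not reported. */`. The sep-then-token append sequence (check space, strlcpy, compare, advance) is written out twice back to back; a small static helper that takes the cursor and remaining space by pointer and reports whether the piece fit would halve it and keep the two copies from drifting apart. strlcpy is not ISO C, so this presumably relies on the project's compatibility implementation on platforms that lack it — worth confirming the build includes it everywhere bittok2str_internal is compiled. bittok2str_internal spans all three hunks and its closing brace lies after the last one.
```c
/* Append s at *bufp; returns 0 if it did not fit (buffer stays NUL-terminated). */
static int
append_tok(char **bufp, size_t *space_left, const char *s)
{
	size_t string_size;

	if (*space_left <= 1)
		return 0;	/* only enough room left for NUL, if that */
	string_size = strlcpy(*bufp, s, *space_left);
	if (string_size >= *space_left)
		return 0;	/* we ran out of room */
	*bufp += string_size;
	*space_left -= string_size;
	return 1;
}

/* … unchanged: bittok2str_internal prologue and the bit-rotation loop … */
			/* ok we have found something */
			if (!append_tok(&bufp, &space_left, sepstr) ||
			    !append_tok(&bufp, &space_left, lp->s))
				return (buf);
			sepstr = sep;
```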
