Skip to content
Permalink
Browse files Browse the repository at this point in the history
(for 4.9.3) VRRP: Add a missing bounds check
In vrrp_print().

This fixes a buffer over-read discovered by Konrad Rieck and
Bhargava Shastry.

Add a test using the capture file supplied by the reporter(s)
restricted to VRRP packets.
  • Loading branch information
fxlb committed Aug 18, 2019
1 parent 09192e0 commit a152aeb
Show file tree
Hide file tree
Showing 4 changed files with 24 additions and 1 deletion.
4 changes: 3 additions & 1 deletion print-vrrp.c
Expand Up @@ -152,9 +152,11 @@ vrrp_print(netdissect_options *ndo,
if (version == 3 && ND_TTEST2(bp[0], len)) {
uint16_t cksum = nextproto4_cksum(ndo, (const struct ip *)bp2, bp,
len, len, IPPROTO_VRRP);
if (cksum)
if (cksum) {
ND_TCHECK_16BITS(&bp[6]);
ND_PRINT((ndo, ", (bad vrrp cksum %x)",
EXTRACT_16BITS(&bp[6])));
}
}

ND_PRINT((ndo, ", addrs"));
Expand Down
1 change: 1 addition & 0 deletions tests/TESTLIST
Expand Up @@ -557,6 +557,7 @@ icmp-icmp_print-oobr-1 icmp-icmp_print-oobr-1.pcap icmp-icmp_print-oobr-1.out -v
icmp-icmp_print-oobr-2 icmp-icmp_print-oobr-2.pcap icmp-icmp_print-oobr-2.out -v -c3
rsvp-rsvp_obj_print-oobr rsvp-rsvp_obj_print-oobr.pcap rsvp-rsvp_obj_print-oobr.out -v -c3
vrrp-vrrp_print-oobr vrrp-vrrp_print-oobr.pcap vrrp-vrrp_print-oobr.out -v -c3
vrrp-vrrp_print-oobr-2 vrrp-vrrp_print-oobr-2.pcap vrrp-vrrp_print-oobr-2.out -v
bgp-bgp_capabilities_print-oobr-1 bgp-bgp_capabilities_print-oobr-1.pcap bgp-bgp_capabilities_print-oobr-1.out -v -c1
bgp-bgp_capabilities_print-oobr-2 bgp-bgp_capabilities_print-oobr-2.pcap bgp-bgp_capabilities_print-oobr-2.out -v -c1
# The .pcap file is truncated after the 1st packet.
Expand Down
20 changes: 20 additions & 0 deletions tests/vrrp-vrrp_print-oobr-2.out
@@ -0,0 +1,20 @@
IP (tos 0x2,ECT(0), ttl 35, id 48399, offset 0, flags [+, DF, rsvd], proto VRRP (112), length 39, bad cksum 7f (->c1ae)!)
0.3.2.148 > 54.0.0.16: vrrp 0.3.2.148 > 54.0.0.16: VRRPv3, Advertisement, (ttl 35), vrid 255, prio 17, intvl 269cs, length 19, addrs(3):[|vrrp]
IP (tos 0x2,ECT(0), ttl 35, id 40207, offset 0, flags [+, DF, rsvd], proto VRRP (112), length 39, bad cksum 7e (->e1b5)!)
255.251.2.148 > 54.0.0.16: vrrp 255.251.2.148 > 54.0.0.16: VRRPv3, Advertisement, (ttl 35), vrid 255, prio 17, intvl 2304cs, length 19, addrs(3):[|vrrp]
IP (tos 0x2,ECT(0), ttl 35, id 40207, offset 0, flags [+, DF, rsvd], proto VRRP (112), length 39, bad cksum 597f (->e1ae)!)
0.3.2.148 > 54.0.0.16: vrrp 0.3.2.148 > 54.0.0.16: VRRPv3, Advertisement, (ttl 35), vrid 255, prio 17, intvl 256cs, length 19, addrs(3):[|vrrp]
IP (tos 0x2,ECT(0), ttl 35, id 40207, offset 0, flags [+, DF, rsvd], proto VRRP (112), length 39, bad cksum 7f (->e154)!)
0.3.2.148 > 54.90.0.16: vrrp 0.3.2.148 > 54.90.0.16: VRRPv3, Advertisement, (ttl 35), vrid 255, prio 17, intvl 256cs, length 19, addrs(3):[|vrrp]
IP (tos 0x2,ECT(0), ttl 35, id 40207, offset 0, flags [+, DF, rsvd], proto VRRP (112), length 39, bad cksum 7f (->e1ae)!)
0.3.2.148 > 54.0.0.16: vrrp 0.3.2.148 > 54.0.0.16: VRRPv3, Advertisement, (ttl 35), vrid 0, prio 4, intvl 2304cs, length 19, addrs:
IP (tos 0x2,ECT(0), ttl 35, id 48399, offset 0, flags [+, DF, rsvd], proto VRRP (112), length 39, bad cksum 7f (->c1ae)!)
0.3.2.148 > 54.0.0.16: vrrp 0.3.2.148 > 54.0.0.16: VRRPv3, Advertisement, (ttl 35), vrid 255, prio 17, intvl 256cs, length 19, addrs(3):[|vrrp]
IP (tos 0x2,ECT(0), ttl 35, id 40207, offset 0, flags [+, DF, rsvd], proto VRRP (112), length 39, bad cksum 7f (->e1ae)!)
0.3.2.148 > 54.0.0.16: vrrp 0.3.2.148 > 54.0.0.16: VRRPv3, Advertisement, (ttl 35), vrid 255, prio 17, intvl 256cs, length 19, addrs(3):[|vrrp]
IP (tos 0x2,ECT(0), ttl 34, id 40207, offset 0, flags [+, DF, rsvd], proto VRRP (112), length 27, bad cksum 7f (->e260)!)
0.3.2.148 > 54.90.0.16: vrrp 0.3.2.148 > 54.90.0.16: VRRPv3, Advertisement, (ttl 34), vrid 255, prio 17, intvl 256cs, length 7[|vrrp]
IP (tos 0x2,ECT(0), ttl 35, id 40207, offset 0, flags [+, DF, rsvd], proto VRRP (112), length 39, bad cksum 7f (->17af)!)
0.3.2.148 > 0.0.0.16: vrrp 0.3.2.148 > 0.0.0.16: VRRPv3, Advertisement, (ttl 35), vrid 0, prio 4, intvl 2304cs, length 19, addrs:
IP (tos 0x2,ECT(0), ttl 35, id 48399, offset 0, flags [+, DF, rsvd], proto VRRP (112), length 39, bad cksum 7f (->2e8a)!)
242.242.242.242 > 242.242.242.242: vrrp 242.242.242.242 > 242.242.242.242: VRRPv15, unknown type (2), (ttl 35)
Binary file added tests/vrrp-vrrp_print-oobr-2.pcap
Binary file not shown.

0 comments on commit a152aeb

Please sign in to comment.