
Commit a77ff09

guyharris authored and infrastation committed
CVE-2017-13027/LLDP: Fix a bounds check.
The total length of the OID is the OID length plus the length of the OID length itself. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
1 parent b20e163 commit a77ff09

4 files changed

+10
-1
lines changed


Diff for: print-lldp.c

+1-1
@@ -1401,7 +1401,7 @@ lldp_mgmt_addr_tlv_print(netdissect_options *ndo,
14011401
if (tlen) {
14021402
oid_len = *tptr;
14031403

1404-
if (tlen < oid_len) {
1404+
if (tlen < 1U + oid_len) {
14051405
return 0;
14061406
}
14071407
if (oid_len) {
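
Review bot: the `1U` in `if (tlen < 1U + oid_len)` is unexplained in the code itself, so a later cleanup could easily "simplify" it back to the old comparison. Add a one-line comment above the check saying that the extra octet is the OID-length field just read by `oid_len = *tptr`. Alternatively, step past that length octet and decrement `tlen` before comparing, so the check stays `tlen < oid_len` against the bytes that actually remain. The declarations of `tlen` and `oid_len` are outside this hunk; it is worth confirming that both are unsigned so the mixed comparison with `1U` behaves as intended.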

Diff for: tests/TESTLIST

+1
@@ -532,6 +532,7 @@ isis_stlv_asan isis_stlv_asan.pcap isis_stlv_asan.out -v
532532
isis_stlv_asan-2 isis_stlv_asan-2.pcap isis_stlv_asan-2.out -v
533533
isis_stlv_asan-3 isis_stlv_asan-3.pcap isis_stlv_asan-3.out -v
534534
isis_stlv_asan-4 isis_stlv_asan-4.pcap isis_stlv_asan-4.out -v
535+
lldp_mgmt_addr_tlv_asan lldp_mgmt_addr_tlv_asan.pcap lldp_mgmt_addr_tlv_asan.out -v
535536

536537
# RTP tests
537538
# fuzzed pcap
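
Review bot: the new `lldp_mgmt_addr_tlv_asan` entry is appended directly after the `isis_stlv_asan-*` block with no comment, and nothing in its name or in this file ties it to CVE-2017-13027. Nearby groups carry a heading such as `# RTP tests`; a short comment line above the entry naming the CVE (or the reporter's issue) would make the regression test traceable from the test list without going through the commit log.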

Diff for: tests/lldp_mgmt_addr_tlv_asan.out

+8
@@ -0,0 +1,8 @@
1+
LLDP, length 1048572
2+
Management Address TLV (8), length 15
3+
Management Address length 6, AFI Reserved (0), no AF printer !
4+
Unknown Interface Numbering (10): 666137427
5+
[|LLDP]
6+
00:00:00:a0:d4:c3 > 06:04:e8:03:00:02, ethertype Unknown (0xb2a1), length 58785857:
7+
0x0000: 0200 efff e5ff 804f 006e 0026 0000 0000 .......O.n.&....
8+
0x0010: 01 .
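
Review bot: the expected output stops the LLDP dissection at `[|LLDP]`, which pins the early-return path, but the test compares printed text only, and a short over-read does not necessarily change what is printed. Note in the test list or the test documentation that this case is meant to be run under a sanitizer build (the `_asan` suffix suggests that is how it was found), otherwise a regression of the bounds check could still pass. The packet lengths in lines 1 and 6 (`1048572`, `58785857`) come from the hand-modified capture mentioned in the commit message; a brief note on what was modified would help anyone who has to regenerate the `.out` file.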

Diff for: tests/lldp_mgmt_addr_tlv_asan.pcap

118 Bytes
Binary file not shown.
