CVE-2017-13027/LLDP: Fix a bounds check.

The total length of the OID is the OID length plus the length of the OID length itself. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
the-tcpdump-group · Sep 13, 2017 · a77ff09 · a77ff09
1 parent b20e163
commit a77ff09
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 1 deletion.
diff --git a/print-lldp.c b/print-lldp.c
@@ -1401,7 +1401,7 @@ lldp_mgmt_addr_tlv_print(netdissect_options *ndo,
     if (tlen) {
         oid_len = *tptr;
 
-        if (tlen < oid_len) {
+        if (tlen < 1U + oid_len) {
             return 0;
         }
         if (oid_len) {

diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -532,6 +532,7 @@ isis_stlv_asan		isis_stlv_asan.pcap		isis_stlv_asan.out	-v
 isis_stlv_asan-2	isis_stlv_asan-2.pcap		isis_stlv_asan-2.out	-v
 isis_stlv_asan-3	isis_stlv_asan-3.pcap		isis_stlv_asan-3.out	-v
 isis_stlv_asan-4	isis_stlv_asan-4.pcap		isis_stlv_asan-4.out	-v
+lldp_mgmt_addr_tlv_asan	lldp_mgmt_addr_tlv_asan.pcap	lldp_mgmt_addr_tlv_asan.out	-v
 
 # RTP tests
 # fuzzed pcap

diff --git a/tests/lldp_mgmt_addr_tlv_asan.out b/tests/lldp_mgmt_addr_tlv_asan.out
@@ -0,0 +1,8 @@
+LLDP, length 1048572
+	Management Address TLV (8), length 15
+	  Management Address length 6, AFI Reserved (0), no AF printer !
+	  Unknown Interface Numbering (10): 666137427
+	[|LLDP]
+00:00:00:a0:d4:c3 > 06:04:e8:03:00:02, ethertype Unknown (0xb2a1), length 58785857: 
+	0x0000:  0200 efff e5ff 804f 006e 0026 0000 0000  .......O.n.&....
+	0x0010:  01                                       .
diff --git a/tests/lldp_mgmt_addr_tlv_asan.pcap b/tests/lldp_mgmt_addr_tlv_asan.pcap