CVE-2017-13027/LLDP: Fix a bounds check.
The total length of the OID is the OID length plus the length of the OID
length itself.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
guyharris authored and infrastation committed Sep 13, 2017
1 parent b20e163 commit a77ff09
Showing 4 changed files with 10 additions and 1 deletion.
2 changes: 1 addition & 1 deletion print-lldp.c
Expand Up @@ -1401,7 +1401,7 @@ lldp_mgmt_addr_tlv_print(netdissect_options *ndo,
if (tlen) {
oid_len = *tptr;

if (tlen < oid_len) {
if (tlen < 1U + oid_len) {
return 0;
}
if (oid_len) {
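Review bot: The `1U` in `if (tlen < 1U + oid_len)` carries no comment, so the reason for the extra octet is recorded only in the commit message. A short comment above the check, saying that `tlen` must cover the OID length octet as well as the OID bytes, would keep a later cleanup from reverting it to `tlen < oid_len`. It is also worth confirming that the byte read by `oid_len = *tptr` is covered by a captured-length check earlier in the function: `if (tlen)` only tests the remaining declared TLV length, and no such check is visible in this hunk.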
1 change: 1 addition & 0 deletions tests/TESTLIST
Expand Up @@ -532,6 +532,7 @@ isis_stlv_asan isis_stlv_asan.pcap isis_stlv_asan.out -v
isis_stlv_asan-2 isis_stlv_asan-2.pcap isis_stlv_asan-2.out -v
isis_stlv_asan-3 isis_stlv_asan-3.pcap isis_stlv_asan-3.out -v
isis_stlv_asan-4 isis_stlv_asan-4.pcap isis_stlv_asan-4.out -v
lldp_mgmt_addr_tlv_asan lldp_mgmt_addr_tlv_asan.pcap lldp_mgmt_addr_tlv_asan.out -v

# RTP tests
# fuzzed pcap
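Review bot: The new `lldp_mgmt_addr_tlv_asan` entry is appended directly to the `isis_stlv_asan` run with no separator or comment, so it reads as part of the IS-IS group. Consider a blank line and a one-line comment before it (the file already uses comments such as `# RTP tests`) so the LLDP case is easy to locate.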
8 changes: 8 additions & 0 deletions tests/lldp_mgmt_addr_tlv_asan.out
@@ -0,0 +1,8 @@
LLDP, length 1048572
Management Address TLV (8), length 15
Management Address length 6, AFI Reserved (0), no AF printer !
Unknown Interface Numbering (10): 666137427
[|LLDP]
00:00:00:a0:d4:c3 > 06:04:e8:03:00:02, ethertype Unknown (0xb2a1), length 58785857:
0x0000: 0200 efff e5ff 804f 006e 0026 0000 0000 .......O.n.&....
0x0010: 01 .
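Review bot: The lengths in this expected output (`LLDP, length 1048572` and `length 58785857` on the second frame) come from a capture that the commit message says was modified, but nothing records what was changed. Suggest stating the modification in the commit message or beside the test entry, so the capture can be regenerated from the reporter's original if the expected output ever needs to be re-derived.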
Binary file added tests/lldp_mgmt_addr_tlv_asan.pcap
Binary file not shown.
