CVE-2017-13027/LLDP: Fix a bounds check.

The total length of the OID is the OID length plus the length of the OID
length itself.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
guyharris authored and infrastation committed Mar 22, 2017
1 parent b20e163 commit a77ff09c46560bc895dea11dc9fe643486b056ac
Showing with 10 additions and 1 deletion.
  1. +1 −1 print-lldp.c
  2. +1 −0 tests/TESTLIST
  3. +8 −0 tests/lldp_mgmt_addr_tlv_asan.out
  4. BIN tests/lldp_mgmt_addr_tlv_asan.pcap
@@ -1401,7 +1401,7 @@ lldp_mgmt_addr_tlv_print(netdissect_options *ndo,
if (tlen) {
oid_len = *tptr;

if (tlen < oid_len) {
if (tlen < 1U + oid_len) {
return 0;
}
if (oid_len) {
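Review bot: the corrected comparison `if (tlen < 1U + oid_len) {` has no comment saying that the extra 1 is the OID length octet just read by `oid_len = *tptr;`, which is the detail the old `tlen < oid_len` test missed. A one-line comment above the check stating that the length octet plus the OID string must both fit in the remaining `tlen` would keep a later cleanup from dropping the `1U` again.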
@@ -532,6 +532,7 @@ isis_stlv_asan isis_stlv_asan.pcap isis_stlv_asan.out -v
isis_stlv_asan-2 isis_stlv_asan-2.pcap isis_stlv_asan-2.out -v
isis_stlv_asan-3 isis_stlv_asan-3.pcap isis_stlv_asan-3.out -v
isis_stlv_asan-4 isis_stlv_asan-4.pcap isis_stlv_asan-4.out -v
lldp_mgmt_addr_tlv_asan lldp_mgmt_addr_tlv_asan.pcap lldp_mgmt_addr_tlv_asan.out -v

# RTP tests
# fuzzed pcap
@@ -0,0 +1,8 @@
LLDP, length 1048572
Management Address TLV (8), length 15
Management Address length 6, AFI Reserved (0), no AF printer !
Unknown Interface Numbering (10): 666137427
[|LLDP]
00:00:00:a0:d4:c3 > 06:04:e8:03:00:02, ethertype Unknown (0xb2a1), length 58785857:
0x0000: 0200 efff e5ff 804f 006e 0026 0000 0000 .......O.n.&....
0x0010: 01 .
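Review bot: the expected output ends the Management Address TLV at `[|LLDP]`, so this test only exercises the path where the new check returns 0. Consider adding a second capture in which the remaining TLV length is exactly one octet more than the OID length, so that the boundary case that must still be accepted and printed is covered as well.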
Binary file not shown.