Commit aa08581

CVE-2017-13049/Rx: add a missing bounds check for Ubik
One of the case blocks in ubik_print() didn't check bounds before fetching 32 bits of packet data and could overread past the captured packet data by that amount. This fixes a buffer over-read discovered by Henri Salo from Nixu Corporation. Add a test using the capture file supplied by the reporter(s).
1 parent d515b4b commit aa08581

4 files changed

+5
-0
lines changed

Diff for: print-rx.c

+1
@@ -2577,6 +2577,7 @@ ubik_print(netdissect_options *ndo,
25772577
INTOUT();
25782578
ND_PRINT((ndo, " length"));
25792579
INTOUT();
2580+
ND_TCHECK_32BITS(bp);
25802581
temp = EXTRACT_32BITS(bp);
25812582
bp += sizeof(int32_t);
25822583
tok2str(ubik_lock_types, "type %d", temp);
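
Review bot: the last context line of this hunk, `tok2str(ubik_lock_types, "type %d", temp);`, discards its return value as shown, so the lock type that the new `ND_TCHECK_32BITS(bp)` guards is fetched but never printed. Consider passing the result to ND_PRINT, for example `ND_PRINT((ndo, " %s", tok2str(ubik_lock_types, "type %d", temp)));`, in this change or a follow-up. The placement of the check itself is right: it sits directly before the `EXTRACT_32BITS(bp)` it covers.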

Diff for: tests/TESTLIST

+3
@@ -573,6 +573,9 @@ mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
573573
mptcp-dss-oobr mptcp-dss-oobr.pcap mptcp-dss-oobr.out -v
574574
icmp6_nodeinfo_oobr icmp6_nodeinfo_oobr.pcap icmp6_nodeinfo_oobr.out
575575

576+
# bad packets from Henri Salo
577+
rx_ubik-oobr rx_ubik-oobr.pcap rx_ubik-oobr.out -c1
578+
576579
# RTP tests
577580
# fuzzed pcap
578581
rtp-seg-fault-1 rtp-seg-fault-1.pcap rtp-seg-fault-1.out -v -T rtp
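
Review bot: the added comment `# bad packets from Henri Salo` names neither the CVE nor the dissector, so this entry will be hard to trace back to the fix later. Consider mentioning CVE-2017-13049 and ubik_print() in the comment. The entry also runs with `-c1`, which stops after the first packet of the capture; a word on why only that packet is needed would help the next person who touches the test.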

Diff for: tests/rx_ubik-oobr.out

+1
@@ -0,0 +1 @@
1+
IP truncated-ip - 2598 bytes missing! 222.241.104.198.3503 > 131.63.241.146.7002: rx data pt ubik call disk-lock tid 50266112.32382 file 2122216448 pos 545160708 length 1087685554 [|ubik] (2632)

Diff for: tests/rx_ubik-oobr.pcap

329 Bytes
Binary file not shown.
