CVE-2017-13049/Rx: add a missing bounds check for Ubik

One of the case blocks in ubik_print() didn't check bounds before
fetching 32 bits of packet data and could overread past the captured
packet data by that amount.

This fixes a buffer over-read discovered by Henri Salo from Nixu
Corporation.

Add a test using the capture file supplied by the reporter(s).
infrastation committed Sep 13, 2017
1 parent d515b4b commit aa08581
Showing 4 changed files with 5 additions and 0 deletions.
1 change: 1 addition & 0 deletions print-rx.c
Expand Up @@ -2577,6 +2577,7 @@ ubik_print(netdissect_options *ndo,
INTOUT();
ND_PRINT((ndo, " length"));
INTOUT();
ND_TCHECK_32BITS(bp);
temp = EXTRACT_32BITS(bp);
bp += sizeof(int32_t);
tok2str(ubik_lock_types, "type %d", temp);
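
Review bot: the context line `tok2str(ubik_lock_types, "type %d", temp);` directly after the new check discards its return value, so the lock type that is now bounds-checked and extracted into `temp` is never printed. tok2str() returns the string rather than printing it; wrap the call, for example `ND_PRINT((ndo, " %s", tok2str(ubik_lock_types, "type %d", temp)));`, or drop the fetch if the field is not meant to be shown. The added `ND_TCHECK_32BITS(bp)` itself sits in the right place, immediately before the `EXTRACT_32BITS(bp)` it guards.
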
3 changes: 3 additions & 0 deletions tests/TESTLIST
Expand Up @@ -573,6 +573,9 @@ mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
mptcp-dss-oobr mptcp-dss-oobr.pcap mptcp-dss-oobr.out -v
icmp6_nodeinfo_oobr icmp6_nodeinfo_oobr.pcap icmp6_nodeinfo_oobr.out

# bad packets from Henri Salo
rx_ubik-oobr rx_ubik-oobr.pcap rx_ubik-oobr.out -c1

# RTP tests
# fuzzed pcap
rtp-seg-fault-1 rtp-seg-fault-1.pcap rtp-seg-fault-1.out -v -T rtp
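
Review bot: the new section comment `# bad packets from Henri Salo` names only the reporter, so the `rx_ubik-oobr` entry cannot be traced back to the fix from TESTLIST alone. Consider adding the CVE ID from the commit title (CVE-2017-13049) to the comment, and a word on why the entry needs `-c1`, since the neighbouring entries do not use it.
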
1 change: 1 addition & 0 deletions tests/rx_ubik-oobr.out
@@ -0,0 +1 @@
IP truncated-ip - 2598 bytes missing! 222.241.104.198.3503 > 131.63.241.146.7002: rx data pt ubik call disk-lock tid 50266112.32382 file 2122216448 pos 545160708 length 1087685554 [|ubik] (2632)
Binary file added tests/rx_ubik-oobr.pcap
Binary file not shown.
