
CVE-2017-13049/Rx: add a missing bounds check for Ubik

One of the case blocks in ubik_print() didn't check bounds before
fetching 32 bits of packet data and could overread past the captured
packet data by that amount.

This fixes a buffer over-read discovered by Henri Salo from Nixu
Corporation.

Add a test using the capture file supplied by the reporter(s).
infrastation committed Aug 4, 2017
1 parent d515b4b commit aa0858100096a3490edf93034a80e66a4d61aad5
Showing with 5 additions and 0 deletions.
  1. +1 −0 print-rx.c
  2. +3 −0 tests/TESTLIST
  3. +1 −0 tests/rx_ubik-oobr.out
  4. BIN tests/rx_ubik-oobr.pcap
print-rx.c
@@ -2577,6 +2577,7 @@ ubik_print(netdissect_options *ndo,
INTOUT();
ND_PRINT((ndo, " length"));
INTOUT();
ND_TCHECK_32BITS(bp);
temp = EXTRACT_32BITS(bp);
bp += sizeof(int32_t);
tok2str(ubik_lock_types, "type %d", temp);
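Review bot: the tok2str(ubik_lock_types, "type %d", temp) call on the last line of this hunk discards its return value, so the lock type that the ND_TCHECK_32BITS(bp) and EXTRACT_32BITS(bp) lines now fetch safely is never printed. Consider passing it to the printer, for example ND_PRINT((ndo, " %s", tok2str(ubik_lock_types, "type %d", temp)));. The new bounds check sits directly before the fetch it guards, which is the right place for it.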
tests/TESTLIST
@@ -573,6 +573,9 @@ mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
mptcp-dss-oobr mptcp-dss-oobr.pcap mptcp-dss-oobr.out -v
icmp6_nodeinfo_oobr icmp6_nodeinfo_oobr.pcap icmp6_nodeinfo_oobr.out
# bad packets from Henri Salo
rx_ubik-oobr rx_ubik-oobr.pcap rx_ubik-oobr.out -c1
# RTP tests
# fuzzed pcap
rtp-seg-fault-1 rtp-seg-fault-1.pcap rtp-seg-fault-1.out -v -T rtp
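Review bot: the comment above the new rx_ubik-oobr entry names only the reporter, so nothing in TESTLIST ties this regression test to CVE-2017-13049 or to ubik_print(). Consider extending the comment to mention the CVE, which makes it easier to find the test for this fix later. The -c1 option limits the run to the first packet of the capture, which matches the single line in rx_ubik-oobr.out.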
tests/rx_ubik-oobr.out
@@ -0,0 +1 @@
IP truncated-ip - 2598 bytes missing! 222.241.104.198.3503 > 131.63.241.146.7002: rx data pt ubik call disk-lock tid 50266112.32382 file 2122216448 pos 545160708 length 1087685554 [|ubik] (2632)
tests/rx_ubik-oobr.pcap
Binary file not shown.
