
Commit aa3e54f

infrastationfxlb authored and committed
(for 4.9.3) CVE-2018-14468/FRF.16: Add a missing length check.
The specification says in a well-formed Magic Number information element the data is exactly 4 bytes long. In mfr_print() check this before trying to read those 4 bytes. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
1 parent 05a303c commit aa3e54f
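The bug and the fix described in the commit message, as an added example that is not tcpdump's code and not part of this commit: a small IE walker over a constructed FRF.16 control message. The `checked` flag switches between the pre-fix behaviour (read 4 bytes as soon as the IE type matches) and the fixed behaviour (require the IE data to be exactly 4 bytes first). The packet bytes, the constants (type 3 for Magic Number, as the test output `IE Magic Number (3)` shows; a 2-byte IE header whose length field covers the header) and all function names are assumptions made for this example; the short IE is followed by a sentinel byte outside the declared capture length so the over-read can be observed without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed FRF.16 IE layout for this example: one byte type, one byte
 * length (the length covers this 2-byte header), then the data. */
#define MFR_CTRL_IE_MAGIC_NUM 3
#define IE_HDR_LEN            2
#define MAGIC_DATA_LEN        4

enum mfr_status {
    MFR_OK = 0,        /* magic number read */
    MFR_TRUNCATED,     /* IE runs past the bytes we actually hold */
    MFR_BAD_IE_LEN,    /* IE length smaller than its own header */
    MFR_INVALID_LEN,   /* magic IE whose data is not exactly 4 bytes */
    MFR_NO_MAGIC       /* walked every IE, none was a magic number */
};

static uint32_t extract_32bits(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk the IEs in pkt[0..caplen) and return the first magic number.
 * checked == 0 reproduces the pre-fix logic: the 4-byte read happens as
 * soon as the type matches, even when the IE carries fewer data bytes.
 * checked != 0 adds the exact-length test that the commit introduces. */
static enum mfr_status mfr_find_magic(const uint8_t *pkt, size_t caplen,
                                      int checked, uint32_t *magic)
{
    const uint8_t *p = pkt, *end = pkt + caplen;

    while ((size_t)(end - p) >= IE_HDR_LEN) {
        uint8_t ie_type = p[0];
        uint8_t ie_len  = p[1];

        if (ie_len < IE_HDR_LEN)                    /* would never advance */
            return MFR_BAD_IE_LEN;
        if ((size_t)(end - p) < (size_t)ie_len)     /* caplen guard on the whole IE */
            return MFR_TRUNCATED;

        const uint8_t *data = p + IE_HDR_LEN;
        size_t data_len = ie_len - IE_HDR_LEN;

        if (ie_type == MFR_CTRL_IE_MAGIC_NUM) {
            if (checked && data_len != MAGIC_DATA_LEN)
                return MFR_INVALID_LEN;
            /* Unchecked with data_len == 3: this reads one byte past caplen. */
            *magic = extract_32bits(data);
            return MFR_OK;
        }
        p += ie_len;
    }
    return MFR_NO_MAGIC;
}

/* Constructed inputs (not the reporter's capture). */
static const uint8_t good_pkt[]  = { 0x03, 0x06, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t multi_pkt[] = { 0x01, 0x04, 0x00, 0x00,             /* some other IE */
                                     0x03, 0x06, 0x01, 0x02, 0x03, 0x04 }; /* then the magic */
/* Magic IE with only 3 data bytes; the 0xEE sentinel sits beyond SHORT_CAPLEN. */
static const uint8_t short_pkt[] = { 0x03, 0x05, 0xDE, 0xAD, 0xBE, 0xEE };
#define SHORT_CAPLEN 5

static uint32_t checked_read_of_good(void)
{
    uint32_t m = 0;
    return mfr_find_magic(good_pkt, sizeof good_pkt, 1, &m) == MFR_OK ? m : 0;
}

static uint32_t checked_read_of_multi(void)
{
    uint32_t m = 0;
    return mfr_find_magic(multi_pkt, sizeof multi_pkt, 1, &m) == MFR_OK ? m : 0;
}

/* What the old logic returns for the short IE: the sentinel byte leaks in. */
static uint32_t unchecked_read_of_short_ie(void)
{
    uint32_t m = 0;
    mfr_find_magic(short_pkt, SHORT_CAPLEN, 0, &m);
    return m;
}

static enum mfr_status checked_status_of_short_ie(void)
{
    uint32_t m = 0;
    return mfr_find_magic(short_pkt, SHORT_CAPLEN, 1, &m);
}

int main(void)
{
    printf("good, checked:    0x%08x\n", checked_read_of_good());
    printf("multi, checked:   0x%08x\n", checked_read_of_multi());
    printf("short, unchecked: 0x%08x (last byte came from past caplen)\n",
           unchecked_read_of_short_ie());
    printf("short, checked:   status %d (invalid length)\n",
           (int)checked_status_of_short_ie());
    return 0;
}
```

The point the walker makes is the same as the diff: the caplen guard only promises that `ie_len` bytes are readable, while `extract_32bits` always consumes 4, so a 3-byte magic IE passes the bounds check and still reads one byte past the end. Rejecting any data length other than 4 before the read, rather than clamping or padding, is the right shape for a dissector, because a Magic Number of any other size is not a valid element to print.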

4 files changed, +8 -0 lines


Diff for: print-fr.c

+5
Original file line number | Diff line number | Diff line change
@@ -493,6 +493,11 @@ mfr_print(netdissect_options *ndo,
493493
switch (ie_type) {
494494

495495
case MFR_CTRL_IE_MAGIC_NUM:
496+
/* FRF.16.1 Section 3.4.3 Magic Number Information Element */
497+
if (ie_len != 4) {
498+
ND_PRINT((ndo, "(invalid length)"));
499+
break;
500+
}
496501
ND_PRINT((ndo, "0x%08x", EXTRACT_32BITS(tptr)));
497502
break;
498503
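
Review bot: the guard `if (ie_len != 4)` assumes that `ie_len` at this point is the IE data length with the 2-byte header already subtracted, which is what the commit message's "the data is exactly 4 bytes long" implies; if `ie_len` still includes the header, a well-formed Magic Number element would now print "(invalid length)", so confirm this against the code above the switch and extend the FRF.16.1 comment to say which length it is. Also, `EXTRACT_32BITS(tptr)` reads 4 bytes regardless of what the earlier bounds check covered, which is exactly the over-read being fixed; if other fixed-size IE cases in this switch call `EXTRACT_*` the same way, they need the same exact-length check, and a short comment that the length test is what makes the read safe would help the next reader.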

Diff for: tests/TESTLIST

+1
Original file line number | Diff line number | Diff line change
@@ -572,6 +572,7 @@ olsr-oobr-2 olsr-oobr-2.pcap olsr-oobr-2.out -v
572572
ikev1_id_ipv6_addr_subnet-oobr ikev1_id_ipv6_addr_subnet-oobr.pcap ikev1_id_ipv6_addr_subnet-oobr.out -v
573573
isakmp-various-oobr isakmp-various-oobr.pcap isakmp-various-oobr.out -v
574574
aoe-oobr-1 aoe-oobr-1.pcap aoe-oobr-1.out -v -c1
575+
frf16_magic_ie-oobr frf16_magic_ie-oobr.pcap frf16_magic_ie-oobr.out -v -c1
575576

576577
# bad packets from Katie Holly
577578
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
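
Review bot: the new `frf16_magic_ie-oobr` entry is appended to a group that carries no reporter comment within this hunk, while the group right after it is labelled `# bad packets from Katie Holly`; if the preceding `olsr-oobr-2` to `aoe-oobr-1` entries are not from the same reporter, add a comment line in that style above the new test so the credit given in the commit message is also visible in TESTLIST. The `-v -c1` flags match the neighbouring `aoe-oobr-1` entry, which is consistent.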

Diff for: tests/frf16_magic_ie-oobr.out

+2
Original file line number | Diff line number | Diff line change
@@ -0,0 +1,2 @@
1+
FRF.16 Control, Flags [Begin, End, Control], Unknown Message (0x00), length 3714318497
2+
IE Magic Number (3), length 3: (invalid length)[|mfr]
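
Review bot: the expected output ends with `[|mfr]` immediately after `(invalid length)`, so the dissector still hits a truncation check after the new `break`, and the first line pins `length 3714318497`, which is the raw control-message length field printed without any comparison against the captured size of this 124-byte file. Both are acceptable for a regression test, but the .out file now codifies them alongside the fix, so a later change to either will churn this expected output; a sentence in the commit message saying the `[|mfr]` tail is intended would make that explicit.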

Diff for: tests/frf16_magic_ie-oobr.pcap

124 Bytes
Binary file not shown.
