(for 4.9.3) CVE-2018-14468/FRF.16: Add a missing length check.

The specification says in a well-formed Magic Number information element the data is exactly 4 bytes long. In mfr_print() check this before trying to read those 4 bytes. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
the-tcpdump-group · Aug 18, 2019 · aa3e54f · aa3e54f
1 parent 05a303c
commit aa3e54f
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 0 deletions.
diff --git a/print-fr.c b/print-fr.c
@@ -493,6 +493,11 @@ mfr_print(netdissect_options *ndo,
             switch (ie_type) {
 
             case MFR_CTRL_IE_MAGIC_NUM:
+                /* FRF.16.1 Section 3.4.3 Magic Number Information Element */
+                if (ie_len != 4) {
+                    ND_PRINT((ndo, "(invalid length)"));
+                    break;
+                }
                 ND_PRINT((ndo, "0x%08x", EXTRACT_32BITS(tptr)));
                 break;
 

diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -572,6 +572,7 @@ olsr-oobr-2		olsr-oobr-2.pcap		olsr-oobr-2.out	-v
 ikev1_id_ipv6_addr_subnet-oobr	ikev1_id_ipv6_addr_subnet-oobr.pcap	ikev1_id_ipv6_addr_subnet-oobr.out	-v
 isakmp-various-oobr	isakmp-various-oobr.pcap	isakmp-various-oobr.out	-v
 aoe-oobr-1		aoe-oobr-1.pcap			aoe-oobr-1.out	-v -c1
+frf16_magic_ie-oobr	frf16_magic_ie-oobr.pcap	frf16_magic_ie-oobr.out	-v -c1
 
 # bad packets from Katie Holly
 mlppp-oobr		mlppp-oobr.pcap			mlppp-oobr.out

diff --git a/tests/frf16_magic_ie-oobr.out b/tests/frf16_magic_ie-oobr.out
@@ -0,0 +1,2 @@
+FRF.16 Control, Flags [Begin, End, Control], Unknown Message (0x00), length 3714318497
+	IE Magic Number (3), length 3: (invalid length)[|mfr]
diff --git a/tests/frf16_magic_ie-oobr.pcap b/tests/frf16_magic_ie-oobr.pcap