
Commit aa5c6b7

committed
(for 4.9.3) CVE-2018-14461/LDP: Fix a bounds check
In ldp_tlv_print(), the FT Session TLV length must be 12, not 8 (RFC3479). This fixes a buffer over-read discovered by Konrad Rieck and Bhargava Shastry. Add a test using the capture file supplied by the reporters. Moreover: add and use tstr[]; add a comment.
1 parent 396e94f commit aa5c6b7


4 files changed

+13
-3
lines changed


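--- a/print-ldp.c
+++ b/print-ldp.c
@@ -29,6 +29,8 @@
 #include "l2vpn.h"
 #include "af.h"
 
+static const char tstr[] = " [|LDP]";
+
 /*
 * ldp common header
 *
@@ -486,14 +488,15 @@ ldp_tlv_print(netdissect_options *ndo,
 break;
 
 case LDP_TLV_FT_SESSION:
-TLV_TCHECK(8);
+TLV_TCHECK(12);
 ft_flags = EXTRACT_16BITS(tptr);
 ND_PRINT((ndo, "\n\t Flags: [%sReconnect, %sSave State, %sAll-Label Protection, %s Checkpoint, %sRe-Learn State]",
 ft_flags&0x8000 ? "" : "No ",
 ft_flags&0x8 ? "" : "Don't ",
 ft_flags&0x4 ? "" : "No ",
 ft_flags&0x2 ? "Sequence Numbered Label" : "All Labels",
 ft_flags&0x1 ? "" : "Don't "));
+/* 16 bits (FT Flags) + 16 bits (Reserved) */
 tptr+=4;
 ui = EXTRACT_32BITS(tptr);
 if (ui)
@@ -534,7 +537,7 @@ ldp_tlv_print(netdissect_options *ndo,
 return(tlv_len+4); /* Type & Length fields not included */
 
 trunc:
-ND_PRINT((ndo, "\n\t\t packet exceeded snapshot"));
+ND_PRINT((ndo, "%s", tstr));
 return 0;
 
 badtlv:
@@ -692,7 +695,7 @@ ldp_pdu_print(netdissect_options *ndo,
 }
 return pdu_len+4;
 trunc:
-ND_PRINT((ndo, "\n\t\t packet exceeded snapshot"));
+ND_PRINT((ndo, "%s", tstr));
 return 0;
 }
 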
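Review bot: The new `TLV_TCHECK(12)` in the LDP_TLV_FT_SESSION case gives no hint of where 12 comes from, and the hunk itself only accounts for 8 of those bytes (the 16-bit flags, the 16-bit reserved field and one 32-bit value read into `ui`), so the RFC 3479 rationale from the commit message belongs on the line itself, e.g. `TLV_TCHECK(12); /* FT Session TLV body is 12 bytes (RFC 3479) */`. The expected output added in tests/ldp-ldp_tlv_print-oobr.out shows a TLV declaring `length: 8` being reported with `[|LDP]`, i.e. as a truncated capture; if TLV_TCHECK (defined outside this hunk) also compares against the declared TLV length, a TLV that is shorter than the fixed format is arguably malformed rather than truncated, and the `badtlv` label visible at the end of the third hunk would describe it more accurately — worth confirming which branch the macro takes for that input. ldp_tlv_print starts and ends outside the hunks shown.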

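--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -552,6 +552,7 @@ ospf6_decode_v3_asan ospf6_decode_v3_asan.pcap ospf6_decode_v3_asan.out -v
 ip_ts_opts_asan ip_ts_opts_asan.pcap ip_ts_opts_asan.out -v
 isakmpv1-attr-oobr isakmpv1-attr-oobr.pcap isakmpv1-attr-oobr.out -v
 isakmp-ikev1_n_print-oobr isakmp-ikev1_n_print-oobr.pcap isakmp-ikev1_n_print-oobr.out -v -c3
+ldp-ldp_tlv_print-oobr ldp-ldp_tlv_print-oobr.pcap ldp-ldp_tlv_print-oobr.out -v -c1
 # The .pcap file is truncated after the 1st packet.
 hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1
 hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1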

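--- a/tests/ldp-ldp_tlv_print-oobr.out
+++ b/tests/ldp-ldp_tlv_print-oobr.out
@@ -0,0 +1,6 @@
+IP (tos 0x0, id 4608, offset 0, flags [+, DF, rsvd], proto UDP (17), length 25600, options (EOL), bad cksum 8e (->4023)!)
+24.250.219.0.4098 > 0.0.0.0.646:
+LDP, Label-Space-ID: 0.0.127.255:796, pdu-length: 514
+Address Withdraw Message (0x0301), length: 22, Message ID: 0x00001600, Flags: [ignore if unknown]
+Unknown TLV (0x0404), length: 0, Flags: [ignore and don't forward if unknown]
+Fault-Tolerant Session Parameters TLV (0x0503), length: 8, Flags: [ignore and don't forward if unknown] [|LDP] [|LDP]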

Diff for: tests/ldp-ldp_tlv_print-oobr.pcap

395 Bytes
Binary file not shown.
