(for 4.9.3) CVE-2018-14461/LDP: Fix a bounds check

In ldp_tlv_print(), the FT Session TLV length must be 12, not 8 (RFC3479) This fixes a buffer over-read discovered by Konrad Rieck and Bhargava Shastry. Add a test using the capture file supplied by the reporter(s). Moreover: Add and use tstr[]. Add a comment.
the-tcpdump-group · Aug 18, 2019 · aa5c6b7 · aa5c6b7
1 parent 396e94f
commit aa5c6b7
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 3 deletions.
diff --git a/print-ldp.c b/print-ldp.c
@@ -29,6 +29,8 @@
 #include "l2vpn.h"
 #include "af.h"
 
+static const char tstr[] = " [|LDP]";
+
 /*
  * ldp common header
  *
@@ -486,14 +488,15 @@ ldp_tlv_print(netdissect_options *ndo,
 	break;
 
     case LDP_TLV_FT_SESSION:
-	TLV_TCHECK(8);
+	TLV_TCHECK(12);
 	ft_flags = EXTRACT_16BITS(tptr);
 	ND_PRINT((ndo, "\n\t      Flags: [%sReconnect, %sSave State, %sAll-Label Protection, %s Checkpoint, %sRe-Learn State]",
 	       ft_flags&0x8000 ? "" : "No ",
 	       ft_flags&0x8 ? "" : "Don't ",
 	       ft_flags&0x4 ? "" : "No ",
 	       ft_flags&0x2 ? "Sequence Numbered Label" : "All Labels",
 	       ft_flags&0x1 ? "" : "Don't "));
+	/* 16 bits (FT Flags) + 16 bits (Reserved) */
 	tptr+=4;
 	ui = EXTRACT_32BITS(tptr);
 	if (ui)
@@ -534,7 +537,7 @@ ldp_tlv_print(netdissect_options *ndo,
     return(tlv_len+4); /* Type & Length fields not included */
 
 trunc:
-    ND_PRINT((ndo, "\n\t\t packet exceeded snapshot"));
+    ND_PRINT((ndo, "%s", tstr));
     return 0;
 
 badtlv:
@@ -692,7 +695,7 @@ ldp_pdu_print(netdissect_options *ndo,
     }
     return pdu_len+4;
 trunc:
-    ND_PRINT((ndo, "\n\t\t packet exceeded snapshot"));
+    ND_PRINT((ndo, "%s", tstr));
     return 0;
 }
 

diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -552,6 +552,7 @@ ospf6_decode_v3_asan	ospf6_decode_v3_asan.pcap	ospf6_decode_v3_asan.out -v
 ip_ts_opts_asan		ip_ts_opts_asan.pcap		ip_ts_opts_asan.out	-v
 isakmpv1-attr-oobr	isakmpv1-attr-oobr.pcap		isakmpv1-attr-oobr.out	-v
 isakmp-ikev1_n_print-oobr isakmp-ikev1_n_print-oobr.pcap isakmp-ikev1_n_print-oobr.out -v -c3
+ldp-ldp_tlv_print-oobr ldp-ldp_tlv_print-oobr.pcap ldp-ldp_tlv_print-oobr.out -v -c1
 # The .pcap file is truncated after the 1st packet.
 hncp_dhcpv6data-oobr	hncp_dhcpv6data-oobr.pcap	hncp_dhcpv6data-oobr.out -v -c1
 hncp_dhcpv4data-oobr	hncp_dhcpv4data-oobr.pcap	hncp_dhcpv4data-oobr.out -v -c1

diff --git a/tests/ldp-ldp_tlv_print-oobr.out b/tests/ldp-ldp_tlv_print-oobr.out
@@ -0,0 +1,6 @@
+IP (tos 0x0, id 4608, offset 0, flags [+, DF, rsvd], proto UDP (17), length 25600, options (EOL), bad cksum 8e (->4023)!)
+    24.250.219.0.4098 > 0.0.0.0.646: 
+	LDP, Label-Space-ID: 0.0.127.255:796, pdu-length: 514
+	  Address Withdraw Message (0x0301), length: 22, Message ID: 0x00001600, Flags: [ignore if unknown]
+	    Unknown TLV (0x0404), length: 0, Flags: [ignore and don't forward if unknown]
+	    Fault-Tolerant Session Parameters TLV (0x0503), length: 8, Flags: [ignore and don't forward if unknown] [|LDP] [|LDP]
diff --git a/tests/ldp-ldp_tlv_print-oobr.pcap b/tests/ldp-ldp_tlv_print-oobr.pcap