Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
CVE-2017-13033/VTP: Add more bound and length checks.
This fixes a buffer over-read discovered by Bhargava Shastry. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture. Update another VTP test's .out file for this change. Don't treate a TLV type or length of 0 as invalid; a type of 0 should just be reported as illegal if that type isn't used, and the length is the length of the *value*, not the length of the entire TLV, so if it's zero there won't be an infinite loop. (It's still not *legal*, as the values of all the TLVs we handle are 1 16-bit word long; we added a check for that.) Update some comments while we're at it, to give a new URL for one Cisco page and a non-Cisco URL for another former Cisco page (Cisco's UniverCD pages don't seem to be available any more, and Cisco's robots.txt file didn't allow the Wayback Machine to archive it).
- Loading branch information
1 parent
e0d8ee5
commit ae83295
Showing
5 changed files
with
84 additions
and
64 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,2 @@ | ||
FRF.16 Frag, seq 193, Flags [Begin, End], UI 08! VTPv69, Message Subset advertisement (0x02), length 2126400013 | ||
Domain name: , Seq number: 0, Config Rev fb499603 | ||
VLAN info status Unknown, type TrCRF, VLAN-id 256, MTU 771, SAID 0x03030303, Name ^C^I^C[|vtp] | ||
Domain name: , Seq number: 0, Config Rev fb499603[|vtp] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
FRF.16 Frag, seq 193, Flags [Begin, End], UI 08! VTPv69, Message Subset advertisement (0x02), length 2126400013 | ||
Domain name: , Seq number: 0, Config Rev 4040404[|vtp] |
Binary file not shown.