Skip to content
Permalink
Browse files Browse the repository at this point in the history
CVE-2017-13026/IS-IS: Clean up processing of subTLVs.
Add bounds checks, do a common check to make sure we captured the entire
subTLV, add checks to make sure the subTLV fits within the TLV.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add tests using the capture files supplied by the reporter(s), modified
so the capture files won't be rejected as an invalid capture.

Update existing tests for changes to IS-IS dissector.
  • Loading branch information
guyharris authored and infrastation committed Sep 13, 2017
1 parent 2e1f6d9 commit b20e163
Show file tree
Hide file tree
Showing 13 changed files with 145 additions and 246 deletions.
52 changes: 37 additions & 15 deletions print-isoclns.c
Expand Up @@ -1403,6 +1403,7 @@ isis_print_mt_port_cap_subtlv(netdissect_options *ndo,

while (len > 2)
{
ND_TCHECK2(*tptr, 2);
stlv_type = *(tptr++);
stlv_len = *(tptr++);

Expand All @@ -1415,11 +1416,18 @@ isis_print_mt_port_cap_subtlv(netdissect_options *ndo,
/*len -= TLV_TYPE_LEN_OFFSET;*/
len = len -2;

/* Make sure the subTLV fits within the space left */
if (len < stlv_len)
goto trunc;
/* Make sure the entire subTLV is in the captured data */
ND_TCHECK2(*(tptr), stlv_len);

switch (stlv_type)
{
case ISIS_SUBTLV_SPB_MCID:
{
ND_TCHECK2(*(tptr), ISIS_SUBTLV_SPB_MCID_MIN_LEN);
if (stlv_len < ISIS_SUBTLV_SPB_MCID_MIN_LEN)
goto trunc;

subtlv_spb_mcid = (const struct isis_subtlv_spb_mcid *)tptr;

Expand All @@ -1434,15 +1442,17 @@ isis_print_mt_port_cap_subtlv(netdissect_options *ndo,

/*tptr += SPB_MCID_MIN_LEN;
len -= SPB_MCID_MIN_LEN; */
tptr = tptr + sizeof(struct isis_subtlv_spb_mcid);
len = len - sizeof(struct isis_subtlv_spb_mcid);
tptr = tptr + ISIS_SUBTLV_SPB_MCID_MIN_LEN;
len = len - ISIS_SUBTLV_SPB_MCID_MIN_LEN;
stlv_len = stlv_len - ISIS_SUBTLV_SPB_MCID_MIN_LEN;

break;
}

case ISIS_SUBTLV_SPB_DIGEST:
{
ND_TCHECK2(*(tptr), ISIS_SUBTLV_SPB_DIGEST_MIN_LEN);
if (stlv_len < ISIS_SUBTLV_SPB_DIGEST_MIN_LEN)
goto trunc;

ND_PRINT((ndo, "\n\t RES: %d V: %d A: %d D: %d",
(*(tptr) >> 5), (((*tptr)>> 4) & 0x01),
Expand All @@ -1461,18 +1471,15 @@ isis_print_mt_port_cap_subtlv(netdissect_options *ndo,
}

len = len - ISIS_SUBTLV_SPB_DIGEST_MIN_LEN;
stlv_len = stlv_len - ISIS_SUBTLV_SPB_DIGEST_MIN_LEN;

break;
}

case ISIS_SUBTLV_SPB_BVID:
{
ND_TCHECK2(*(tptr), stlv_len);

while (len >= ISIS_SUBTLV_SPB_BVID_MIN_LEN)
while (stlv_len >= ISIS_SUBTLV_SPB_BVID_MIN_LEN)
{
ND_TCHECK2(*(tptr), ISIS_SUBTLV_SPB_BVID_MIN_LEN);

ND_PRINT((ndo, "\n\t ECT: %08x",
EXTRACT_32BITS(tptr)));

Expand All @@ -1485,14 +1492,17 @@ isis_print_mt_port_cap_subtlv(netdissect_options *ndo,

tptr = tptr + 2;
len = len - ISIS_SUBTLV_SPB_BVID_MIN_LEN;
stlv_len = stlv_len - ISIS_SUBTLV_SPB_BVID_MIN_LEN;
}

break;
}

default:
break;
break;
}
tptr += stlv_len;
len -= stlv_len;
}

return 0;
Expand All @@ -1511,6 +1521,7 @@ isis_print_mt_capability_subtlv(netdissect_options *ndo,

while (len > 2)
{
ND_TCHECK2(*tptr, 2);
stlv_type = *(tptr++);
stlv_len = *(tptr++);

Expand All @@ -1522,11 +1533,17 @@ isis_print_mt_capability_subtlv(netdissect_options *ndo,

len = len - 2;

/* Make sure the subTLV fits within the space left */
if (len < stlv_len)
goto trunc;
/* Make sure the entire subTLV is in the captured data */
ND_TCHECK2(*(tptr), stlv_len);

switch (stlv_type)
{
case ISIS_SUBTLV_SPB_INSTANCE:

ND_TCHECK2(*tptr, ISIS_SUBTLV_SPB_INSTANCE_MIN_LEN);
if (stlv_len < ISIS_SUBTLV_SPB_INSTANCE_MIN_LEN)
goto trunc;

ND_PRINT((ndo, "\n\t CIST Root-ID: %08x", EXTRACT_32BITS(tptr)));
tptr = tptr+4;
Expand All @@ -1548,10 +1565,12 @@ isis_print_mt_capability_subtlv(netdissect_options *ndo,
tmp = *(tptr++);

len = len - ISIS_SUBTLV_SPB_INSTANCE_MIN_LEN;
stlv_len = stlv_len - ISIS_SUBTLV_SPB_INSTANCE_MIN_LEN;

while (tmp)
{
ND_TCHECK2(*tptr, ISIS_SUBTLV_SPB_INSTANCE_VLAN_TUPLE_LEN);
if (stlv_len < ISIS_SUBTLV_SPB_INSTANCE_VLAN_TUPLE_LEN)
goto trunc;

ND_PRINT((ndo, "\n\t U:%d, M:%d, A:%d, RES:%d",
*(tptr) >> 7, (*(tptr) >> 6) & 0x01,
Expand All @@ -1569,14 +1588,15 @@ isis_print_mt_capability_subtlv(netdissect_options *ndo,

tptr = tptr + 3;
len = len - ISIS_SUBTLV_SPB_INSTANCE_VLAN_TUPLE_LEN;
stlv_len = stlv_len - ISIS_SUBTLV_SPB_INSTANCE_VLAN_TUPLE_LEN;
tmp--;
}

break;

case ISIS_SUBTLV_SPBM_SI:

ND_TCHECK2(*tptr, 8);
if (stlv_len < 8)
goto trunc;

ND_PRINT((ndo, "\n\t BMAC: %08x", EXTRACT_32BITS(tptr)));
tptr = tptr+4;
Expand Down Expand Up @@ -1608,6 +1628,8 @@ isis_print_mt_capability_subtlv(netdissect_options *ndo,
default:
break;
}
tptr += stlv_len;
len -= stlv_len;
}
return 0;

Expand Down
4 changes: 4 additions & 0 deletions tests/TESTLIST
Expand Up @@ -528,6 +528,10 @@ mobility_opt_asan mobility_opt_asan.pcap mobility_opt_asan.out -v
mobility_opt_asan_2 mobility_opt_asan_2.pcap mobility_opt_asan_2.out -v
mobility_opt_asan_3 mobility_opt_asan_3.pcap mobility_opt_asan_3.out -v
mobility_opt_asan_4 mobility_opt_asan_4.pcap mobility_opt_asan_4.out -v
isis_stlv_asan isis_stlv_asan.pcap isis_stlv_asan.out -v
isis_stlv_asan-2 isis_stlv_asan-2.pcap isis_stlv_asan-2.out -v
isis_stlv_asan-3 isis_stlv_asan-3.pcap isis_stlv_asan-3.out -v
isis_stlv_asan-4 isis_stlv_asan-4.pcap isis_stlv_asan-4.out -v

# RTP tests
# fuzzed pcap
Expand Down
17 changes: 1 addition & 16 deletions tests/isis-extd-ipreach-oobr.out
Expand Up @@ -24,22 +24,7 @@
AUX-MCID: ID: 69, Name: EIEEEIEEEIEEEIEEEIEEEIEEEIEEEIEE
Lvl: 17737, Digest: 45 45 45 49 45 45 45 49 45 45 45 49 45 45 45 49 [|isis]
unknown subTLV #69, length: 69
unknown subTLV #69, length: 73
unknown subTLV #69, length: 69
unknown subTLV #69, length: 73
unknown subTLV #69, length: 69
unknown subTLV #69, length: 73
unknown subTLV #69, length: 69
unknown subTLV #69, length: 73
unknown subTLV #69, length: 69
unknown subTLV #69, length: 73
unknown subTLV #69, length: 69
unknown subTLV #69, length: 73
unknown subTLV #69, length: 69
unknown subTLV #69, length: 73
unknown subTLV #69, length: 69
unknown subTLV #69, length: 73
unknown subTLV #69, length: 69
[|isis]
0x0000: 0000 0466 0049 4545 4549 4545 4549 4545
0x0010: 4549 4545 4549 4545 4549 4545 4549 4545
0x0020: 4549 4545 4549 4545 4549 4545 4549 4545
Expand Down
120 changes: 4 additions & 116 deletions tests/isis-seg-fault-2-v.out
Expand Up @@ -5,129 +5,17 @@ IS-IS, length 1497
Multi-Topology Capability TLV #144, length: 1
O: 1, RES: 4, MTID(s): 3073
unknown subTLV #4, length: 3
unknown subTLV #73, length: 0
unknown subTLV #10, length: 132
unknown subTLV #4, length: 10
unknown subTLV #0, length: 10
unknown subTLV #0, length: 55
SPBM Service Identifier and Unicast Address subTLV #3, length: 0
BMAC: 00000606c201, RES: 2, VID: 2456
unknown subTLV #204, length: 83
unknown subTLV #132, length: 4
unknown subTLV #55, length: 3
unknown subTLV #6, length: 6
unknown subTLV #8, length: 191
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #82, length: 0
unknown subTLV #0, length: 86
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #37, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 37
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 108
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #37, length: 0
unknown subTLV #48, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #37, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #172, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #76, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 90
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 90
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #37, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 107
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 37
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #2, length: 0
unknown subTLV #0, length: 0
unknown subTLV #37, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 92
unknown subTLV #0, length: 0
unknown subTLV #113, length: 90
unknown subTLV #0, length: 230
unknown subTLV #0, length: 0
unknown subTLV #79, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #234, length: 0
unknown subTLV #0, length: 0
unknown subTLV #64, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #37, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #37, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
unknown subTLV #2, length: 0
unknown subTLV #0, length: 0
unknown subTLV #0, length: 0
[|isis]
Area address(es) TLV #1, length: 4
Area address (length: 3): 49.000a
IPv4 Interface address(es) TLV #132, length: 4
Expand Down
22 changes: 22 additions & 0 deletions tests/isis_stlv_asan-2.out
@@ -0,0 +1,22 @@
UI 22! IS-IS, length 469869187
L2 Lan IIH, hlen: 27, v: 1, pdu-v: 1, sys-id-len: 6 (0), max-area: 224 (224)
source-id: fed0.f90f.58af, holding time: 34047s, Flags: [unknown circuit type 0x00]
lan-id: 0100.0088.a201.1c, Priority: 65, PDU length: 4096
unknown TLV #0, length: 12
0x0000: 0722 0583 1b01 0010 0505 0505
Area address(es) TLV #1, length: 157
IS Reachability TLV #2, length: 2
bogus virtual flag 0x02
IS Reachability TLV #2, length: 2
bogus virtual flag 0x02
IS Reachability TLV #2, length: 2
bogus virtual flag 0x90
Multi-Topology Capability TLV #144, length: 144
O: 1, RES: 1, MTID(s): 144
unknown subTLV #144, length: 2
unknown subTLV #2, length: 0
unknown subTLV #16, length: 1
unknown subTLV #224, length: 0
unknown subTLV #59, length: 0
unknown subTLV #5, length: 166
[|isis] [|isis]
Binary file added tests/isis_stlv_asan-2.pcap
Binary file not shown.
23 changes: 23 additions & 0 deletions tests/isis_stlv_asan-3.out
@@ -0,0 +1,23 @@
UI 22! IS-IS, length 469869187
L2 Lan IIH, hlen: 27, v: 1, pdu-v: 1, sys-id-len: 6 (0), max-area: 224 (224)
source-id: fed0.f90f.58af, holding time: 34047s, Flags: [unknown circuit type 0x00]
lan-id: 0100.0088.a201.1c, Priority: 65, PDU length: 4096
unknown TLV #0, length: 12
0x0000: 0722 0583 1b01 0010 019d e000
unknown TLV #254, length: 0
Prefix Neighbors TLV #5, length: 146
Metric Block, Default Metric: 32, Internal
Expense Metric: 0, Internal
Error Metric: 0, Internal
Address: 88.99ff.ffff.7fb5.0000/76
Address: isonsap_string: illegal length/948
Address: 95/8
Address: 02/8
Address: 02/8
Address: 02/8
Address: 90/8
Multi-Topology Capability TLV #144, length: 144
O: 1, RES: 1, MTID(s): 0
unknown subTLV #107, length: 0
unknown subTLV #0, length: 208
[|isis] [|isis]
Binary file added tests/isis_stlv_asan-3.pcap
Binary file not shown.

0 comments on commit b20e163

Please sign in to comment.