
Commit b534e30

guyharrisinfrastation
authored and committed
CVE-2017-12993/Juniper: Add more bounds checks.
This fixes a buffer over-read discovered by Kamil Frankowicz. Add tests using the capture files supplied by the reporter(s).
1 parent d3aae71 commit b534e30

8 files changed

+44
-0
lines changed

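--- a/print-juniper.c
+++ b/print-juniper.c
@@ -472,6 +472,7 @@ juniper_ggsn_print(netdissect_options *ndo,
 p+=l2info.header_len;
 gh = (struct juniper_ggsn_header *)&l2info.cookie;
 
+ND_TCHECK(*gh);
 if (ndo->ndo_eflag) {
 ND_PRINT((ndo, "proto %s (%u), vlan %u: ",
 tok2str(juniper_protocol_values,"Unknown",gh->proto),
@@ -492,6 +493,10 @@ juniper_ggsn_print(netdissect_options *ndo,
 }
 
 return l2info.header_len;
+
+trunc:
+ND_PRINT((ndo, "[|juniper_services]"));
+return l2info.header_len;
 }
 #endif
 
@@ -519,6 +524,7 @@ juniper_es_print(netdissect_options *ndo,
 p+=l2info.header_len;
 ih = (const struct juniper_ipsec_header *)p;
 
+ND_TCHECK(*ih);
 switch (ih->type) {
 case JUNIPER_IPSEC_O_ESP_ENCRYPT_ESP_AUTHEN_TYPE:
 case JUNIPER_IPSEC_O_ESP_ENCRYPT_AH_AUTHEN_TYPE:
@@ -564,6 +570,10 @@ juniper_es_print(netdissect_options *ndo,
 
 ip_print(ndo, p, l2info.length);
 return l2info.header_len;
+
+trunc:
+ND_PRINT((ndo, "[|juniper_services]"));
+return l2info.header_len;
 }
 #endif
 
@@ -588,6 +598,7 @@ juniper_monitor_print(netdissect_options *ndo,
 p+=l2info.header_len;
 mh = (const struct juniper_monitor_header *)p;
 
+ND_TCHECK(*mh);
 if (ndo->ndo_eflag)
 ND_PRINT((ndo, "service-id %u, iif %u, pkt-type %u: ",
 EXTRACT_32BITS(&mh->service_id),
@@ -598,6 +609,10 @@ juniper_monitor_print(netdissect_options *ndo,
 ip_heuristic_guess (ndo, p, l2info.length);
 
 return l2info.header_len;
+
+trunc:
+ND_PRINT((ndo, "[|juniper_services]"));
+return l2info.header_len;
 }
 #endif
 
@@ -622,6 +637,7 @@ juniper_services_print(netdissect_options *ndo,
 p+=l2info.header_len;
 sh = (const struct juniper_services_header *)p;
 
+ND_TCHECK(*sh);
 if (ndo->ndo_eflag)
 ND_PRINT((ndo, "service-id %u flags 0x%02x service-set-id 0x%04x iif %u: ",
 sh->svc_id,
@@ -633,6 +649,10 @@ juniper_services_print(netdissect_options *ndo,
 ip_heuristic_guess (ndo, p, l2info.length);
 
 return l2info.header_len;
+
+trunc:
+ND_PRINT((ndo, "[|juniper_services]"));
+return l2info.header_len;
 }
 #endif
 
@@ -740,6 +760,7 @@ juniper_pppoe_atm_print(netdissect_options *ndo,
 
 p+=l2info.header_len;
 
+ND_TCHECK2(p[0], 2);
 extracted_ethertype = EXTRACT_16BITS(p);
 /* this DLT contains nothing but raw PPPoE frames,
 * prepended with a type field*/
@@ -752,6 +773,10 @@ juniper_pppoe_atm_print(netdissect_options *ndo,
 ND_PRINT((ndo, "unknown ethertype 0x%04x", extracted_ethertype));
 
 return l2info.header_len;
+
+trunc:
+ND_PRINT((ndo, "[|juniper_pppoe_atm]"));
+return l2info.header_len;
 }
 #endif
 
@@ -940,6 +965,7 @@ juniper_atm1_print(netdissect_options *ndo,
 return l2info.header_len;
 }
 
+ND_TCHECK2(p[0], 3);
 if (EXTRACT_24BITS(p) == 0xfefe03 || /* NLPID encaps ? */
 EXTRACT_24BITS(p) == 0xaaaa03) { /* SNAP encaps ? */
 
@@ -958,6 +984,10 @@ juniper_atm1_print(netdissect_options *ndo,
 return l2info.header_len;
 
 return l2info.header_len;
+
+trunc:
+ND_PRINT((ndo, "[|juniper_atm1]"));
+return l2info.header_len;
 }
 #endif
 
@@ -989,6 +1019,7 @@ juniper_atm2_print(netdissect_options *ndo,
 return l2info.header_len;
 }
 
+ND_TCHECK2(p[0], 3);
 if (EXTRACT_24BITS(p) == 0xfefe03 || /* NLPID encaps ? */
 EXTRACT_24BITS(p) == 0xaaaa03) { /* SNAP encaps ? */
 
@@ -1016,6 +1047,10 @@ juniper_atm2_print(netdissect_options *ndo,
 return l2info.header_len;
 
 return l2info.header_len;
+
+trunc:
+ND_PRINT((ndo, "[|juniper_atm2]"));
+return l2info.header_len;
 }
 #endif
 
@@ -1280,6 +1315,7 @@ juniper_parse_header(netdissect_options *ndo,
 l2info->caplen -= l2info->header_len;
 
 /* search through the cookie table and copy values matching for our PIC type */
+ND_TCHECK(p[0]);
 while (lp->s != NULL) {
 if (lp->pictype == l2info->pictype) {
 
@@ -1360,6 +1396,7 @@ juniper_parse_header(netdissect_options *ndo,
 case DLT_JUNIPER_MLFR:
 switch (l2info->cookie_type) {
 case LS_COOKIE_ID:
+ND_TCHECK2(p[0], 2);
 l2info->bundle = l2info->cookie[1];
 l2info->proto = EXTRACT_16BITS(p);
 l2info->header_len += 2;
@@ -1383,6 +1420,7 @@ juniper_parse_header(netdissect_options *ndo,
 case DLT_JUNIPER_MFR:
 switch (l2info->cookie_type) {
 case LS_COOKIE_ID:
+ND_TCHECK2(p[0], 2);
 l2info->bundle = l2info->cookie[1];
 l2info->proto = EXTRACT_16BITS(p);
 l2info->header_len += 2;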
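Review bot: The `ND_TCHECK(*gh);` added to juniper_ggsn_print guards a pointer that the line above sets to `&l2info.cookie`, a field of the local `l2info` struct rather than a position in the packet buffer, so if ND_TCHECK compares its argument against the capture end as it does elsewhere in libnetdissect, this check tests a stack address and does not bound what was read from the wire; the over-read to prevent is wherever juniper_parse_header copies the cookie bytes out of the packet (outside these hunks), and that copy is where the length check belongs — presumably it is already length-checked, but please confirm rather than rely on this line. Separately, the `trunc:` labels added to juniper_ggsn_print, juniper_es_print and juniper_monitor_print all print `"[|juniper_services]"`, which misattributes a truncated capture to the services printer; use `ND_PRINT((ndo, "[|juniper_ggsn]"));`, `ND_PRINT((ndo, "[|juniper_es]"));` and `ND_PRINT((ndo, "[|juniper_monitor]"));` respectively. In the two LS_COOKIE_ID cases, `l2info->header_len += 2` follows the earlier `l2info->caplen -= l2info->header_len`, so whether caplen is reduced again for these two bytes is decided outside the hunk and worth checking, since the per-DLT printers pass `l2info.length` to the IP printers. All of the enclosing functions begin and end outside the hunks.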

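--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -451,6 +451,9 @@ nfs-attr-oobr nfs-attr-oobr.pcap nfs-attr-oobr.out
 decnet-oobr decnet-oobr.pcap decnet-oobr.out
 oobr_parse_elements oobr_parse_elements.pcap oobr_parse_elements.out
 hoobr_ripng_print hoobr_ripng_print.pcap hoobr_ripng_print.out
+hoobr_juniper hoobr_juniper.pcap hoobr_juniper.out
+hoobr_juniper2 hoobr_juniper2.pcap hoobr_juniper2.out
+hoobr_juniper3 hoobr_juniper3.pcap hoobr_juniper3.out
 
 # bad packets from Wilfried Kirsch
 slip-bad-direction slip-bad-direction.pcap slip-bad-direction.out -ve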

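--- a/tests/hoobr_juniper.out
+++ b/tests/hoobr_juniper.out
@@ -0,0 +1 @@
+[|juniper_hdr], length 808464432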

Diff for: tests/hoobr_juniper.pcap

856 Bytes
Binary file not shown.

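--- a/tests/hoobr_juniper2.out
+++ b/tests/hoobr_juniper2.out
@@ -0,0 +1 @@
+[|juniper_atm1]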

Diff for: tests/hoobr_juniper2.pcap

856 Bytes
Binary file not shown.

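--- a/tests/hoobr_juniper3.out
+++ b/tests/hoobr_juniper3.out
@@ -0,0 +1 @@
+Unknown Juniper DLT_ type 132: [|juniper_services]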

Diff for: tests/hoobr_juniper3.pcap

856 Bytes
Binary file not shown.
