Skip to content

Commit b8e559a

Browse files
fxlbinfrastation
authored andcommitted
CVE-2017-13023/IPv6 mobility: Add a bounds check before fetching data
This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't cause 'tcpdump: pcap_loop: truncated dump file'
1 parent eee0b04 commit b8e559a

File tree

4 files changed

+4
-0
lines changed

4 files changed

+4
-0
lines changed

Diff for: print-mobility.c

+1
Original file line numberDiff line numberDiff line change
@@ -150,6 +150,7 @@ mobility_opt_print(netdissect_options *ndo,
150150
goto trunc;
151151
}
152152
/* units of 4 secs */
153+
ND_TCHECK_16BITS(&bp[i+2]);
153154
ND_PRINT((ndo, "(refresh: %u)",
154155
EXTRACT_16BITS(&bp[i+2]) << 2));
155156
break;

Diff for: tests/TESTLIST

+1
Original file line numberDiff line numberDiff line change
@@ -524,6 +524,7 @@ pgm_opts_asan_2 pgm_opts_asan_2.pcap pgm_opts_asan_2.out -v
524524
vtp_asan vtp_asan.pcap vtp_asan.out -v
525525
icmp6_mobileprefix_asan icmp6_mobileprefix_asan.pcap icmp6_mobileprefix_asan.out -v
526526
ip_printroute_asan ip_printroute_asan.pcap ip_printroute_asan.out -v
527+
mobility_opt_asan mobility_opt_asan.pcap mobility_opt_asan.out -v
527528

528529
# RTP tests
529530
# fuzzed pcap

Diff for: tests/mobility_opt_asan.out

+2
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
IP6 (class 0x50, flowlabel 0x00004, hlim 0, next-header Mobile IP (old) (62) payload length: 7168) d400:7fa1:0:400::6238:2949 > 9675:86dd:7300:2c:1c7f:ffff:ffc3:b2a1: mobility: BU seq#=116 A lifetime=15872(pad1)[|MOBILITY]
2+
IP6 (class 0x50, flowlabel 0x00004, hlim 0, next-header Mobile IP (old) (62) payload length: 7168) d4c3:b2a1:200:400::6238:2949 > 9675:86dd:73f0:2c:1c7f:ffff:ebc3:b291: mobility: BU seq#=116 A lifetime=15360[|MOBILITY]

Diff for: tests/mobility_opt_asan.pcap

256 Bytes
Binary file not shown.

0 commit comments

Comments
 (0)