CVE-2017-13023/IPv6 mobility: Add a bounds check before fetching data

This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't cause 'tcpdump: pcap_loop: truncated dump file'
the-tcpdump-group · Sep 13, 2017 · b8e559a · b8e559a
1 parent eee0b04
commit b8e559a
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 0 deletions.
diff --git a/print-mobility.c b/print-mobility.c
@@ -150,6 +150,7 @@ mobility_opt_print(netdissect_options *ndo,
 				goto trunc;
 			}
 			/* units of 4 secs */
+			ND_TCHECK_16BITS(&bp[i+2]);
 			ND_PRINT((ndo, "(refresh: %u)",
 				EXTRACT_16BITS(&bp[i+2]) << 2));
 			break;

diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -524,6 +524,7 @@ pgm_opts_asan_2		pgm_opts_asan_2.pcap		pgm_opts_asan_2.out	-v
 vtp_asan		vtp_asan.pcap			vtp_asan.out	-v
 icmp6_mobileprefix_asan	icmp6_mobileprefix_asan.pcap	icmp6_mobileprefix_asan.out	-v
 ip_printroute_asan	ip_printroute_asan.pcap		ip_printroute_asan.out	-v
+mobility_opt_asan	mobility_opt_asan.pcap		mobility_opt_asan.out	-v
 
 # RTP tests
 # fuzzed pcap

diff --git a/tests/mobility_opt_asan.out b/tests/mobility_opt_asan.out
@@ -0,0 +1,2 @@
+IP6 (class 0x50, flowlabel 0x00004, hlim 0, next-header Mobile IP (old) (62) payload length: 7168) d400:7fa1:0:400::6238:2949 > 9675:86dd:7300:2c:1c7f:ffff:ffc3:b2a1: mobility: BU seq#=116 A lifetime=15872(pad1)[|MOBILITY]
+IP6 (class 0x50, flowlabel 0x00004, hlim 0, next-header Mobile IP (old) (62) payload length: 7168) d4c3:b2a1:200:400::6238:2949 > 9675:86dd:73f0:2c:1c7f:ffff:ebc3:b291: mobility: BU seq#=116 A lifetime=15360[|MOBILITY]
diff --git a/tests/mobility_opt_asan.pcap b/tests/mobility_opt_asan.pcap