Skip to content

Commit

Permalink
(for 4.9.3) CVE-2018-14465/RSVP: Add a missing bounds check
Browse files Browse the repository at this point in the history 
In rsvp_obj_print().

This fixes a buffer over-read discovered by Bhargava Shastry.

Add a test using the capture file supplied by the reporter(s).
  • Loading branch information
@fxlb
fxlb committed Aug 18, 2019
1 parent 1a1bce0 commit bea2686
Show file tree
Hide file tree
Showing 4 changed files with 9 additions and 0 deletions.
1 change: 1 addition & 0 deletions print-rsvp.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1555,6 +1555,7 @@ rsvp_obj_print(netdissect_options *ndo,
case RSVP_OBJ_CLASSTYPE_OLD: /* fall through */
switch(rsvp_obj_ctype) {
case RSVP_CTYPE_1:
ND_TCHECK_32BITS(obj_tptr);
ND_PRINT((ndo, "%s CT: %u",
ident,
EXTRACT_32BITS(obj_tptr) & 0x7));
Expand Down
1 change: 1 addition & 0 deletions tests/TESTLIST
View file
Original file line number Diff line number Diff line change
Expand Up @@ -555,6 +555,7 @@ isakmp-ikev1_n_print-oobr isakmp-ikev1_n_print-oobr.pcap isakmp-ikev1_n_print-oo
ldp-ldp_tlv_print-oobr ldp-ldp_tlv_print-oobr.pcap ldp-ldp_tlv_print-oobr.out -v -c1
icmp-icmp_print-oobr-1 icmp-icmp_print-oobr-1.pcap icmp-icmp_print-oobr-1.out -v -c3
icmp-icmp_print-oobr-2 icmp-icmp_print-oobr-2.pcap icmp-icmp_print-oobr-2.out -v -c3
rsvp-rsvp_obj_print-oobr rsvp-rsvp_obj_print-oobr.pcap rsvp-rsvp_obj_print-oobr.out -v -c3
# The .pcap file is truncated after the 1st packet.
hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1
hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1
Expand Down
7 changes: 7 additions & 0 deletions tests/rsvp-rsvp_obj_print-oobr.out
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
TIPC v5.0 226.0.0 > 64.14.1536, headerlength 56 bytes, MessageSize 51914 bytes, Link Changeover Protocol internal, messageType Unknown (0xcacacaca)[|TIPC]
[|ether]
IP (tos 0x0, ttl 14, id 44815, offset 0, flags [+, DF, rsvd], proto RSVP (46), length 40, bad cksum 3280 (->c411)!)
250.219.91.71 > 20.100.238.255:
RSVPv1 Hello Message (20), Flags: [none], length: 16384, ttl: 0, checksum: 0x000e
Class Type (old) Object (125) Flags: [reject if unknown], Class-Type: 1 (1), length: 4
[|rsvp]
Binary file added tests/rsvp-rsvp_obj_print-oobr.pcap
View file
Binary file not shown.

0 comments on commit bea2686

Please sign in to comment.