CVE-2017-11542/PIMv1: Add a bounds check.

guyharris · infrastation · commit bed48062a64f · 2017-09-02T21:36:44.000+01:00
This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by the reporter(s).
diff --git a/print-pim.c b/print-pim.c
@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo,
 			pimv1_join_prune_print(ndo, &bp[8], len - 8);
 		break;
 	}
+	ND_TCHECK(bp[4]);
 	if ((bp[4] >> 4) != 1)
 		ND_PRINT((ndo, " [v%d]", bp[4] >> 4));
 	return;
diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -439,6 +439,7 @@ snmp-heapoverflow-2	snmp-heapoverflow-2.pcap	snmp-heapoverflow-2.out
 isoclns-heapoverflow-2	isoclns-heapoverflow-2.pcap	isoclns-heapoverflow-2.out	-e -c1
 isoclns-heapoverflow-3	isoclns-heapoverflow-3.pcap	isoclns-heapoverflow-3.out	-e -c1
 stp-v4-length-sigsegv	stp-v4-length-sigsegv.pcap	stp-v4-length-sigsegv.out
+hoobr_pimv1		hoobr_pimv1.pcap		hoobr_pimv1.out
 
 # RTP tests
 # fuzzed pcap
diff --git a/tests/hoobr_pimv1.out b/tests/hoobr_pimv1.out
@@ -0,0 +1,25 @@
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0010:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0010:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0010:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0010:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0010:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0010:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0010:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0010:  3030 3030 3030 3030                      00000000
+IP 48.48.48.48 > 48.48.48.48: igmp pimv1 [type 48][|pim]
diff --git a/tests/hoobr_pimv1.pcap b/tests/hoobr_pimv1.pcap

Original file line number	Diff line number	Diff line change
`@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo,`
`306`	`306`	`pimv1_join_prune_print(ndo, &bp[8], len - 8);`
`307`	`307`	`break;`
`308`	`308`	`}`
	`309`	`+ ND_TCHECK(bp[4]);`
`309`	`310`	`if ((bp[4] >> 4) != 1)`
`310`	`311`	`ND_PRINT((ndo, " [v%d]", bp[4] >> 4));`
`311`	`312`	`return;`