
Commit c177cb3

guyharris authored and infrastation committed
CVE-2017-13016/ES-IS: Fix printing of addresses in RD PDUs.
Always print the SNPA, and flag it as such; only print it as a MAC address if it's 6 bytes long. Identify the NET as such. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add tests using the capture files supplied by the reporter(s), modified so the capture files won't be rejected as an invalid capture.
1 parent: 9851220; commit: c177cb3

13 files changed, +72 / -4 lines

Diff for: addrtoname.h

+2 -1
@@ -33,7 +33,8 @@ enum {
3333
LINKADDR_ETHER,
3434
LINKADDR_FRELAY,
3535
LINKADDR_IEEE1394,
36-
LINKADDR_ATM
36+
LINKADDR_ATM,
37+
LINKADDR_OTHER
3738
};
3839

3940
#define BUFSIZE 128
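Review bot: the new LINKADDR_OTHER enumerator at line 37 has no accompanying change to linkaddr_string() in this diff, so it is worth confirming that the type dispatch in addrtoname.c sends the new value down a generic path (length-bounded bytes printed as hex, which is what the expected output `SNPA (length: 4): 00:00:00:00` in tests/esis_snpa_asan-5.out shows) rather than into an unhandled-type default. A trailing comma after LINKADDR_OTHER would also keep future additions to this enum a one-line change; this hunk itself had to touch the LINKADDR_ATM line only to append its comma.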

Diff for: print-isoclns.c

+11 -3
@@ -1217,10 +1217,18 @@ esis_print(netdissect_options *ndo,
12171217
pptr += netal;
12181218
li -= netal;
12191219

1220-
if (netal == 0)
1221-
ND_PRINT((ndo, "\n\t %s", etheraddr_string(ndo, snpa)));
1220+
if (snpal == 6)
1221+
ND_PRINT((ndo, "\n\t SNPA (length: %u): %s",
1222+
snpal,
1223+
etheraddr_string(ndo, snpa)));
12221224
else
1223-
ND_PRINT((ndo, "\n\t %s", isonsap_string(ndo, neta, netal)));
1225+
ND_PRINT((ndo, "\n\t SNPA (length: %u): %s",
1226+
snpal,
1227+
linkaddr_string(ndo, snpa, LINKADDR_OTHER, snpal)));
1228+
if (netal != 0)
1229+
ND_PRINT((ndo, "\n\t NET (length: %u) %s",
1230+
netal,
1231+
isonsap_string(ndo, neta, netal)));
12241232
break;
12251233
}
12261234

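Review bot: the over-read fix is the condition change at lines 1220 to 1224: the removed code called etheraddr_string(ndo, snpa) whenever netal == 0, so a redirect PDU with a zero- or short-length SNPA still had six bytes read from snpa regardless of snpal; the new code calls etheraddr_string() only when snpal == 6 and otherwise passes snpal to linkaddr_string(), so the read is bounded by the length actually parsed. Two follow-ups: the NET format string at line 1229, `"\n\t NET (length: %u) %s"`, omits the colon that the two SNPA lines use (`"\n\t SNPA (length: %u): %s"`) and that the ESH expected outputs print (`NET (length: 4): ec.ff00.00`), so `"\n\t NET (length: %u): %s"` would keep all three consistent; and the fix assumes snpal and netal were checked against the remaining PDU length before the `pptr += netal; li -= netal;` at lines 1217 to 1218, which lies outside this hunk and should be verified in the surrounding code.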
Diff for: tests/TESTLIST

+5
@@ -513,6 +513,11 @@ lldp_asan lldp_asan.pcap lldp_asan.out -v
513513
extract_read2_asan extract_read2_asan.pcap extract_read2_asan.out -v
514514
getname_2_read4_asan getname_2_read4_asan.pcap getname_2_read4_asan.out -v
515515
eap_extract_read2_asan eap_extract_read2_asan.pcap eap_extract_read2_asan.out -v
516+
esis_snpa_asan esis_snpa_asan.pcap esis_snpa_asan.out -v
517+
esis_snpa_asan-2 esis_snpa_asan-2.pcap esis_snpa_asan-2.out -v
518+
esis_snpa_asan-3 esis_snpa_asan-3.pcap esis_snpa_asan-3.out -v
519+
esis_snpa_asan-4 esis_snpa_asan-4.pcap esis_snpa_asan-4.out -v
520+
esis_snpa_asan-5 esis_snpa_asan-5.pcap esis_snpa_asan-5.out -v
516521

517522
# RTP tests
518523
# fuzzed pcap
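Review bot: the five new entries at lines 516 to 520 carry no comment tying them to the fix, while the surrounding file already uses `#` comment lines (`# RTP tests`, `# fuzzed pcap`) to group related captures; a comment line above them naming CVE-2017-13016 and the ES-IS RD SNPA over-read, and noting that the captures were modified by the committer so they are not rejected as invalid, would save the next person from having to find this commit to learn why the captures exist.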

Diff for: tests/esis_snpa_asan-2.out

+4
@@ -0,0 +1,4 @@
1+
UI 22! ES-IS, length 65565
2+
redirect (6), v: 1, checksum: 0x70a1 (incorrect should be 0xf519), holding time: 22339s, length indicator: 17
3+
00.22
4+
SNPA (length: 0): <empty>, opt (0) too long
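Review bot: line 4, `SNPA (length: 0): <empty>, opt (0) too long`, is the zero-length SNPA case that the old code turned into a six-byte etheraddr_string() read; under the new print-isoclns.c code a length of 0 fails the snpal == 6 test and goes through linkaddr_string(), which is what produces `<empty>`. The trailing `opt (0) too long` shows the option parsing after the address still finds the PDU inconsistent, so this capture checks only that the address printing no longer over-reads, not that the rest of the PDU is valid; that is adequate for a regression test but worth stating next to the TESTLIST entry.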

Diff for: tests/esis_snpa_asan-2.pcap (binary, 62 bytes, not shown)

Diff for: tests/esis_snpa_asan-3.out

+7
@@ -0,0 +1,7 @@
1+
UI 22! ES-IS, length 65565
2+
unknown type: 0 (0), v: 1, checksum: 0x00a1 (incorrect should be 0x859d), holding time: 0s, length indicator: 17
3+
0x0000: 0200 04ec ff00 0000
4+
UI 22! ES-IS, length 2650865693
5+
redirect (6), v: 1, checksum: 0x0300 (incorrect should be 0xbce5), holding time: 21480s, length indicator: 17
6+
ec.ff00.00
7+
SNPA (length: 0): <empty>

Diff for: tests/esis_snpa_asan-3.pcap (binary, 100 bytes, not shown)

Diff for: tests/esis_snpa_asan-4.out

+21
@@ -0,0 +1,21 @@
1+
UI 22! ES-IS, length 65565
2+
ESH (2), v: 1, checksum: 0x70a1 (incorrect should be 0xfb4e), holding time: 21315s, length indicator: 17
3+
Number of Source Addresses: 2
4+
NET (length: 0): isonsap_string: illegal length
5+
NET (length: 4): ec.ff00.00, bad opts/li
6+
UI 22! ES-IS, length 65565
7+
redirect (6), v: 1, checksum: 0x7034 (incorrect should be 0x44ec), holding time: 21315s, length indicator: 16
8+
02.0400
9+
SNPA (length: 0): <empty>
10+
Unknown Option #0, length 0, value:
11+
UI 32! ES-IS, length 65565
12+
ESH (2), v: 1, checksum: 0x70a1 (incorrect should be 0xfb4e), holding time: 21315s, length indicator: 17
13+
Number of Source Addresses: 2
14+
NET (length: 0): isonsap_string: illegal length
15+
NET (length: 4): ec.ff00.00, bad opts/li
16+
UI 22! ES-IS, length 4244701213
17+
redirect (6), v: 1, checksum: 0x7034 (incorrect should be 0x36fe), holding time: 21315s, length indicator: 17
18+
isonsap_string: illegal length
19+
SNPA (length: 0): <empty>
20+
NET (length: 4) 00.0000.00
21+
Q.922, invalid address
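Review bot: line 20 of this expected output, `NET (length: 4) 00.0000.00`, lacks the colon that lines 5 and 15 (`NET (length: 4): ec.ff00.00`) carry, which pins the redirect-case format-string inconsistency from print-isoclns.c into the test; if that format string is later made consistent, this .out file must be regenerated in the same change or the test will fail.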

Diff for: tests/esis_snpa_asan-4.pcap (binary, 214 bytes, not shown)

Diff for: tests/esis_snpa_asan-5.out

+10
@@ -0,0 +1,10 @@
1+
UI 22! ES-IS, length 65565
2+
ESH (2), v: 1, checksum: 0x70a1 (incorrect should be 0xfc4c), holding time: 21315s, length indicator: 17
3+
Number of Source Addresses: 3
4+
NET (length: 0): isonsap_string: illegal length
5+
NET (length: 4): ec.ff00.00
6+
NET (length: 0): isonsap_string: illegal length
7+
UI 22! ES-IS, length 65565
8+
redirect (6), v: 1, checksum: 0x7034 (incorrect should be 0x3ff0), holding time: 21315s, length indicator: 17
9+
04
10+
SNPA (length: 4): 00:00:00:00, bad opts/li
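Review bot: line 10, `SNPA (length: 4): 00:00:00:00, bad opts/li`, is the most direct regression check in the set: a four-byte SNPA is rendered through the generic LINKADDR_OTHER path with exactly four bytes, where the removed code, for a PDU with no NET, would have called etheraddr_string() and read six. This capture should be kept even if the other esis_snpa_asan captures are later consolidated, since it is the one that exercises the snpal == 6 condition with a non-zero, non-6 length.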

Diff for: tests/esis_snpa_asan-5.pcap (binary, 100 bytes, not shown)

Diff for: tests/esis_snpa_asan.out

+12
@@ -0,0 +1,12 @@
1+
UI 22! ES-IS, length 65565
2+
ESH (2), v: 1, checksum: 0x70a1 (incorrect should be 0xfb4e), holding time: 21315s, length indicator: 17
3+
Number of Source Addresses: 2
4+
NET (length: 0): isonsap_string: illegal length
5+
NET (length: 4): ec.ff00.00, bad opts/li
6+
UI 22! ES-IS, length 65565
7+
redirect (6), v: 1, checksum: 0xffff (incorrect should be 0x6b16), holding time: 21253s, length indicator: 17
8+
00.04ec.0000
9+
SNPA (length: 0): <empty>, bad opts/li
10+
Q.922, hdr-len 2, DLCI 0, Flags [FECN], NLPID unknown (0x22), length 72482:
11+
0x0000: 0082 1000 5542 5343 70a1 0200 0400 0000 ....UBSCp.......
12+
0x0010: 007e .~

Diff for: tests/esis_snpa_asan.pcap (binary, 138 bytes, not shown)
