CVE-2017-13016/ES-IS: Fix printing of addresses in RD PDUs.

Always print the SNPA, and flag it as such; only print it as a MAC
address if it's 6 bytes long.

Identify the NET as such.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add tests using the capture files supplied by the reporter(s), modified
so the capture files won't be rejected as an invalid capture.
guyharris authored and infrastation committed Mar 22, 2017
1 parent 9851220 commit c177cb3800a9a68d79b2812f0ffcb9479abd6eb8
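As an added example (not tcpdump's code) of the length discipline the commit message describes, here is a stand-alone C version of the RD address printing that formats only as many SNPA bytes as the length byte says, skips an empty NET, and rejects a length field that runs past the PDU. The field layout, the function names and the colon-separated hex rendering of the NET are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Colon-separated hex of `len` bytes, "<empty>" for len == 0.
 * Stand-in for tcpdump's linkaddr_string/etheraddr_string (assumption). */
static const char *fmt_bytes(const uint8_t *p, size_t len, char *out, size_t outsz)
{
    size_t used = 0;
    if (len == 0) { snprintf(out, outsz, "<empty>"); return out; }
    for (size_t i = 0; i < len && used < outsz; i++)
        used += snprintf(out + used, outsz - used, "%s%02x", i ? ":" : "", p[i]);
    return out;
}

/* Print the SNPA/NET part of an ES-IS Redirect PDU from `pptr` with `li`
 * bytes left. Layout (assumption, as esis_print walks it):
 *   SNPAL (1) | SNPA (SNPAL bytes) | NETL (1) | NET (NETL bytes)
 * Returns bytes consumed, or -1 when a length byte claims more than `li`,
 * so no formatter ever reads past the PDU. */
int esis_rd_print_addrs(const uint8_t *pptr, size_t li, char *out, size_t outsz)
{
    const uint8_t *snpa, *neta;
    size_t snpal, netal;
    char sb[3 * 256], nb[3 * 256];
    if (li < 1) return -1;
    snpal = *pptr++; li--;
    if (li < snpal) return -1;          /* SNPA longer than what is left */
    snpa = pptr; pptr += snpal; li -= snpal;
    if (li < 1) return -1;
    netal = *pptr++; li--;
    if (li < netal) return -1;          /* NET longer than what is left */
    neta = pptr;
    /* The old code passed snpa to the 6-byte MAC formatter whenever netal was
     * 0, regardless of snpal; here only snpal bytes are ever touched. */
    fmt_bytes(snpa, snpal, sb, sizeof sb);
    if (netal == 0)                     /* empty NET: nothing to format */
        snprintf(out, outsz, "SNPA (length: %zu): %s", snpal, sb);
    else
        snprintf(out, outsz, "SNPA (length: %zu): %s, NET (length: %zu): %s",
                 snpal, sb, netal, fmt_bytes(neta, netal, nb, sizeof nb));
    return (int)(2 + snpal + netal);
}

/* Constructed sample fields (not the commit's capture files). */
static const uint8_t rd_empty[] = { 0x00, 0x00 };            /* SNPAL 0, NETL 0 */
static const uint8_t rd_mac[] = { 0x06, 0x00,0x11,0x22,0x33,0x44,0x55, 0x03, 0x49,0x00,0x01 };
static const uint8_t rd_trunc[] = { 0x06, 0x00, 0x11 };      /* SNPAL 6, 2 bytes left */
static char line[512];
```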
@@ -33,7 +33,8 @@ enum {
LINKADDR_ETHER,
LINKADDR_FRELAY,
LINKADDR_IEEE1394,
LINKADDR_ATM
LINKADDR_ATM,
LINKADDR_OTHER
};

#define BUFSIZE 128
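Review bot: LINKADDR_OTHER is appended to the enum so esis_print can hand a non-6-byte SNPA to linkaddr_string, but this hunk does not show linkaddr_string itself; confirm its switch has a default (or an explicit LINKADDR_OTHER) case that formats from the supplied length rather than assuming a fixed size, since the expected outputs below depend on a zero-length value printing as `<empty>` and a 4-byte one as `00:00:00:00`.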
@@ -1217,10 +1217,18 @@ esis_print(netdissect_options *ndo,
pptr += netal;
li -= netal;

if (netal == 0)
ND_PRINT((ndo, "\n\t %s", etheraddr_string(ndo, snpa)));
if (snpal == 6)
ND_PRINT((ndo, "\n\t SNPA (length: %u): %s",
snpal,
etheraddr_string(ndo, snpa)));
else
ND_PRINT((ndo, "\n\t %s", isonsap_string(ndo, neta, netal)));
ND_PRINT((ndo, "\n\t SNPA (length: %u): %s",
snpal,
linkaddr_string(ndo, snpa, LINKADDR_OTHER, snpal)));
if (netal != 0)
ND_PRINT((ndo, "\n\t NET (length: %u) %s",
netal,
isonsap_string(ndo, neta, netal)));
break;
}

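Review bot: the new NET line uses `"\n\t NET (length: %u) %s"` without the colon that the SNPA line in the same hunk and the ESH NET lines use, and the inconsistency is visible in the expected outputs (`NET (length: 4) 00.0000.00` next to `NET (length: 4): ec.ff00.00`); suggest `"\n\t NET (length: %u): %s"` and regenerating the .out files. The logic change itself is sound: the old code called etheraddr_string (a 6-byte read) on snpa whenever netal was 0 regardless of snpal, while the new code reserves etheraddr_string for snpal == 6, passes the real length to linkaddr_string otherwise, and no longer calls isonsap_string with netal == 0.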
@@ -513,6 +513,11 @@ lldp_asan lldp_asan.pcap lldp_asan.out -v
extract_read2_asan extract_read2_asan.pcap extract_read2_asan.out -v
getname_2_read4_asan getname_2_read4_asan.pcap getname_2_read4_asan.out -v
eap_extract_read2_asan eap_extract_read2_asan.pcap eap_extract_read2_asan.out -v
esis_snpa_asan esis_snpa_asan.pcap esis_snpa_asan.out -v
esis_snpa_asan-2 esis_snpa_asan-2.pcap esis_snpa_asan-2.out -v
esis_snpa_asan-3 esis_snpa_asan-3.pcap esis_snpa_asan-3.out -v
esis_snpa_asan-4 esis_snpa_asan-4.pcap esis_snpa_asan-4.out -v
esis_snpa_asan-5 esis_snpa_asan-5.pcap esis_snpa_asan-5.out -v

# RTP tests
# fuzzed pcap
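Review bot: the five new TESTLIST entries reference esis_snpa_asan.pcap and esis_snpa_asan-2.pcap through -5.pcap, but this rendering shows a size header (`BIN +138 Bytes`) only for tests/esis_snpa_asan.pcap, the others appearing just as "Binary file not shown."; verify all five capture files are actually part of the commit, otherwise the new tests fail at run time rather than exercising the fix.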
@@ -0,0 +1,4 @@
UI 22! ES-IS, length 65565
redirect (6), v: 1, checksum: 0x70a1 (incorrect should be 0xf519), holding time: 22339s, length indicator: 17
00.22
SNPA (length: 0): <empty>, opt (0) too long
Binary file not shown.
@@ -0,0 +1,7 @@
UI 22! ES-IS, length 65565
unknown type: 0 (0), v: 1, checksum: 0x00a1 (incorrect should be 0x859d), holding time: 0s, length indicator: 17
0x0000: 0200 04ec ff00 0000
UI 22! ES-IS, length 2650865693
redirect (6), v: 1, checksum: 0x0300 (incorrect should be 0xbce5), holding time: 21480s, length indicator: 17
ec.ff00.00
SNPA (length: 0): <empty>
Binary file not shown.
@@ -0,0 +1,21 @@
UI 22! ES-IS, length 65565
ESH (2), v: 1, checksum: 0x70a1 (incorrect should be 0xfb4e), holding time: 21315s, length indicator: 17
Number of Source Addresses: 2
NET (length: 0): isonsap_string: illegal length
NET (length: 4): ec.ff00.00, bad opts/li
UI 22! ES-IS, length 65565
redirect (6), v: 1, checksum: 0x7034 (incorrect should be 0x44ec), holding time: 21315s, length indicator: 16
02.0400
SNPA (length: 0): <empty>
Unknown Option #0, length 0, value:
UI 32! ES-IS, length 65565
ESH (2), v: 1, checksum: 0x70a1 (incorrect should be 0xfb4e), holding time: 21315s, length indicator: 17
Number of Source Addresses: 2
NET (length: 0): isonsap_string: illegal length
NET (length: 4): ec.ff00.00, bad opts/li
UI 22! ES-IS, length 4244701213
redirect (6), v: 1, checksum: 0x7034 (incorrect should be 0x36fe), holding time: 21315s, length indicator: 17
isonsap_string: illegal length
SNPA (length: 0): <empty>
NET (length: 4) 00.0000.00
Q.922, invalid address
Binary file not shown.
@@ -0,0 +1,10 @@
UI 22! ES-IS, length 65565
ESH (2), v: 1, checksum: 0x70a1 (incorrect should be 0xfc4c), holding time: 21315s, length indicator: 17
Number of Source Addresses: 3
NET (length: 0): isonsap_string: illegal length
NET (length: 4): ec.ff00.00
NET (length: 0): isonsap_string: illegal length
UI 22! ES-IS, length 65565
redirect (6), v: 1, checksum: 0x7034 (incorrect should be 0x3ff0), holding time: 21315s, length indicator: 17
04
SNPA (length: 4): 00:00:00:00, bad opts/li
Binary file not shown.
@@ -0,0 +1,12 @@
UI 22! ES-IS, length 65565
ESH (2), v: 1, checksum: 0x70a1 (incorrect should be 0xfb4e), holding time: 21315s, length indicator: 17
Number of Source Addresses: 2
NET (length: 0): isonsap_string: illegal length
NET (length: 4): ec.ff00.00, bad opts/li
UI 22! ES-IS, length 65565
redirect (6), v: 1, checksum: 0xffff (incorrect should be 0x6b16), holding time: 21253s, length indicator: 17
00.04ec.0000
SNPA (length: 0): <empty>, bad opts/li
Q.922, hdr-len 2, DLCI 0, Flags [FECN], NLPID unknown (0x22), length 72482:
0x0000: 0082 1000 5542 5343 70a1 0200 0400 0000 ....UBSCp.......
0x0010: 007e .~
BIN +138 Bytes tests/esis_snpa_asan.pcap
Binary file not shown.
