
Commit c24922e

infrastation authored and fxlb committed
(for 4.9.3) CVE-2018-14466/Rx: fix an over-read bug
In rx_cache_insert() and rx_cache_find() properly read the serviceId field of the rx_header structure as a 16-bit integer. When those functions tried to read 32 bits the extra 16 bits could be outside of the bounds checked in rx_print() for the rx_header structure, as serviceId is the last field in that structure. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
1 parent e5ae1fd commit c24922e

4 files changed

+6
-2
lines changed

Diff for: print-rx.c

+2-2
Original file line number | Diff line number | Diff line change
@@ -694,7 +694,7 @@ rx_cache_insert(netdissect_options *ndo,
694694
UNALIGNED_MEMCPY(&rxent->client, &ip->ip_src, sizeof(uint32_t));
695695
UNALIGNED_MEMCPY(&rxent->server, &ip->ip_dst, sizeof(uint32_t));
696696
rxent->dport = dport;
697-
rxent->serviceId = EXTRACT_32BITS(&rxh->serviceId);
697+
rxent->serviceId = EXTRACT_16BITS(&rxh->serviceId);
698698
rxent->opcode = EXTRACT_32BITS(bp + sizeof(struct rx_header));
699699
}
700700

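Review bot: the narrowing from EXTRACT_32BITS to EXTRACT_16BITS at the `rxent->serviceId =` line is the right fix given that serviceId is the final 16-bit field of struct rx_header and the caller only bounds-checks sizeof(struct rx_header); it would be worth a one-line comment there saying the field is 16 bits so nobody "restores" the 32-bit read later. Please also confirm that the cache entry's serviceId member is itself 16 bits wide (or that the assignment's widening is intended), and that the unchanged `rxent->opcode = EXTRACT_32BITS(bp + sizeof(struct rx_header));` on the next line is covered by a separate length check in the caller, since that read deliberately reaches four bytes past the header this change protects.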
@@ -725,7 +725,7 @@ rx_cache_find(const struct rx_header *rxh, const struct ip *ip, int sport,
725725
if (rxent->callnum == EXTRACT_32BITS(&rxh->callNumber) &&
726726
rxent->client.s_addr == clip &&
727727
rxent->server.s_addr == sip &&
728-
rxent->serviceId == EXTRACT_32BITS(&rxh->serviceId) &&
728+
rxent->serviceId == EXTRACT_16BITS(&rxh->serviceId) &&
729729
rxent->dport == sport) {
730730

731731
/* We got a match! */
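Review bot: the comparison `rxent->serviceId == EXTRACT_16BITS(&rxh->serviceId)` now reads the same width as rx_cache_insert(), which matters beyond the over-read itself: if only one of the two functions had been changed, insert would store a 16-bit value while find compared against 32 bits including two bytes of trailing data, and cache lookups would silently fail to match. The other reads in this condition (callNumber via EXTRACT_32BITS) are 32-bit fields that lie wholly inside the header, so they are unaffected. A short comment noting that rx_print() has already checked sizeof(struct rx_header) would make it clear why no ND_TCHECK is needed here.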

Diff for: tests/TESTLIST

+1
@@ -573,6 +573,7 @@ ikev1_id_ipv6_addr_subnet-oobr ikev1_id_ipv6_addr_subnet-oobr.pcap ikev1_id_ipv6
573573
isakmp-various-oobr isakmp-various-oobr.pcap isakmp-various-oobr.out -v
574574
aoe-oobr-1 aoe-oobr-1.pcap aoe-oobr-1.out -v -c1
575575
frf16_magic_ie-oobr frf16_magic_ie-oobr.pcap frf16_magic_ie-oobr.out -v -c1
576+
rx_serviceid_oobr rx_serviceid_oobr.pcap rx_serviceid_oobr.out -c3
576577

577578
# bad packets from Katie Holly
578579
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
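Review bot: the new entry `rx_serviceid_oobr rx_serviceid_oobr.pcap rx_serviceid_oobr.out -c3` runs without -v, unlike the surrounding oobr tests, so it exercises only the default-verbosity path through rx_print() and the cache functions; if the over-read is also reachable with -v, a second entry with that option would cover it. As with the other oobr tests, the expected output alone does not prove the over-read is gone, so this entry should be run under ASan or valgrind in CI to be meaningful as a regression test.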

Diff for: tests/rx_serviceid_oobr.out

+3
@@ -0,0 +1,3 @@
1+
IP 250.15.128.19.68 > 249.251.157.8.63246: BOOTP/DHCP, unknown (0x00), length 8085
2+
[|ether]
3+
IP 0.0.0.0.0 > 0.0.0.0.7004: rx abort (539)
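Review bot: only the third line, `IP 0.0.0.0.0 > 0.0.0.0.7004: rx abort (539)`, reaches the Rx dissector; the first two are an unrelated BOOTP/DHCP frame and a truncated Ethernet frame, which is why -c3 is needed in TESTLIST. Since the serviceId value is not part of the printed output, the expected file will look identical whether the field is read as 16 or 32 bits; that is acceptable for an oobr test, but a note in the commit message or TESTLIST that the test's value lies in the sanitizer run, not the output diff, would help future maintainers.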

Diff for: tests/rx_serviceid_oobr.pcap

2.69 KB
Binary file not shown.
