Permalink
Browse files

CVE-2017-13044/HNCP: add DHCPv4-Data bounds checks

dhcpv4_print() in print-hncp.c had the same bug as dhcpv6_print(), apply
a fix along the same lines.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
  • Loading branch information...
infrastation committed Jul 29, 2017
1 parent 39582c0 commit c2f6833dddecf2d5fb89c9c898eee9981da342ed
Showing with 10 additions and 0 deletions.
  1. +4 −0 print-hncp.c
  2. +2 −0 tests/TESTLIST
  3. +4 −0 tests/hncp_dhcpv4data-oobr.out
  4. BIN tests/hncp_dhcpv4data-oobr.pcap
@@ -270,6 +270,8 @@ dhcpv4_print(netdissect_options *ndo,
i = 0;
while (i < length) {
if (i + 2 > length)
return -1;
tlv = cp + i;
type = (uint8_t)tlv[0];
optlen = (uint8_t)tlv[1];
@@ -281,6 +283,8 @@ dhcpv4_print(netdissect_options *ndo,
ND_PRINT((ndo, "%s", tok2str(dh4opt_str, "Unknown", type)));
ND_PRINT((ndo," (%u)", optlen + 2 ));
if (i + 2 + optlen > length)
return -1;
switch (type) {
case DH4OPT_DNS_SERVERS:
@@ -560,6 +560,8 @@ isakmpv1-attr-oobr isakmpv1-attr-oobr.pcap isakmpv1-attr-oobr.out -v
# code path and will not test the vulnerability unless modified respectively.
# The .pcap file is truncated after the 1st packet.
hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1
# Same comments apply to the case below.
hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1
# bad packets from Katie Holly
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
@@ -0,0 +1,4 @@
IP truncated-ip - 260 bytes missing! (tos 0x12,ECT(0), ttl 48, id 21323, offset 0, flags [+, DF, rsvd], proto UDP (17), length 296, bad cksum 8e0f (->cd08)!)
1.2.7.0.1812 > 128.253.0.96.8231: hncp (268)
DHCPv4-Data (6)
DNS-server (98) (invalid)
Binary file not shown.

0 comments on commit c2f6833

Please sign in to comment.