
Commit c2f6833

CVE-2017-13044/HNCP: add DHCPv4-Data bounds checks
dhcpv4_print() in print-hncp.c had the same bug as dhcpv6_print(), apply a fix along the same lines. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
1 parent 39582c0 commit c2f6833


4 files changed

+10
-0
lines changed


Diff for: print-hncp.c

+4
@@ -270,6 +270,8 @@ dhcpv4_print(netdissect_options *ndo,
270270

271271
i = 0;
272272
while (i < length) {
273+
if (i + 2 > length)
274+
return -1;
273275
tlv = cp + i;
274276
type = (uint8_t)tlv[0];
275277
optlen = (uint8_t)tlv[1];
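Review bot: the new `if (i + 2 > length)` guard returns -1 with no comment saying that 2 is the size of the option header (the type byte read as tlv[0] and the length byte read as tlv[1] just below). A one-line comment or a named constant for the header size would explain the literal here and in the later `i + 2 + optlen` check. It is also worth confirming that `length` is already bounded by the captured data at this point, since the guard compares only against `length` and the visible lines show no separate captured-length check before the tlv[0] and tlv[1] reads.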
@@ -281,6 +283,8 @@ dhcpv4_print(netdissect_options *ndo,
281283

282284
ND_PRINT((ndo, "%s", tok2str(dh4opt_str, "Unknown", type)));
283285
ND_PRINT((ndo," (%u)", optlen + 2 ));
286+
if (i + 2 + optlen > length)
287+
return -1;
284288

285289
switch (type) {
286290
case DH4OPT_DNS_SERVERS:
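Review bot: in `if (i + 2 + optlen > length)` the sum is formed before the comparison, so the check relies on `i + 2 + optlen` not wrapping. The earlier guard already ensures i + 2 <= length at this point, so writing it as `optlen > length - i - 2` gives the same result with no addition that could overflow. The check also sits after the two ND_PRINT calls, so the option name and size are printed before the function returns -1; if that ordering is intentional (the expected output in tests/hncp_dhcpv4data-oobr.out suggests it is), a short comment would stop someone from moving the check up later.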

Diff for: tests/TESTLIST

+2
@@ -560,6 +560,8 @@ isakmpv1-attr-oobr isakmpv1-attr-oobr.pcap isakmpv1-attr-oobr.out -v
560560
# code path and will not test the vulnerability unless modified respectively.
561561
# The .pcap file is truncated after the 1st packet.
562562
hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1
563+
# Same comments apply to the case below.
564+
hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1
563565

564566
# bad packets from Katie Holly
565567
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
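Review bot: the added comment `# Same comments apply to the case below.` only makes sense while this entry stays directly under the hncp_dhcpv6data-oobr block; if entries are inserted or reordered it will point at the wrong comments. Consider naming the case it refers to, for example by stating that the notes for hncp_dhcpv6data-oobr also apply to hncp_dhcpv4data-oobr.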

Diff for: tests/hncp_dhcpv4data-oobr.out

+4
@@ -0,0 +1,4 @@
1+
IP truncated-ip - 260 bytes missing! (tos 0x12,ECT(0), ttl 48, id 21323, offset 0, flags [+, DF, rsvd], proto UDP (17), length 296, bad cksum 8e0f (->cd08)!)
2+
1.2.7.0.1812 > 128.253.0.96.8231: hncp (268)
3+
DHCPv4-Data (6)
4+
DNS-server (98) (invalid)
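Review bot: this expected output covers only the second of the two added checks. The line `DNS-server (98) (invalid)` shows that the option name and size were printed, which happens after the `i + 2 > length` guard and before the `i + 2 + optlen > length` one, so the first guard's return path is never exercised. A second case whose DHCPv4-Data ends with a single leftover byte would cover it.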

Diff for: tests/hncp_dhcpv4data-oobr.pcap

170 Bytes
Binary file not shown.
