CVE-2017-13044/HNCP: add DHCPv4-Data bounds checks

dhcpv4_print() in print-hncp.c had the same bug as dhcpv6_print(), apply a fix along the same lines. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
the-tcpdump-group · Sep 13, 2017 · c2f6833 · c2f6833
1 parent 39582c0
commit c2f6833
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 0 deletions.
diff --git a/print-hncp.c b/print-hncp.c
@@ -270,6 +270,8 @@ dhcpv4_print(netdissect_options *ndo,
 
     i = 0;
     while (i < length) {
+        if (i + 2 > length)
+            return -1;
         tlv = cp + i;
         type = (uint8_t)tlv[0];
         optlen = (uint8_t)tlv[1];
@@ -281,6 +283,8 @@ dhcpv4_print(netdissect_options *ndo,
 
         ND_PRINT((ndo, "%s", tok2str(dh4opt_str, "Unknown", type)));
         ND_PRINT((ndo," (%u)", optlen + 2 ));
+        if (i + 2 + optlen > length)
+            return -1;
 
         switch (type) {
         case DH4OPT_DNS_SERVERS:

diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -560,6 +560,8 @@ isakmpv1-attr-oobr	isakmpv1-attr-oobr.pcap		isakmpv1-attr-oobr.out	-v
 # code path and will not test the vulnerability unless modified respectively.
 # The .pcap file is truncated after the 1st packet.
 hncp_dhcpv6data-oobr	hncp_dhcpv6data-oobr.pcap	hncp_dhcpv6data-oobr.out -v -c1
+# Same comments apply to the case below.
+hncp_dhcpv4data-oobr	hncp_dhcpv4data-oobr.pcap	hncp_dhcpv4data-oobr.out -v -c1
 
 # bad packets from Katie Holly
 mlppp-oobr		mlppp-oobr.pcap			mlppp-oobr.out

diff --git a/tests/hncp_dhcpv4data-oobr.out b/tests/hncp_dhcpv4data-oobr.out
@@ -0,0 +1,4 @@
+IP truncated-ip - 260 bytes missing! (tos 0x12,ECT(0), ttl 48, id 21323, offset 0, flags [+, DF, rsvd], proto UDP (17), length 296, bad cksum 8e0f (->cd08)!)
+    1.2.7.0.1812 > 128.253.0.96.8231: hncp (268)
+	DHCPv4-Data (6)
+		DNS-server (98) (invalid)
diff --git a/tests/hncp_dhcpv4data-oobr.pcap b/tests/hncp_dhcpv4data-oobr.pcap