Skip to content

Commit c5dd7be

Browse files
guyharrisinfrastation
authored andcommitted
CVE-2017-13020/VTP: Add some missing bounds checks.
This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
1 parent 4601c68 commit c5dd7be

File tree

4 files changed

+9
-0
lines changed

4 files changed

+9
-0
lines changed

Diff for: print-vtp.c

+2
Original file line numberDiff line numberDiff line change
@@ -223,6 +223,7 @@ vtp_print (netdissect_options *ndo,
223223
*
224224
*/
225225

226+
ND_TCHECK_32BITS(tptr);
226227
ND_PRINT((ndo, ", Config Rev %x", EXTRACT_32BITS(tptr)));
227228

228229
/*
@@ -243,6 +244,7 @@ vtp_print (netdissect_options *ndo,
243244
tptr += 4;
244245
while (tptr < (pptr+length)) {
245246

247+
ND_TCHECK_8BITS(tptr);
246248
len = *tptr;
247249
if (len == 0)
248250
break;

Diff for: tests/TESTLIST

+1
Original file line numberDiff line numberDiff line change
@@ -521,6 +521,7 @@ esis_snpa_asan-5 esis_snpa_asan-5.pcap esis_snpa_asan-5.out -v
521521
dhcp6_reconf_asan dhcp6_reconf_asan.pcap dhcp6_reconf_asan.out -v
522522
pgm_opts_asan pgm_opts_asan.pcap pgm_opts_asan.out -v
523523
pgm_opts_asan_2 pgm_opts_asan_2.pcap pgm_opts_asan_2.out -v
524+
vtp_asan vtp_asan.pcap vtp_asan.out -v
524525

525526
# RTP tests
526527
# fuzzed pcap

Diff for: tests/vtp_asan.out

+6
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
FRF.16 Frag, seq 193, Flags [Begin, End], UI 08! VTPv69, Message Subset advertisement (0x02), length 2126400013
2+
Domain name: , Seq number: 0[|vtp]
3+
[|mfr]
4+
[|mfr]
5+
[|mfr]
6+
[|mfr]

Diff for: tests/vtp_asan.pcap

154 Bytes
Binary file not shown.

0 commit comments

Comments
 (0)