Skip to content
Permalink
Browse files Browse the repository at this point in the history
CVE-2017-13020/VTP: Add some missing bounds checks.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
  • Loading branch information
guyharris authored and infrastation committed Sep 13, 2017
1 parent 4601c68 commit c5dd7be
Show file tree
Hide file tree
Showing 4 changed files with 9 additions and 0 deletions.
2 changes: 2 additions & 0 deletions print-vtp.c
Expand Up @@ -223,6 +223,7 @@ vtp_print (netdissect_options *ndo,
*
*/

ND_TCHECK_32BITS(tptr);
ND_PRINT((ndo, ", Config Rev %x", EXTRACT_32BITS(tptr)));

/*
Expand All @@ -243,6 +244,7 @@ vtp_print (netdissect_options *ndo,
tptr += 4;
while (tptr < (pptr+length)) {

ND_TCHECK_8BITS(tptr);
len = *tptr;
if (len == 0)
break;
Expand Down
1 change: 1 addition & 0 deletions tests/TESTLIST
Expand Up @@ -521,6 +521,7 @@ esis_snpa_asan-5 esis_snpa_asan-5.pcap esis_snpa_asan-5.out -v
dhcp6_reconf_asan dhcp6_reconf_asan.pcap dhcp6_reconf_asan.out -v
pgm_opts_asan pgm_opts_asan.pcap pgm_opts_asan.out -v
pgm_opts_asan_2 pgm_opts_asan_2.pcap pgm_opts_asan_2.out -v
vtp_asan vtp_asan.pcap vtp_asan.out -v

# RTP tests
# fuzzed pcap
Expand Down
6 changes: 6 additions & 0 deletions tests/vtp_asan.out
@@ -0,0 +1,6 @@
FRF.16 Frag, seq 193, Flags [Begin, End], UI 08! VTPv69, Message Subset advertisement (0x02), length 2126400013
Domain name: , Seq number: 0[|vtp]
[|mfr]
[|mfr]
[|mfr]
[|mfr]
Binary file added tests/vtp_asan.pcap
Binary file not shown.

0 comments on commit c5dd7be

Please sign in to comment.