Commit c6e0531

guyharris authored and infrastation committed
CVE-2017-12899/DECnet: Fix bounds checking.

If we're skipping over padding before the *real* flags, check whether the real flags are in the captured data before fetching it. This fixes a buffer over-read discovered by Kamil Frankowicz.

Note one place where we don't need to do bounds checking as it's already been done.

Add a test using the capture file supplied by the reporter(s).

1 parent 19d25dd commit c6e0531

4 files changed

+7
-0
lines changed

Diff for: print-decnet.c

+2
@@ -542,6 +542,7 @@ decnet_print(netdissect_options *ndo,
542542
length -= padlen;
543543
caplen -= padlen;
544544
rhp = (const union routehdr *)&(ap[sizeof(short)]);
545+
ND_TCHECK(rhp->rh_short.sh_flags);
545546
mflags = EXTRACT_LE_8BITS(rhp->rh_short.sh_flags);
546547
}
547548
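
Review bot: The `ND_TCHECK(rhp->rh_short.sh_flags);` added at line 545 guards only the one-byte flags fetch, while the `length -= padlen;` and `caplen -= padlen;` adjustments just above it are not guarded by anything in this hunk. If `padlen` is validated against the captured length earlier in decnet_print, a short comment saying so would match the one added in print_decnet_ctlmsg. If it is not, those subtractions need a check before this point, since a `padlen` larger than `caplen` would leave `caplen` wrong for every later comparison.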

@@ -613,6 +614,7 @@ print_decnet_ctlmsg(netdissect_options *ndo,
613614
register const union routehdr *rhp, u_int length,
614615
u_int caplen)
615616
{
617+
/* Our caller has already checked for mflags */
616618
int mflags = EXTRACT_LE_8BITS(rhp->rh_short.sh_flags);
617619
register const union controlmsg *cmp = (const union controlmsg *)rhp;
618620
int src, dst, info, blksize, eco, ueco, hello, other, vers;
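
Review bot: The comment added at line 617 says the caller has checked for `mflags`, but `mflags` is the local initialized on the next line; what the caller checked is `rhp->rh_short.sh_flags`, and the comment should name that field. It also records an invariant that nothing here enforces: the first hunk adds the `ND_TCHECK` only on the padding path, so the comment holds only if the non-padding path in decnet_print does its own check, which these lines do not show. Naming the caller in the comment would make it clear that any future second caller of print_decnet_ctlmsg is not covered.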

Diff for: tests/TESTLIST

+1
@@ -444,6 +444,7 @@ hoobr_safeputs hoobr_safeputs.pcap hoobr_safeputs.out
444444
isakmp-rfc3948-oobr isakmp-rfc3948-oobr.pcap isakmp-rfc3948-oobr.out
445445
isoclns-oobr isoclns-oobr.pcap isoclns-oobr.out
446446
nfs-attr-oobr nfs-attr-oobr.pcap nfs-attr-oobr.out
447+
decnet-oobr decnet-oobr.pcap decnet-oobr.out
447448

448449
# bad packets from Wilfried Kirsch
449450
slip-bad-direction slip-bad-direction.pcap slip-bad-direction.out -ve
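
Review bot: The new `decnet-oobr` entry at line 447 carries no attribution, whereas the following group is introduced with `# bad packets from Wilfried Kirsch`. The commit message credits Kamil Frankowicz for the discovery, so unless the group this entry joins is already labelled above the lines shown, add a matching comment line.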

Diff for: tests/decnet-oobr.out

+4
@@ -0,0 +1,4 @@
1+
30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
2+
0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
3+
0x0010: 3030 3030 0000
4+
MEDSA 16.6:48: [|decnet]
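
Review bot: Only line 4 of the expected output, `MEDSA 16.6:48: [|decnet]`, shows the DECnet printer being reached; lines 1 to 3 are an `ethertype Unknown (0x3030)` frame and its hex dump. The `[|decnet]` marker shows that truncation is reported, but not that it came from the `ND_TCHECK` added in the padding branch, so it would help to say in the commit message or beside the TESTLIST entry that this capture takes the padding path.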

Diff for: tests/decnet-oobr.pcap

214 Bytes
Binary file not shown.