CVE-2017-13007/PKTAP: Pass a properly updated struct pcap_pkthdr to the sub-dissector.

The sub-dissector expects that the length and captured length will
reflect the actual remaining data in the packet, not the raw amount
including the PKTAP header; pass an updated header, just as we do for
PPI.

This fixes a buffer over-read discovered by Yannick Formaggio.

Add a test using the capture file supplied by the reporter(s).
guyharris authored and infrastation committed Sep 13, 2017
1 parent cc4a739 commit ca33619
Showing 4 changed files with 9 additions and 1 deletion.
6 changes: 5 additions & 1 deletion print-pktap.c
@@ -104,6 +104,7 @@ pktap_if_print(netdissect_options *ndo,
u_int length = h->len;
if_printer printer;
const pktap_header_t *hdr;
struct pcap_pkthdr nhdr;

if (caplen < sizeof(pktap_header_t) || length < sizeof(pktap_header_t)) {
ND_PRINT((ndo, "[|pktap]"));
@@ -144,7 +145,10 @@ pktap_if_print(netdissect_options *ndo,

case PKT_REC_PACKET:
if ((printer = lookup_printer(dlt)) != NULL) {
hdrlen += printer(ndo, h, p);
nhdr = *h;
nhdr.caplen = caplen;
nhdr.len = length;
hdrlen += printer(ndo, &nhdr, p);
} else {
if (!ndo->ndo_eflag)
pktap_header_print(ndo, (const u_char *)hdr,
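Review bot: the fix itself is right, but the invariant it relies on is not stated anywhere near `nhdr = *h;`: the local `caplen` and `length` must already have been reduced by the PKTAP header so that the sub-printer's bounds checks see only the bytes that remain after it, which is exactly the mismatch the commit message describes (the old call passed `h`, whose `caplen`/`len` still counted the PKTAP header, so a sub-printer trusting them could read past the buffer). A one-line comment such as `/* caplen/length exclude the PKTAP header; give the sub-printer a header that matches p */` would save future readers from re-deriving that. Copying `*h` first also carries `ts` through unchanged, which matches how the PPI path is described as doing it; worth noting in the same comment that only `caplen` and `len` are overridden.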
1 change: 1 addition & 0 deletions tests/TESTLIST
@@ -502,6 +502,7 @@ juniper_es juniper_es.pcap juniper_es.out -vvv -e

# bad packets from Yannick Formaggio
l2tp-avp-overflow l2tp-avp-overflow.pcap l2tp-avp-overflow.out -v
pktap-heap-overflow pktap-heap-overflow.pcap pktap-heap-overflow.out -v

# RTP tests
# fuzzed pcap
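Review bot: the new test is filed under the existing "bad packets from Yannick Formaggio" group, which is the right place, but its name (`pktap-heap-overflow`) disagrees with the commit message, which calls the bug a buffer over-read; since the `.pcap`/`.out` file names are fixed once merged, consider naming the test for what the fix addresses (for example `pktap-over-read`) or keeping the name and stating in the commit message that "heap overflow" is the reporter's label for the same over-read.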
3 changes: 3 additions & 0 deletions tests/pktap-heap-overflow.out
@@ -0,0 +1,3 @@
[|pktap]
[|ppp]
EXIT CODE 00000100
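Review bot: the expected output pins both the truncation markers (`[|pktap]`, then `[|ppp]` from the sub-printer) and a non-zero exit status (`EXIT CODE 00000100`, a wait status corresponding to exit code 1), so the test encodes the current behaviour on the reporter's capture rather than a clean decode. That is fine as a regression test, but the reviewer should confirm that the exit status comes from the capture file being truncated at end of data and not from the printer aborting, since a later change that alters either the printed lines or the exit status will fail this test without saying which of the two regressed; with a sanitizer build, the original over-read would have shown up as an abort here, which is a useful thing to record in the commit message.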
Binary file added tests/pktap-heap-overflow.pcap
