
Commit ca33619

guyharris authored and infrastation committed
CVE-2017-13007/PKTAP: Pass a properly updated struct pcap_pkthdr to the sub-dissector.
The sub-dissector expects that the length and captured length will reflect the actual remaining data in the packet, not the raw amount including the PKTAP header; pass an updated header, just as we do for PPI. This fixes a buffer over-read discovered by Yannick Formaggio. Add a test using the capture file supplied by the reporter(s).
1 parent cc4a739 commit ca33619

4 files changed (+9, -1 lines)

Diff for: print-pktap.c

+5-1
Original file line numberDiff line numberDiff line change
@@ -104,6 +104,7 @@ pktap_if_print(netdissect_options *ndo,
104104
u_int length = h->len;
105105
if_printer printer;
106106
const pktap_header_t *hdr;
107+
struct pcap_pkthdr nhdr;
107108

108109
if (caplen < sizeof(pktap_header_t) || length < sizeof(pktap_header_t)) {
109110
ND_PRINT((ndo, "[|pktap]"));
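Review bot: the new `struct pcap_pkthdr nhdr;` declaration at the top of pktap_if_print() is assigned only on the PKT_REC_PACKET path later in the function; consider declaring it inside that case block, or adding a one-line comment at the declaration, so its scope matches its single use and a later edit cannot read it before `nhdr = *h;` has run.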
@@ -144,7 +145,10 @@ pktap_if_print(netdissect_options *ndo,
144145

145146
case PKT_REC_PACKET:
146147
if ((printer = lookup_printer(dlt)) != NULL) {
147-
hdrlen += printer(ndo, h, p);
148+
nhdr = *h;
149+
nhdr.caplen = caplen;
150+
nhdr.len = length;
151+
hdrlen += printer(ndo, &nhdr, p);
148152
} else {
149153
if (!ndo->ndo_eflag)
150154
pktap_header_print(ndo, (const u_char *)hdr,
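Review bot: the correctness of `nhdr.caplen = caplen;` / `nhdr.len = length;` depends on `caplen` and `length` having already been reduced by the PKTAP header size, and `p` advanced past it, before the `switch`; that code sits between the two hunks and is not visible here, so verify it and add a short comment above `nhdr = *h;` stating the invariant (caplen/len describe the bytes starting at `p`). With that invariant the struct copy is the right shape: the timestamp fields come along from `*h`, and the sub-dissector's bounds checks now see the real remaining length instead of the original frame length that let it read past the buffer.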

Diff for: tests/TESTLIST

+1
@@ -502,6 +502,7 @@ juniper_es juniper_es.pcap juniper_es.out -vvv -e
502502

503503
# bad packets from Yannick Formaggio
504504
l2tp-avp-overflow l2tp-avp-overflow.pcap l2tp-avp-overflow.out -v
505+
pktap-heap-overflow pktap-heap-overflow.pcap pktap-heap-overflow.out -v
505506

506507
# RTP tests
507508
# fuzzed pcap
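Review bot: the new `pktap-heap-overflow` entry is grouped under the existing "# bad packets from Yannick Formaggio" comment with the same `-v` options as its `l2tp-avp-overflow` neighbour, which is consistent; just confirm the three file names in the entry match the added `tests/pktap-heap-overflow.pcap` and `tests/pktap-heap-overflow.out` exactly, since the harness looks them up by name.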

Diff for: tests/pktap-heap-overflow.out

+3
@@ -0,0 +1,3 @@
1+
[|pktap]
2+
[|ppp]
3+
EXIT CODE 00000100
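Review bot: the expected output ends with `EXIT CODE 00000100`, i.e. tcpdump exits non-zero on this capture, so the test only passes if the harness records the exit status as part of the compared output rather than treating a non-zero exit as a failure; worth confirming before merge. The `[|ppp]` line is the actual regression evidence: with the corrected header the PPP printer sees the reduced captured length and truncates cleanly instead of reading past the buffer.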

Diff for: tests/pktap-heap-overflow.pcap

3.14 KB
Binary file not shown.
