
CVE-2017-13007/PKTAP: Pass a properly updated struct pcap_pkthdr to the sub-dissector.

The sub-dissector expects that the length and captured length will
reflect the actual remaining data in the packet, not the raw amount
including the PKTAP header; pass an updated header, just as we do for
PPI.

This fixes a buffer over-read discovered by Yannick Formaggio.

Add a test using the capture file supplied by the reporter(s).
guyharris authored and infrastation committed Mar 6, 2017
1 parent cc4a739 commit ca336198e8bebccc18502de27672fdbd6eb34856
Showing with 9 additions and 1 deletion.
  1. +5 −1 print-pktap.c
  2. +1 −0 tests/TESTLIST
  3. +3 −0 tests/pktap-heap-overflow.out
  4. BIN tests/pktap-heap-overflow.pcap
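As an added illustration, not tcpdump's code, the following stand-alone C model shows the class of bug the commit fixes and the fix itself: an outer dissector strips a fixed-size encapsulation header and either hands the sub-dissector the original packet header (so caplen still counts the bytes already consumed) or a copy whose caplen and len have been reduced by the header size. The sub-dissector reports how many bytes past the real end of the captured data a full read of caplen would reach. The struct pkthdr, OUTER_HDR_LEN and the 32-byte sample capture are constructed for this example and are not tcpdump's definitions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for struct pcap_pkthdr; only the lengths matter here. */
struct pkthdr { uint32_t caplen; uint32_t len; };

#define OUTER_HDR_LEN 8u   /* hypothetical fixed-size encapsulation header */

/* Sub-dissector model: like a tcpdump printer it trusts h->caplen as the number
 * of bytes readable at p. Returns how many bytes a full read of caplen would
 * extend past the real end of the captured data (0 = stays in bounds). */
static size_t inner_dissect(const struct pkthdr *h, const uint8_t *p,
                            const uint8_t *data_end)
{
    size_t available = (size_t)(data_end - p);
    return h->caplen > available ? h->caplen - available : 0;
}

/* Buggy outer dissector: skips its own header but passes the ORIGINAL header,
 * so the sub-dissector still believes the consumed bytes are ahead of it. */
static size_t outer_dissect_buggy(const struct pkthdr *h, const uint8_t *p)
{
    if (h->caplen < OUTER_HDR_LEN || h->len < OUTER_HDR_LEN)
        return 0;                                  /* truncated: "[|pktap]" */
    return inner_dissect(h, p + OUTER_HDR_LEN, p + h->caplen);
}

/* Fixed outer dissector: copy the header and shrink both lengths first, the
 * same pattern the commit applies to print-pktap.c. */
static size_t outer_dissect_fixed(const struct pkthdr *h, const uint8_t *p)
{
    struct pkthdr nhdr;
    if (h->caplen < OUTER_HDR_LEN || h->len < OUTER_HDR_LEN)
        return 0;
    nhdr = *h;                       /* whole-struct copy keeps timestamp etc. */
    nhdr.caplen = h->caplen - OUTER_HDR_LEN;
    nhdr.len = h->len - OUTER_HDR_LEN;
    return inner_dissect(&nhdr, p + OUTER_HDR_LEN, p + h->caplen);
}

/* Runs one variant on a constructed 32-byte capture and returns the over-read
 * in bytes (fixed != 0 selects the corrected dissector). */
size_t demo_overread(int fixed)
{
    static const uint8_t capture[32] = {0};       /* constructed sample packet */
    struct pkthdr h = { sizeof capture, sizeof capture };
    return fixed ? outer_dissect_fixed(&h, capture)
                 : outer_dissect_buggy(&h, capture);
}
```

With the original header the sub-dissector would read OUTER_HDR_LEN bytes past the buffer; with the adjusted copy it stays in bounds.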
@@ -104,6 +104,7 @@ pktap_if_print(netdissect_options *ndo,
u_int length = h->len;
if_printer printer;
const pktap_header_t *hdr;
struct pcap_pkthdr nhdr;

if (caplen < sizeof(pktap_header_t) || length < sizeof(pktap_header_t)) {
ND_PRINT((ndo, "[|pktap]"));
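Review bot: `nhdr` is added here uninitialized, which is only safe because the PKT_REC_PACKET branch later assigns `nhdr = *h;` before touching its fields; since the declaration sits well away from that use, a short comment at the declaration (for example `/* copy of *h with the PKTAP header stripped, for the sub-dissector */`) would help the next reader. The guard right below, `if (caplen < sizeof(pktap_header_t) || length < sizeof(pktap_header_t))`, is what keeps the later length adjustment from underflowing, so it must stay ahead of any use of `nhdr`.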
@@ -144,7 +145,10 @@ pktap_if_print(netdissect_options *ndo,

case PKT_REC_PACKET:
if ((printer = lookup_printer(dlt)) != NULL) {
hdrlen += printer(ndo, h, p);
nhdr = *h;
nhdr.caplen = caplen;
nhdr.len = length;
hdrlen += printer(ndo, &nhdr, p);
} else {
if (!ndo->ndo_eflag)
pktap_header_print(ndo, (const u_char *)hdr,
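Review bot: replacing `hdrlen += printer(ndo, h, p);` with the `nhdr` copy assumes that `caplen` and `length` have already been reduced by the PKTAP header size (and `p` advanced past it) earlier in the function, which this hunk does not show; a comment above `nhdr = *h;` stating that invariant would guard against a future edit that adjusts either value after this point, which would again hand the sub-dissector too large a length. Copying the whole struct before overriding the two lengths is the right approach, since it preserves the timestamp and matches what the PPI printer does, as the commit message notes.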
@@ -502,6 +502,7 @@ juniper_es juniper_es.pcap juniper_es.out -vvv -e

# bad packets from Yannick Formaggio
l2tp-avp-overflow l2tp-avp-overflow.pcap l2tp-avp-overflow.out -v
pktap-heap-overflow pktap-heap-overflow.pcap pktap-heap-overflow.out -v

# RTP tests
# fuzzed pcap
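Review bot: the new test is named `pktap-heap-overflow` while the commit message describes the bug as a buffer over-read; a name consistent with that description, or a brief note in TESTLIST, would help whoever later searches for this fix by its output file. Also, only the `-v` path is exercised; the `ndo_eflag` branch visible in the print-pktap.c hunk (`if (!ndo->ndo_eflag) pktap_header_print(...)`) is not covered, so an `-e` variant of the same capture would be cheap extra coverage.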
@@ -0,0 +1,3 @@
[|pktap]
[|ppp]
EXIT CODE 00000100
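Review bot: the expected output ends with `EXIT CODE 00000100`, so the test pins tcpdump's non-zero exit status on this capture as well as the two truncated-header lines `[|pktap]` and `[|ppp]`; a comment in TESTLIST explaining why the exit is non-zero for this file would keep a future change to tcpdump's exit handling from looking like a regression of the over-read fix.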

0 comments on commit ca33619
