
CVE-2017-13002/AODV: Add some missing bounds checks.

In aodv_extension() do a bounds check on the extension header before we
look at it.

This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by the reporter(s).

While we're at it, add the RFC number, and check the validity of the
length for the Hello extension.
guyharris authored and infrastation committed Feb 19, 2017
1 parent 7a92344 commit cbddb98484ea8ec1deece351abd56e063d775b38
Showing with 11 additions and 1 deletion.
  1. +8 −1 print-aodv.c
  2. +1 −0 tests/TESTLIST
  3. +2 −0 tests/hoobr_aodv_extension.out
  4. BIN tests/hoobr_aodv_extension.pcap
@@ -42,7 +42,9 @@
#include "addrtoname.h"
#include "extract.h"


/*
* RFC 3561
*/
struct aodv_rreq {
uint8_t rreq_type; /* AODV message type (1) */
uint8_t rreq_flags; /* various flags */
@@ -178,12 +180,17 @@ aodv_extension(netdissect_options *ndo,
{
const struct aodv_hello *ah;

ND_TCHECK(*ep);
switch (ep->type) {
case AODV_EXT_HELLO:
ah = (const struct aodv_hello *)(const void *)ep;
ND_TCHECK(*ah);
if (length < sizeof(struct aodv_hello))
goto trunc;
if (ep->length < 4) {
ND_PRINT((ndo, "\n\text HELLO - bad length %u", ep->length));
break;
}
ND_PRINT((ndo, "\n\text HELLO %ld ms",
(unsigned long)EXTRACT_32BITS(&ah->interval)));
break;
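Review bot: The HELLO print on the last two lines of the hunk passes an `unsigned long` argument to a `%ld` conversion; the cast and the format disagree, which is undefined behavior under the C standard even though common platforms print the same digits, so the format should become `"\n\text HELLO %lu ms"` (or the cast should become `(long)` to match). The new `ep->length < 4` check rejects only an undersized Hello extension and lets a longer one through, which is reasonable since only the 4-byte interval is read, but a comment such as `/* Hello extension (RFC 3561) carries a 4-byte interval; a longer extension is tolerated */` would record that this is deliberate rather than an oversight. The `trunc` label and any remaining cases of the switch in aodv_extension lie outside the hunk.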
@@ -459,6 +459,7 @@ hoobr_chdlc_print hoobr_chdlc_print.pcap hoobr_chdlc_print.out
hoobr_lookup_nsap hoobr_lookup_nsap.pcap hoobr_lookup_nsap.out
hoobr_rt6_print hoobr_rt6_print.pcap hoobr_rt6_print.out
hoobr_nfs_printfh hoobr_nfs_printfh.pcap hoobr_nfs_printfh.out
hoobr_aodv_extension hoobr_aodv_extension.pcap hoobr_aodv_extension.out

# bad packets from Wilfried Kirsch
slip-bad-direction slip-bad-direction.pcap slip-bad-direction.out -ve
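--- /dev/null
+++ b/tests/hoobr_aodv_extension.out
@@ -0,0 +1,2 @@
+IP 48.48.48.48.654 > 48.48.48.48.12336: aodv rrep 12308 prefix 16 hops 48
+dst 48.48.48.48 dseq 808464432 src 48.48.48.48 808464432 ms [|hello]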
