
CVE-2017-13014/White Board: Do more bounds checks.

This fixes a buffer over-read discovered by Yannick Formaggio.

Add a test using the capture file supplied by the reporter(s).

While we're at it, print a truncation error if the packets are
truncated, rather than just, in effect, ignoring the result of the
routines that print particular packet types.
guyharris authored and infrastation committed Mar 16, 2017
1 parent 13ab8d1 commit cc356512f512e7fa423b3674db4bb31dbe40ffec
Showing with 26 additions and 2 deletions.
  1. +7 −2 print-wb.c
  2. +1 −0 tests/TESTLIST
  3. +18 −0 tests/wb-oobr.out
  4. BIN tests/wb-oobr.pcap
@@ -263,9 +263,8 @@ wb_prep(netdissect_options *ndo,
const u_char *ep = ndo->ndo_snapend;

ND_PRINT((ndo, " wb-prep:"));
if (len < sizeof(*prep)) {
if (len < sizeof(*prep) || !ND_TTEST(*prep))
return (-1);
}
n = EXTRACT_32BITS(&prep->pp_n);
ps = (const struct pgstate *)(prep + 1);
while (--n >= 0 && ND_TTEST(*ps)) {
@@ -419,31 +418,37 @@ wb_print(netdissect_options *ndo,
case PT_ID:
if (wb_id(ndo, (const struct pkt_id *)(ph + 1), len) >= 0)
return;
ND_PRINT((ndo, "%s", tstr));
break;

case PT_RREQ:
if (wb_rreq(ndo, (const struct pkt_rreq *)(ph + 1), len) >= 0)
return;
ND_PRINT((ndo, "%s", tstr));
break;

case PT_RREP:
if (wb_rrep(ndo, (const struct pkt_rrep *)(ph + 1), len) >= 0)
return;
ND_PRINT((ndo, "%s", tstr));
break;

case PT_DRAWOP:
if (wb_drawop(ndo, (const struct pkt_dop *)(ph + 1), len) >= 0)
return;
ND_PRINT((ndo, "%s", tstr));
break;

case PT_PREQ:
if (wb_preq(ndo, (const struct pkt_preq *)(ph + 1), len) >= 0)
return;
ND_PRINT((ndo, "%s", tstr));
break;

case PT_PREP:
if (wb_prep(ndo, (const struct pkt_prep *)(ph + 1), len) >= 0)
return;
ND_PRINT((ndo, "%s", tstr));
break;

default:
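Review bot: The combined guard in wb_prep, `if (len < sizeof(*prep) || !ND_TTEST(*prep)) return (-1);`, reports two different conditions through the same return value, and the PT_PREP case in wb_print answers both with the truncation marker `tstr`, so a packet whose declared length is too short for the header is labelled as truncated even when every byte was captured. Keeping the two tests separate would let the length failure be reported as a malformed packet and leave only the ND_TTEST failure on the truncation path. The loop that follows is bounded by the packet-supplied `n` and `ND_TTEST(*ps)` rather than by `len`; its body lies outside the hunk, so whether each per-entry read is also checked cannot be confirmed from here. A comment above the guard such as `/* header must fit in both the declared length and the captured bytes */` would record why both tests are needed.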
@@ -506,6 +506,7 @@ juniper_es juniper_es.pcap juniper_es.out -vvv -e
# bad packets from Yannick Formaggio
l2tp-avp-overflow l2tp-avp-overflow.pcap l2tp-avp-overflow.out -v
pktap-heap-overflow pktap-heap-overflow.pcap pktap-heap-overflow.out -v
wb-oobr wb-oobr.pcap wb-oobr.out -v

# bad packets from Bhargava Shastry
lldp_asan lldp_asan.pcap lldp_asan.out -v
@@ -0,0 +1,18 @@
MPLS (label 197376, exp 7, [S], ttl 48)
IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->7754)!)
48.4.4.4.4400 > 127.0.0.1.3503:
packet exceeded snapshot
IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->699d)!)
48.48.48.48.3503 > 48.48.48.48.4567: * wb-prep:[|wb]
MPLS (label 197376, exp 7, [S], ttl 48)
IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->699d)!)
48.48.48.48.4400 > 48.48.48.48.3503:
packet exceeded snapshot
IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->c624)!)
48.48.0.1.3503 > 48.4.4.4.4567: * wb-prep:[|wb]
MPLS (label 197376, exp 7, [S], ttl 48)
IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->7754)!)
48.4.4.4.4400 > 127.0.0.1.3503:
packet exceeded snapshot
IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->c624)!)
48.48.0.1.3503 > 48.4.4.4.4567: * wb-prep:[|wb]
BIN +396 Bytes tests/wb-oobr.pcap
Binary file not shown.
