Commit cc35651

guyharrisinfrastation
authored andcommitted
CVE-2017-13014/White Board: Do more bounds checks.
This fixes a buffer over-read discovered by Yannick Formaggio. Add a test using the capture file supplied by the reporter(s). While we're at it, print a truncation error if the packets are truncated, rather than just, in effect, ignoring the result of the routines that print particular packet types.
1 parent 13ab8d1 commit cc35651

4 files changed

+26
-2
lines changed

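--- a/print-wb.c
+++ b/print-wb.c
@@ -263,9 +263,8 @@ wb_prep(netdissect_options *ndo,
 const u_char *ep = ndo->ndo_snapend;
 
 ND_PRINT((ndo, " wb-prep:"));
-if (len < sizeof(*prep)) {
+if (len < sizeof(*prep) || !ND_TTEST(*prep))
 return (-1);
-}
 n = EXTRACT_32BITS(&prep->pp_n);
 ps = (const struct pgstate *)(prep + 1);
 while (--n >= 0 && ND_TTEST(*ps)) {
@@ -419,31 +418,37 @@ wb_print(netdissect_options *ndo,
 case PT_ID:
 if (wb_id(ndo, (const struct pkt_id *)(ph + 1), len) >= 0)
 return;
+ND_PRINT((ndo, "%s", tstr));
 break;
 
 case PT_RREQ:
 if (wb_rreq(ndo, (const struct pkt_rreq *)(ph + 1), len) >= 0)
 return;
+ND_PRINT((ndo, "%s", tstr));
 break;
 
 case PT_RREP:
 if (wb_rrep(ndo, (const struct pkt_rrep *)(ph + 1), len) >= 0)
 return;
+ND_PRINT((ndo, "%s", tstr));
 break;
 
 case PT_DRAWOP:
 if (wb_drawop(ndo, (const struct pkt_dop *)(ph + 1), len) >= 0)
 return;
+ND_PRINT((ndo, "%s", tstr));
 break;
 
 case PT_PREQ:
 if (wb_preq(ndo, (const struct pkt_preq *)(ph + 1), len) >= 0)
 return;
+ND_PRINT((ndo, "%s", tstr));
 break;
 
 case PT_PREP:
 if (wb_prep(ndo, (const struct pkt_prep *)(ph + 1), len) >= 0)
 return;
+ND_PRINT((ndo, "%s", tstr));
 break;
 
 default: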
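Review bot: In wb_prep the combined guard `if (len < sizeof(*prep) || !ND_TTEST(*prep))` returns -1 for two different conditions, a declared length shorter than the fixed header and a header that the capture snapshot cut off, and the new `ND_PRINT((ndo, "%s", tstr));` lines in wb_print then report both the same way (the added test output shows `wb-prep:[|wb]`, presumably the value of tstr). Someone triaging a malformed capture cannot tell a bad length field from snaplen truncation in that output. If a separate message for the short-length case is not wanted, a comment on the guard would at least record the behaviour, for example `/* -1 is printed by wb_print as truncation, whether len is too short or the header was not captured */`. Both wb_prep and wb_print start and end outside the hunks shown, so whether the other wb_* helpers use -1 the same way cannot be checked from here.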

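--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -506,6 +506,7 @@ juniper_es juniper_es.pcap juniper_es.out -vvv -e
 # bad packets from Yannick Formaggio
 l2tp-avp-overflow l2tp-avp-overflow.pcap l2tp-avp-overflow.out -v
 pktap-heap-overflow pktap-heap-overflow.pcap pktap-heap-overflow.out -v
+wb-oobr wb-oobr.pcap wb-oobr.out -v
 
 # bad packets from Bhargava Shastry
 lldp_asan lldp_asan.pcap lldp_asan.out -v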

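--- a/tests/wb-oobr.out
+++ b/tests/wb-oobr.out
@@ -0,0 +1,18 @@
+MPLS (label 197376, exp 7, [S], ttl 48)
+IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->7754)!)
+48.4.4.4.4400 > 127.0.0.1.3503:
+packet exceeded snapshot
+IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->699d)!)
+48.48.48.48.3503 > 48.48.48.48.4567: * wb-prep:[|wb]
+MPLS (label 197376, exp 7, [S], ttl 48)
+IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->699d)!)
+48.48.48.48.4400 > 48.48.48.48.3503:
+packet exceeded snapshot
+IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->c624)!)
+48.48.0.1.3503 > 48.4.4.4.4567: * wb-prep:[|wb]
+MPLS (label 197376, exp 7, [S], ttl 48)
+IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->7754)!)
+48.4.4.4.4400 > 127.0.0.1.3503:
+packet exceeded snapshot
+IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->c624)!)
+48.48.0.1.3503 > 48.4.4.4.4567: * wb-prep:[|wb]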

Diff for: tests/wb-oobr.pcap

396 Bytes
Binary file not shown.
