CVE-2017-13046/BGP: fix an existing bounds check for PMSI Tunnel

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
infrastation committed Aug 3, 2017
1 parent 3b36ec4 commit d10a0f980fe8f9407ab1ffbd612641433ebe175e
Showing with 13 additions and 1 deletion.
  1. +1 −1 print-bgp.c
  2. +1 −0 tests/TESTLIST
  3. +11 −0 tests/bgp_pmsi_tunnel-oobr.out
  4. BIN tests/bgp_pmsi_tunnel-oobr.pcap
@@ -2123,11 +2123,11 @@ bgp_attr_print(netdissect_options *ndo,
{
uint8_t tunnel_type, flags;

ND_TCHECK2(tptr[0], 5);
tunnel_type = *(tptr+1);
flags = *tptr;
tlen = len;

ND_TCHECK2(tptr[0], 5);
ND_PRINT((ndo, "\n\t Tunnel-type %s (%u), Flags [%s], MPLS Label %u",
tok2str(bgp_pmsi_tunnel_values, "Unknown", tunnel_type),
tunnel_type,
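Review bot: the ND_TCHECK2(tptr[0], 5) ahead of the tunnel_type and flags reads only guarantees that 5 bytes are present in the captured data; nothing in this block compares the attribute's own length (len, copied into tlen) against those 5 bytes. The expected output added in this commit has a PMSI Tunnel attribute with length: 1, so on a capture that is not cut short, the flags, tunnel type and MPLS label would be decoded from bytes that belong to whatever follows the attribute. Consider rejecting len < 5 before the first read and reporting it as an invalid attribute length rather than letting it surface as [|BGP] truncation.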
@@ -563,6 +563,7 @@ hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1
# Same comments apply to the case below.
hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1
vqp-oobr vqp-oobr.pcap vqp-oobr.out -v -c1
bgp_pmsi_tunnel-oobr bgp_pmsi_tunnel-oobr.pcap bgp_pmsi_tunnel-oobr.out -v -c1

# bad packets from Katie Holly
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
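Review bot: the bgp_pmsi_tunnel-oobr entry passes -v -c1, so only the first packet of the capture is decoded and compared against the .out file. If the reporter's capture contains further packets, they are not exercised; either confirm that packet 1 is the one that triggers the over-read or drop -c1.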
@@ -0,0 +1,11 @@
IP (tos 0x0, ttl 254, id 40207, offset 0, flags [+, DF, rsvd], proto TCP (6), length 296, bad cksum 8e15 (->3eaa)!)
241.0.32.19.179 > 239.0.0.1.0: Flags [none], seq 2146695561:2146695813, win 56026, options [unknown-161,eol], length 252: BGP
Update Message (2), length: 45
Withdrawn routes: 3 bytes
Attribute Set (128), length: 7, Flags [OTPE+f]:
Origin AS: 4067
Origin (1), length: 1EGP
Unknown Attribute (19), length: 1, Flags [+1]:
no Attribute 19 decoder
0x0000: 01
PMSI Tunnel (22), length: 1, Flags [+1]: [|BGP]
Binary file not shown.
