Commit d10a0f9

CVE-2017-13046/BGP: fix an existing bounds check for PMSI Tunnel
This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
1 parent 3b36ec4 commit d10a0f9

4 files changed, +13 -1 lines changed


Diff for: print-bgp.c

+1-1
@@ -2123,11 +2123,11 @@ bgp_attr_print(netdissect_options *ndo,
21232123
{
21242124
uint8_t tunnel_type, flags;
21252125

2126+
ND_TCHECK2(tptr[0], 5);
21262127
tunnel_type = *(tptr+1);
21272128
flags = *tptr;
21282129
tlen = len;
21292130

2130-
ND_TCHECK2(tptr[0], 5);
21312131
ND_PRINT((ndo, "\n\t Tunnel-type %s (%u), Flags [%s], MPLS Label %u",
21322132
tok2str(bgp_pmsi_tunnel_values, "Unknown", tunnel_type),
21332133
tunnel_type,
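
Review bot: ND_TCHECK2(tptr[0], 5) at new line 2126 only confirms that 5 bytes are present in the captured data; nothing in this hunk compares the attribute's own length against 5, and tlen = len is still taken as given at line 2129. The expected output added in this commit shows a PMSI Tunnel attribute with length: 1, so a packet declaring the same length but carrying more captured bytes would pass this check and have its fields decoded from data beyond the end of the attribute. Consider treating len < 5 as a malformed attribute before the fields are read, and add a short comment saying what the 5 bytes cover (flags, tunnel type, and the MPLS label printed below).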

Diff for: tests/TESTLIST

+1
@@ -563,6 +563,7 @@ hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1
563563
# Same comments apply to the case below.
564564
hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1
565565
vqp-oobr vqp-oobr.pcap vqp-oobr.out -v -c1
566+
bgp_pmsi_tunnel-oobr bgp_pmsi_tunnel-oobr.pcap bgp_pmsi_tunnel-oobr.out -v -c1
566567

567568
# bad packets from Katie Holly
568569
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
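
Review bot: the new bgp_pmsi_tunnel-oobr entry at line 566 is appended directly under vqp-oobr with no comment, while the next group is labelled with its source ("# bad packets from Katie Holly"). The commit message credits Bhargava Shastry for the capture; a one-line comment naming the reporter and CVE-2017-13046 above the entry would make it traceable from TESTLIST alone.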

Diff for: tests/bgp_pmsi_tunnel-oobr.out

+11
@@ -0,0 +1,11 @@
1+
IP (tos 0x0, ttl 254, id 40207, offset 0, flags [+, DF, rsvd], proto TCP (6), length 296, bad cksum 8e15 (->3eaa)!)
2+
241.0.32.19.179 > 239.0.0.1.0: Flags [none], seq 2146695561:2146695813, win 56026, options [unknown-161,eol], length 252: BGP
3+
Update Message (2), length: 45
4+
Withdrawn routes: 3 bytes
5+
Attribute Set (128), length: 7, Flags [OTPE+f]:
6+
Origin AS: 4067
7+
Origin (1), length: 1EGP
8+
Unknown Attribute (19), length: 1, Flags [+1]:
9+
no Attribute 19 decoder
10+
0x0000: 01
11+
PMSI Tunnel (22), length: 1, Flags [+1]: [|BGP]
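
Review bot: line 7 of the expected output reads "Origin (1), length: 1EGP", with no separator between the length and the decoded value, so this file freezes a formatting quirk of the attribute printer that is unrelated to the PMSI Tunnel fix. Any later cleanup of that output will require regenerating this .out file. The part that matters for this change is line 11, where the PMSI Tunnel attribute with length: 1 ends in [|BGP]; note that this only exercises the case where the capture itself is short, not the case where the attribute length is below 5 but 5 bytes are still available.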

Diff for: tests/bgp_pmsi_tunnel-oobr.pcap

968 Bytes
Binary file not shown.
