
Commit d750527

committed
(for 4.9.3) CVE-2018-14882/ICMP6 RPL: Add a missing bounds check
Moreover: Add and use *_tstr[] strings. Update four test outputs accordingly. Fix a space. Wang Junjie of 360 ESG Codesafe Team had independently identified this vulnerability in 2018 by means of fuzzing and provided the packet capture file for the test.
1 parent e01c9bf commit d750527

8 files changed

+23
-16
lines changed

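--- a/print-icmp6.c
+++ b/print-icmp6.c
@@ -41,6 +41,10 @@
 #include "udp.h"
 #include "ah.h"
 
+static const char icmp6_tstr[] = " [|icmp6]";
+static const char rpl_tstr[] = " [|rpl]";
+static const char mldv2_tstr[] = " [|mldv2]";
+
 /* NetBSD: icmp6.h,v 1.13 2000/08/03 16:30:37 itojun Exp */
 /* $KAME: icmp6.h,v 1.22 2000/08/03 15:25:16 jinmei Exp $ */
 
@@ -683,10 +687,11 @@ rpl_dio_printopt(netdissect_options *ndo,
 }
 opt = (const struct rpl_dio_genoption *)(((const char *)opt) + optlen);
 length -= optlen;
+ND_TCHECK(opt->rpl_dio_len);
 }
 return;
 trunc:
-ND_PRINT((ndo," [|truncated]"));
+ND_PRINT((ndo, "%s", rpl_tstr));
 return;
 }
 
@@ -715,7 +720,7 @@ rpl_dio_print(netdissect_options *ndo,
 }
 return;
 trunc:
-ND_PRINT((ndo," [|truncated]"));
+ND_PRINT((ndo, "%s", rpl_tstr));
 return;
 }
 
@@ -756,7 +761,7 @@ rpl_dao_print(netdissect_options *ndo,
 return;
 
 trunc:
-ND_PRINT((ndo," [|truncated]"));
+ND_PRINT((ndo, "%s", rpl_tstr));
 return;
 
 tooshort:
@@ -800,7 +805,7 @@ rpl_daoack_print(netdissect_options *ndo,
 return;
 
 trunc:
-ND_PRINT((ndo," [|dao-truncated]"));
+ND_PRINT((ndo, "%s", rpl_tstr));
 return;
 
 tooshort:
@@ -859,7 +864,7 @@ rpl_print(netdissect_options *ndo,
 
 #if 0
 trunc:
-ND_PRINT((ndo," [|truncated]"));
+ND_PRINT((ndo, "%s", rpl_tstr));
 return;
 #endif
 
@@ -1157,7 +1162,7 @@ icmp6_print(netdissect_options *ndo,
 ND_PRINT((ndo,", length %u", length));
 return;
 trunc:
-ND_PRINT((ndo, "[|icmp6]"));
+ND_PRINT((ndo, "%s", icmp6_tstr));
 }
 
 static const struct udphdr *
@@ -1381,8 +1386,8 @@ icmp6_opt_print(netdissect_options *ndo, const u_char *bp, int resid)
 }
 return;
 
-trunc:
-ND_PRINT((ndo, "[ndp opt]"));
+trunc:
+ND_PRINT((ndo, "%s", icmp6_tstr));
 return;
 #undef ECHECK
 }
@@ -1457,7 +1462,7 @@ mldv2_report_print(netdissect_options *ndo, const u_char *bp, u_int len)
 }
 return;
 trunc:
-ND_PRINT((ndo,"[|icmp6]"));
+ND_PRINT((ndo, "%s", mldv2_tstr));
 return;
 }
 
@@ -1523,7 +1528,7 @@ mldv2_query_print(netdissect_options *ndo, const u_char *bp, u_int len)
 ND_PRINT((ndo,"]"));
 return;
 trunc:
-ND_PRINT((ndo,"[|icmp6]"));
+ND_PRINT((ndo, "%s", mldv2_tstr));
 return;
 }
 
@@ -1810,7 +1815,7 @@ icmp6_nodeinfo_print(netdissect_options *ndo, u_int icmp6len, const u_char *bp,
 return;
 
 trunc:
-ND_PRINT((ndo, "[|icmp6]"));
+ND_PRINT((ndo, "%s", icmp6_tstr));
 }
 
 static void
@@ -1945,7 +1950,7 @@ icmp6_rrenum_print(netdissect_options *ndo, const u_char *bp, const u_char *ep)
 return;
 
 trunc:
-ND_PRINT((ndo,"[|icmp6]"));
+ND_PRINT((ndo, "%s", icmp6_tstr));
 }
 
 /*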
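Review bot: The new `ND_TCHECK(opt->rpl_dio_len);` at line 690 of rpl_dio_printopt runs unconditionally after the pointer advance, so a well-formed packet whose last option is a 1-byte pad0 (no length byte) now takes the trunc path — this commit's own updates to rpl-19-pickdag.out and rpl-19-pickdagvvv.out show the final `opt:pad0` being replaced by ` [|rpl]`. The bounds check is what fixes the over-read, but it is stricter than the option format: checking only the type byte here and deferring the length-byte check to the branch that actually reads it for non-pad options would keep the fix without misreporting valid captures as truncated. The loop header and the option dispatch of rpl_dio_printopt lie outside the hunk, so whether the type byte is already covered by a check there needs confirming; a comment such as `/* the next option header may lie past the captured data; check before the loop dereferences it */` would explain why the check sits after the advance rather than at the top of the loop.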

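--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -598,6 +598,7 @@ babel_update_oobr babel_update_oobr.pcap babel_update_oobr.out -c 52
 
 # bad packets from Junjie Wang
 ospf6_print_lshdr-oobr ospf6_print_lshdr-oobr.pcapng ospf6_print_lshdr-oobr.out -vv -c15
+rpl-dao-oobr rpl-dao-oobr.pcapng rpl-dao-oobr.out -vv -c1
 
 # RTP tests
 # fuzzed pcap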

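--- a/tests/icmp6_mobileprefix_asan.out
+++ b/tests/icmp6_mobileprefix_asan.out
@@ -1,2 +1,2 @@
-IP6 (class 0x50, flowlabel 0x0002c, hlim 0, next-header ICMPv6 (58) payload length: 7168) 4f:f829:c:1a1a:1a1a:1a1a:1a37:0 > 16:0:400:0:64fb:9303:f293:8200: ICMP6, mobile router advertisement, length 7168, id 0x9393[|icmp6]
+IP6 (class 0x50, flowlabel 0x0002c, hlim 0, next-header ICMPv6 (58) payload length: 7168) 4f:f829:c:1a1a:1a1a:1a1a:1a37:0 > 16:0:400:0:64fb:9303:f293:8200: ICMP6, mobile router advertisement, length 7168, id 0x9393 [|icmp6]
 [|ether]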

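--- a/tests/icmp6_nodeinfo_oobr.out
+++ b/tests/icmp6_nodeinfo_oobr.out
@@ -1 +1 @@
-IP6 a072:7f00:1:7f00:1:e01a:17:6785 > c903::a002:8018:fe30:0:204: ICMP6, who-are-you reply[|icmp6], length 4
+IP6 a072:7f00:1:7f00:1:e01a:17:6785 > c903::a002:8018:fe30:0:204: ICMP6, who-are-you reply [|icmp6], length 4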

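--- a/tests/rpl-19-pickdag.out
+++ b/tests/rpl-19-pickdag.out
@@ -1 +1 @@
-IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56) fe80::216:3eff:fe11:3424 > fe80::216:3eff:fe11:3424: [icmp6 sum ok] ICMP6, RPL, (CLR)Destination Advertisement Object [dagid:5431::,seq:10,instance:42,Dagid,40] opt:rpltarget len:25 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0
+IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56) fe80::216:3eff:fe11:3424 > fe80::216:3eff:fe11:3424: [icmp6 sum ok] ICMP6, RPL, (CLR)Destination Advertisement Object [dagid:5431::,seq:10,instance:42,Dagid,40] opt:rpltarget len:25 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 [|rpl]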

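--- a/tests/rpl-19-pickdagvvv.out
+++ b/tests/rpl-19-pickdagvvv.out
@@ -1 +1 @@
-IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56) fe80::216:3eff:fe11:3424 > fe80::216:3eff:fe11:3424: [icmp6 sum ok] ICMP6, RPL, (CLR)Destination Advertisement Object [dagid:5431::,seq:10,instance:42,Dagid,40] opt:rpltarget len:25 0x0000: 0080 2001 0db8 0001 0000 0216 3eff fe11 0x0010: 3424 0000 0000 00 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0
+IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56) fe80::216:3eff:fe11:3424 > fe80::216:3eff:fe11:3424: [icmp6 sum ok] ICMP6, RPL, (CLR)Destination Advertisement Object [dagid:5431::,seq:10,instance:42,Dagid,40] opt:rpltarget len:25 0x0000: 0080 2001 0db8 0001 0000 0216 3eff fe11 0x0010: 3424 0000 0000 00 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 [|rpl]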

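--- /dev/null
+++ b/tests/rpl-dao-oobr.out
@@ -0,0 +1 @@
+IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56) fe80::216:3eff:fe11:3424 > fe80::216:3eff:fe11:3424: ICMP6, RPL, (CLR)Destination Advertisement Object [dagid:<elided>,seq:0,instance:42,00] opt:subopt:13 len:2 opt:subopt:128 len:15 opt:subopt:13 len:15 [|rpl]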

Diff for: tests/rpl-dao-oobr.pcapng

264 Bytes
Binary file not shown.
