
Commit d97e942

(for 4.9.3) CVE-2018-14464/LMP: Add a missing bounds check
In lmp_print_data_link_subobjs(). This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
1 parent a152aeb commit d97e942

4 files changed

+39
-4
lines changed

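--- a/print-lmp.c
+++ b/print-lmp.c
@@ -399,6 +399,7 @@ lmp_print_data_link_subobjs(netdissect_options *ndo, const u_char *obj_tptr,
 "Unknown",
 EXTRACT_8BITS(obj_tptr + offset + 3)),
 EXTRACT_8BITS(obj_tptr + offset + 3)));
+ND_TCHECK_32BITS(obj_tptr + offset + 4);
 bw.i = EXTRACT_32BITS(obj_tptr+offset+4);
 ND_PRINT((ndo, "\n\t Min Reservable Bandwidth: %.3f Mbps",
 bw.f*8/1000000));
@@ -419,6 +420,8 @@ lmp_print_data_link_subobjs(netdissect_options *ndo, const u_char *obj_tptr,
 offset+=subobj_len;
 }
 return (hexdump);
+trunc:
+return -1;
 }
 
 void
@@ -429,7 +432,7 @@ lmp_print(netdissect_options *ndo,
 const struct lmp_object_header *lmp_obj_header;
 const u_char *tptr,*obj_tptr;
 u_int tlen,lmp_obj_len,lmp_obj_ctype,obj_tlen;
-int hexdump;
+int hexdump, ret;
 u_int offset;
 u_int link_type;
 
@@ -731,7 +734,10 @@ lmp_print(netdissect_options *ndo,
 ipaddr_string(ndo, obj_tptr+8),
 EXTRACT_32BITS(obj_tptr+8)));
 
-if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12))
+ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12);
+if (ret == -1)
+goto trunc;
+if (ret == TRUE)
 hexdump=TRUE;
 break;
 
@@ -751,7 +757,10 @@ lmp_print(netdissect_options *ndo,
 ip6addr_string(ndo, obj_tptr+20),
 EXTRACT_32BITS(obj_tptr+20)));
 
-if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 36, 36))
+ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 36, 36);
+if (ret == -1)
+goto trunc;
+if (ret == TRUE)
 hexdump=TRUE;
 break;
 
@@ -771,7 +780,10 @@ lmp_print(netdissect_options *ndo,
 EXTRACT_32BITS(obj_tptr+8),
 EXTRACT_32BITS(obj_tptr+8)));
 
-if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12))
+ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12);
+if (ret == -1)
+goto trunc;
+if (ret == TRUE)
 hexdump=TRUE;
 break;
 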
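Review bot: The new `ND_TCHECK_32BITS(obj_tptr + offset + 4)` only bounds the read against the end of the captured data (the new test output reports "packet exceeded snapshot"), not against the subobject's own declared length, so a subobject that announces Length 4 as in the test is still read 8 bytes past its end whenever enough capture follows — that is no longer a memory-safety bug, but the printed bandwidth then comes from the next subobject's bytes. A check of the parsed subobject length against the 12 bytes this case consumes, before the switch (the loop and length parsing sit above the first hunk), would reject such a subobject rather than rely on snapend. The function now also returns -1 for truncation in addition to TRUE/FALSE for hexdump, and that tri-state contract is undocumented; the declaration (outside the hunk) should carry `/* Returns TRUE if the caller should hexdump the object, FALSE otherwise, or -1 if the packet was truncated (caller must goto trunc). */`. The `goto trunc` targets in lmp_print refer to a label that is not within these hunks; presumably it already exists in the enclosing function.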

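--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -560,6 +560,7 @@ vrrp-vrrp_print-oobr vrrp-vrrp_print-oobr.pcap vrrp-vrrp_print-oobr.out -v -c3
 vrrp-vrrp_print-oobr-2 vrrp-vrrp_print-oobr-2.pcap vrrp-vrrp_print-oobr-2.out -v
 bgp-bgp_capabilities_print-oobr-1 bgp-bgp_capabilities_print-oobr-1.pcap bgp-bgp_capabilities_print-oobr-1.out -v -c1
 bgp-bgp_capabilities_print-oobr-2 bgp-bgp_capabilities_print-oobr-2.pcap bgp-bgp_capabilities_print-oobr-2.out -v -c1
+lmp-lmp_print_data_link_subobjs-oobr lmp-lmp_print_data_link_subobjs-oobr.pcap lmp-lmp_print_data_link_subobjs-oobr.out -v -c2
 # The .pcap file is truncated after the 1st packet.
 hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1
 hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1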

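--- /dev/null
+++ b/tests/lmp-lmp_print_data_link_subobjs-oobr.out
@@ -0,0 +1,22 @@
+IP (tos 0xfd,ECT(1), ttl 254, id 45839, offset 0, flags [+, DF, rsvd], proto UDP (17), length 56871, bad cksum fe07 (->ddf0)!)
+17.8.8.255.701 > 40.184.42.8.12:
+LMPv1, msg-type: unknown, type: 249, Flags: [none], length: 212
+Data Link Object (12), Class-Type: Unnumbered (3) Flags: [non-negotiable], length: 20
+Flags: [none]
+Local Interface ID: 2435832538 (0x912fdada)
+Remote Interface ID: 3657433088 (0xda000000)
+Subobject, Type: Interface Switching Type (1), Length: 4
+Switching Type: Unknown (0)
+Encoding Type: Unknown (0)
+packet exceeded snapshot
+IP (tos 0xfd,ECT(1), ttl 254, id 45839, offset 0, flags [+, DF, rsvd], proto UDP (17), length 56871, bad cksum fe07 (->ddf0)!)
+17.8.8.255.701 > 40.184.42.8.12:
+LMPv1, msg-type: unknown, type: 249, Flags: [none], length: 212
+Data Link Object (12), Class-Type: Unnumbered (3) Flags: [non-negotiable], length: 20
+Flags: [none]
+Local Interface ID: 2435832538 (0x912fdada)
+Remote Interface ID: 3657433088 (0xda000000)
+Subobject, Type: Interface Switching Type (1), Length: 4
+Switching Type: Unknown (0)
+Encoding Type: Unknown (0)
+packet exceeded snapshot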

Diff for: tests/lmp-lmp_print_data_link_subobjs-oobr.pcap

11.3 KB
Binary file not shown.
