
CVE-2017-11108/Fix bounds checking for STP.

Check whether the flags are in the captured data before printing them in
an MSTP BPDU.

Check whether V4 length is in the captured data before fetching it.
This fixes a vulnerability discovered by Kamil Frankowicz.

Include a test for the "check whether the V4 length is..." fix, using
the capture supplied by Kamil Frankowicz.
guyharris authored and infrastation committed Feb 3, 2017
1 parent 1bf91b1 commit d9e65de3d94698ec90dbca42962a30dd2f0680e1
Showing with 4 additions and 0 deletions.
  1. +2 −0 print-stp.c
  2. +1 −0 tests/TESTLIST
  3. +1 −0 tests/stp-v4-length-sigsegv.out
  4. BIN tests/stp-v4-length-sigsegv.pcap
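The commit message describes the second fix as "check whether V4 length is in the captured data before fetching it". The following added example (not tcpdump code, and not taken from print-stp.c) models that check in isolation: the 16-bit V4/SPB length sits after an MSTP region whose size comes from the packet itself, so an attacker-chosen MSTP length can push the read far past the captured bytes unless the field's offset is validated against the capture length first. The offset constant, function names and sample frames below are assumptions constructed for illustration; tcpdump's real layout constants and macros are in print-stp.c.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not tcpdump code. It models the "is this field inside
 * the captured data?" check that ND_TCHECK_16BITS performs before
 * EXTRACT_16BITS reads the v4 (SPB) length that follows the MSTP region.
 * The offset below is an assumption for illustration only. */
#define V3_LEN_OFFSET 36   /* assumed: 16-bit MSTP (v3) length after the fixed header */

enum { STP_TRUNCATED = 0, STP_OK = 1 };

/* Big-endian 16-bit read, the same job EXTRACT_16BITS does. */
static uint16_t get_be16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* The TCHECK idiom, done on offsets rather than pointers so that a huge
 * packet-supplied length can never form a pointer past the buffer. */
static int field_in_capture(size_t off, size_t len, size_t caplen) {
    return off <= caplen && len <= caplen - off;
}

/* Fetch the v4 length safely. Returns STP_OK and stores spb_len (value + 2,
 * mirroring the hunk's "spb_len += 2"), or STP_TRUNCATED without touching
 * any byte at or beyond caplen. */
int stp_v4_length(const uint8_t *pkt, size_t caplen, size_t *spb_len) {
    /* The MSTP length itself must be in the capture. */
    if (!field_in_capture(V3_LEN_OFFSET, 2, caplen))
        return STP_TRUNCATED;
    size_t mstp_len = (size_t)get_be16(pkt + V3_LEN_OFFSET) + 2;

    /* The check the fix adds: the v4 length field follows the MSTP region,
     * and mstp_len is attacker-controlled. Without this test the unchecked
     * read below is the out-of-bounds access. */
    size_t v4_off = V3_LEN_OFFSET + mstp_len;
    if (!field_in_capture(v4_off, 2, caplen))
        return STP_TRUNCATED;
    *spb_len = (size_t)get_be16(pkt + v4_off) + 2;
    return STP_OK;
}

/* Constructed sample: 40 captured bytes, v3 length 0, v4 length 0x0010. */
int demo_well_formed(size_t *spb_len) {
    uint8_t pkt[40] = {0};
    pkt[38] = 0x00; pkt[39] = 0x10;
    return stp_v4_length(pkt, sizeof pkt, spb_len);
}

/* Constructed sample: same frame, but the capture stops after 38 bytes, so
 * the v4 length field is not in the capture; an unchecked fetch would read
 * two bytes past the end. */
int demo_truncated(size_t *spb_len) {
    uint8_t pkt[40] = {0};
    pkt[38] = 0x00; pkt[39] = 0x10;
    return stp_v4_length(pkt, 38, spb_len);
}

/* Constructed sample: v3 length 0xFFFF places the v4 length about 64 KiB
 * past a 40-byte capture; the offset arithmetic rejects it before any read. */
int demo_huge_mstp_len(size_t *spb_len) {
    uint8_t pkt[40] = {0};
    pkt[36] = 0xFF; pkt[37] = 0xFF;
    return stp_v4_length(pkt, sizeof pkt, spb_len);
}

int main(void) {
    size_t n = 0;
    printf("well-formed: %d (spb_len %zu)\n", demo_well_formed(&n), n);
    printf("truncated:   %d\n", demo_truncated(&n));
    printf("huge v3 len: %d\n", demo_huge_mstp_len(&n));
    return 0;
}
```

The three sample frames exercise the well-formed path, the exact truncation the fix targets, and the fuzzer-style case where a large packet-supplied length is used to compute the field offset; the check is made on offsets against caplen so the rejection happens before any pointer past the buffer is formed.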
@@ -256,6 +256,7 @@ stp_print_mstp_bpdu(netdissect_options *ndo, const struct stp_bpdu_ *stp_bpdu,
return 1;
}

ND_TCHECK(stp_bpdu->flags);
ND_PRINT((ndo, "\n\tport-role %s, ",
tok2str(rstp_obj_port_role_values, "Unknown",
RSTP_EXTRACT_PORT_ROLE(stp_bpdu->flags))));
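Review bot: ND_TCHECK(stp_bpdu->flags) jumps to a `trunc` label on failure, and this hunk does not show one inside stp_print_mstp_bpdu; since the file diff is +2 −0 and both additions are TCHECK lines, the label must already exist in the function, but that should be confirmed rather than assumed, because a missing label is a compile error and a wrong one is a silent fall-through. Note also that the rendered page has dropped the `+` markers, so only the `ND_TCHECK(stp_bpdu->flags);` line is new here; the check covers just the flags byte, which is the only field the following tok2str/RSTP_EXTRACT_PORT_ROLE print reads, so it is sufficient for that print but does not protect anything printed after it.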
@@ -475,6 +476,7 @@ stp_print(netdissect_options *ndo, const u_char *p, u_int length)
if (stp_bpdu->protocol_version == STP_PROTO_SPB)
{
/* Validate v4 length */
ND_TCHECK_16BITS(p + MST_BPDU_VER3_LEN_OFFSET + mstp_len);
spb_len = EXTRACT_16BITS (p + MST_BPDU_VER3_LEN_OFFSET + mstp_len);
spb_len += 2;
if (length < (sizeof(struct stp_bpdu_) + mstp_len + spb_len) ||
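Review bot: the `ND_TCHECK_16BITS(p + MST_BPDU_VER3_LEN_OFFSET + mstp_len)` guard is the right fix for the unchecked EXTRACT_16BITS that follows, but it works by comparing a pointer already offset by the packet-supplied `mstp_len`, so the out-of-range pointer is formed before it is tested; tcpdump uses this idiom everywhere, and it is what the snapend comparison expects, but an offset-based check (`MST_BPDU_VER3_LEN_OFFSET + mstp_len + 2 <= caplen`) would avoid forming a pointer past the buffer at all. The existing `if (length < (sizeof(struct stp_bpdu_) + mstp_len + spb_len) ||` line below validates against the on-wire `length`, not the captured length, which is why it did not prevent the crash; both checks are needed and the new one correctly comes first.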
@@ -438,6 +438,7 @@ snmp-heapoverflow-1 snmp-heapoverflow-1.pcap snmp-heapoverflow-1.out
snmp-heapoverflow-2 snmp-heapoverflow-2.pcap snmp-heapoverflow-2.out
isoclns-heapoverflow-2 isoclns-heapoverflow-2.pcap isoclns-heapoverflow-2.out -e -c1
isoclns-heapoverflow-3 isoclns-heapoverflow-3.pcap isoclns-heapoverflow-3.out -e -c1
stp-v4-length-sigsegv stp-v4-length-sigsegv.pcap stp-v4-length-sigsegv.out

# RTP tests
# fuzzed pcap
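Review bot: the new `stp-v4-length-sigsegv` entry passes no options, unlike the neighbouring isoclns entries that use `-e -c1`, so the .out must have been generated with default options; worth double-checking that the committed .out was produced the same way the test harness will run it. Per the commit message this capture covers only the V4-length fix; there is no test for the flags ND_TCHECK added in stp_print_mstp_bpdu, so a second capture truncated at the MSTP flags field would give that hunk regression coverage too.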
@@ -0,0 +1 @@
STP 802.1aq, Rapid STP, CIST Flags [Learn, Forward], length 808464415[|stp 808464415]
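Review bot: the trailing `[|stp 808464415]` is the truncation marker emitted from the `trunc` path, so this expected output asserts that the new check fires and the dissector returns cleanly instead of crashing; that is the right oracle for a sigsegv regression test. The large length value comes straight from the fuzzed capture, so any later change to how the truncation marker or the length is printed will require regenerating this .out.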
Binary file not shown.
