
Commit da6f1a6

guyharris authored and infrastation committed
CVE-2017-13034/PGM: Add a bounds check.

This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.

Move a return to make the code a bit cleaner (i.e., make it more obvious that if we don't have enough of the PGM header, we just print the source and destination IP addresses, mark it as incomplete PGM, and don't try to look at the PGM header).
1 parent fe5ad99 commit da6f1a6

4 files changed, +5 -2 lines changed


Diff for: print-pgm.c

+2 -2
Original file line number | Diff line number | Diff line change
@@ -169,13 +169,12 @@ pgm_print(netdissect_options *ndo,
169169
ND_PRINT((ndo, "%s > %s: [|pgm]",
170170
ip6addr_string(ndo, &ip6->ip6_src),
171171
ip6addr_string(ndo, &ip6->ip6_dst)));
172-
return;
173172
} else {
174173
ND_PRINT((ndo, "%s > %s: [|pgm]",
175174
ipaddr_string(ndo, &ip->ip_src),
176175
ipaddr_string(ndo, &ip->ip_dst)));
177-
return;
178176
}
177+
return;
179178
}
180179

181180
sport = EXTRACT_16BITS(&pgm->pgm_sport);
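Review bot: The hoisted return; after the if/else has no comment in the visible lines saying why the function stops here; the only in-code hint is the [|pgm] marker inside the two ND_PRINT calls. A one-line comment above the return, saying that not enough of the PGM header is available and only the addresses are printed, would carry the intent of the commit message into the code. The two branches now differ only in ip6addr_string versus ipaddr_string, so what matters for safety is that this return stays ahead of sport = EXTRACT_16BITS(&pgm->pgm_sport).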
@@ -362,6 +361,7 @@ pgm_print(netdissect_options *ndo,
362361
* and stopping if we don't have enough.
363362
*/
364363
bp += (2 * sizeof(uint16_t));
364+
ND_TCHECK_16BITS(bp);
365365
switch (EXTRACT_16BITS(bp)) {
366366
case AFNUM_INET:
367367
ND_TCHECK2(*bp, sizeof(struct in_addr));
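Review bot: In the switch that follows the new check, case AFNUM_INET runs ND_TCHECK2(*bp, sizeof(struct in_addr)) from the same bp that switch (EXTRACT_16BITS(bp)) has just read as the address family, with no advance in between in the visible lines; please confirm bp is meant to still point there. The placement of ND_TCHECK_16BITS(bp) itself is right: it comes after bp += (2 * sizeof(uint16_t)) and immediately before the two-byte read, so it covers exactly the bytes the switch extracts. The comment above already said "stopping if we don't have enough" before this check existed, so a short mention that the address-family read is now checked too would keep it accurate.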

Diff for: tests/TESTLIST

+1
Original file line number | Diff line number | Diff line change
@@ -522,6 +522,7 @@ dhcp6_reconf_asan dhcp6_reconf_asan.pcap dhcp6_reconf_asan.out -v
522522
pgm_opts_asan pgm_opts_asan.pcap pgm_opts_asan.out -v
523523
pgm_opts_asan_2 pgm_opts_asan_2.pcap pgm_opts_asan_2.out -v
524524
pgm_opts_asan_3 pgm_opts_asan_3.pcap pgm_opts_asan_3.out -v
525+
pgm_group_addr_asan pgm_group_addr_asan.pcap pgm_group_addr_asan.out -v
525526
vtp_asan vtp_asan.pcap vtp_asan.out -v
526527
vtp_asan-2 vtp_asan-2.pcap vtp_asan-2.out -v
527528
vtp_asan-3 vtp_asan-3.pcap vtp_asan-3.out -v

Diff for: tests/pgm_group_addr_asan.out

+2
Original file line number | Diff line number | Diff line change
@@ -0,0 +1,2 @@
1+
IP (tos 0x41,ECT(1), id 40256, offset 0, flags [none], proto PGM (113), length 768, options (unknown 89 [bad length 232]), bad cksum 5959 (->5afd)!)
2+
89.121.89.107 > 89.89.89.89: 89.121.89.107.32322 > 89.89.89.89.500: PGM, length 24818 0x00ff7f010347 [|pgm]
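Review bot: The expected output pins the whole IP header line (tos, id, the unknown option with bad length, "bad cksum 5959 (->5afd)!") as well as the PGM line, so unrelated changes to IP printing will also change this file. The part that exercises the fix is the second line ending in "0x00ff7f010347 [|pgm]", which shows the dissector stopping with the truncation marker; it is worth stating that in the commit message so a later refresh of this .out file is checked against that ending.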

Diff for: tests/pgm_group_addr_asan.pcap

111 Bytes
Binary file not shown.
