
Commit db24063

guyharrisinfrastation
authored andcommitted
CVE-2017-12989/RESP: Make sure resp_get_length() advances the pointer for invalid lengths.
Make sure that it always sets *endp before returning and that, for invalid lengths where we don't like a character in the length string, what it sets *endp to is past the character in question, so we don't run the risk of infinitely looping (or doing something else random) if a character in the length is invalid. This fixes an infinite loop discovered by Forcepoint's security researchers Otto Airamo & Antti Levomäki. Add a test using the capture file supplied by the reporter(s).
1 parent 2ecb9d2 commit db24063

4 files changed

+14
-3
lines changed


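--- a/print-resp.c
+++ b/print-resp.c
@@ -481,8 +481,10 @@ resp_get_length(netdissect_options *ndo, register const u_char *bp, int len, con
 ND_TCHECK(*bp);
 c = *bp;
 if (!(c >= '0' && c <= '9')) {
-if (!saw_digit)
+if (!saw_digit) {
+bp++;
 goto invalid;
+}
 break;
 }
 c -= '0';
@@ -510,15 +512,19 @@ resp_get_length(netdissect_options *ndo, register const u_char *bp, int len, con
 if (len == 0)
 goto trunc;
 ND_TCHECK(*bp);
-if (*bp != '\r')
+if (*bp != '\r') {
+bp++;
 goto invalid;
+}
 bp++;
 len--;
 if (len == 0)
 goto trunc;
 ND_TCHECK(*bp);
-if (*bp != '\n')
+if (*bp != '\n') {
+bp++;
 goto invalid;
+}
 bp++;
 len--;
 *endp = bp;
@@ -531,8 +537,10 @@ resp_get_length(netdissect_options *ndo, register const u_char *bp, int len, con
 return (too_large ? -3 : result);
 
 trunc:
+*endp = bp;
 return (-2);
 
 invalid:
+*endp = bp;
 return (-5);
 }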
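Review bot: The invariant this fix introduces — that on the `invalid` path *endp points past the byte that was rejected, so a caller can never re-parse the same position — is not stated anywhere in the hunk, and it is exactly the property that stops the reported infinite loop; a comment at the `invalid:` label such as `/* *endp must point past the rejected byte; callers rely on this to make progress. */` would keep a future edit from removing one of the new `bp++` lines. Each added `bp++` sits after an `ND_TCHECK(*bp)`, so it steps at most one byte past a bounds-checked position, which is consistent with how the existing `'\r'`/`'\n'` consumption already advances. Note that `len` is not decremented alongside the new `bp++` lines; that is harmless if the caller derives the remaining length from *endp, but that cannot be confirmed from this hunk. resp_get_length's signature and the start of the digit loop are outside the hunk.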

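--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -468,6 +468,7 @@ zephyr-oobr zephyr-oobr.pcap zephyr-oobr.out -vvv -e
 bgp-as-path-oobr bgp-as-path-oobr.pcap bgp-as-path-oobr.out -vvv -e
 isakmp-no-none-np isakmp-no-none-np.pcap isakmp-no-none-np.out -vvv -e
 telnet-iac-check-oobr telnet-iac-check-oobr.pcap telnet-iac-check-oobr.out -vvv -e
+resp_4_infiniteloop resp_4_infiniteloop.pcap resp_4_infiniteloop.out -vvv -e
 
 # RTP tests
 # fuzzed pcap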

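--- /dev/null
+++ b/tests/resp_4_infiniteloop.out
@@ -0,0 +1,2 @@
+00:50:56:b4:08:69 > 00:50:56:b4:4c:2a, ethertype IPv4 (0x0800), length 920: (tos 0x0, ttl 64, id 27576, offset 0, flags [DF], proto TCP (6), length 906)
+172.16.8.77.33926 > 172.16.8.149.6379: Flags [P.], cksum 0xa129 (incorrect -> 0xaaa0), seq 3839414413:3839415267, ack 2526552240, win 229, options [nop,nop,TS val 2407226 ecr 24894817], length 854: RESP length negative and not -1 invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid "4" "EVAL" invalid invalid invalid invalid "GKMbNZq^@0" "stuubt.pack('<ivdMFG4294967245',^V ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''319', 2',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',', '-1494241318543828858')'L')N))'r')')~D')')E)')')')')')')')'l')')')')')'M-`'o')')'Pp)U)" invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid invalid "1" [|RESP]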

Diff for: tests/resp_4_infiniteloop.pcap

1.01 KB
Binary file not shown.
