
Commit e01c9bf

(for 4.9.3) CVE-2018-14880/OSPFv3: Fix a bounds check
Need to test bounds check for the last field of the structure lsa6_hdr. No need to test other fields. Include Security working under the Mozilla SOS program had independently identified this vulnerability in 2018 by means of code audit. Wang Junjie of 360 ESG Codesafe Team had independently identified this vulnerability in 2018 by means of fuzzing and provided the packet capture file for the test.
1 parent 5e0aca0 commit e01c9bf

File tree

4 files changed

+63
-2
lines changed


Diff for: print-ospf6.c

+1-2
@@ -389,8 +389,7 @@ ospf6_print_lshdr(netdissect_options *ndo,
389389
{
390390
if ((const u_char *)(lshp + 1) > dataend)
391391
goto trunc;
392-
ND_TCHECK(lshp->ls_type);
393-
ND_TCHECK(lshp->ls_seq);
392+
ND_TCHECK(lshp->ls_length); /* last field of struct lsa6_hdr */
394393

395394
ND_PRINT((ndo, "\n\t Advertising Router %s, seq 0x%08x, age %us, length %u",
396395
ipaddr_string(ndo, &lshp->ls_router),
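Review bot: the new check is right, but its sufficiency rests on field order that the comment only hints at. ND_TCHECK tests just the bytes of its argument against the end of the captured data, so the old ND_TCHECK(lshp->ls_type) and ND_TCHECK(lshp->ls_seq) left ls_length, which the ND_PRINT at line 395 reads for "length %u", uncovered; that is the over-read being fixed. ND_TCHECK(lshp->ls_length) covers every earlier member only because the buffer is contiguous and ls_length is the final member of struct lsa6_hdr, and if a member is ever appended the comment goes stale silently. ND_TCHECK(*lshp), which tests sizeof(*lshp) bytes starting at lshp, states that intent directly and does not depend on which field happens to be last. The `(const u_char *)(lshp + 1) > dataend` test on line 390 is not redundant with either form: dataend is derived from the length the packet declares, whereas ND_TCHECK bounds against the snapshot actually captured, and a crafted packet can satisfy one without the other.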

Diff for: tests/TESTLIST

+3
@@ -596,6 +596,9 @@ icmp6_nodeinfo_oobr icmp6_nodeinfo_oobr.pcap icmp6_nodeinfo_oobr.out
596596
rx_ubik-oobr rx_ubik-oobr.pcap rx_ubik-oobr.out -c1
597597
babel_update_oobr babel_update_oobr.pcap babel_update_oobr.out -c 52
598598

599+
# bad packets from Junjie Wang
600+
ospf6_print_lshdr-oobr ospf6_print_lshdr-oobr.pcapng ospf6_print_lshdr-oobr.out -vv -c15
601+
599602
# RTP tests
600603
# fuzzed pcap
601604
rtp-seg-fault-1 rtp-seg-fault-1.pcap rtp-seg-fault-1.out -v -T rtp
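Review bot: two small consistency points on the new entry. The count is written as `-c15` while the neighbouring babel_update_oobr line uses `-c 52`; both forms work, but one style makes the file easier to grep. The value itself matches the expected output, which contains 15 packets, so the run stops exactly at the last crafted frame rather than at end of file, and the count has to move if frames are ever appended to the capture. The credit comment says "Junjie Wang" while the commit message writes "Wang Junjie of 360 ESG Codesafe Team"; pick one spelling so the name is found when someone searches for it later.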

Diff for: tests/ospf6_print_lshdr-oobr.out

+59
@@ -0,0 +1,59 @@
1+
IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 36) fe80::1 > ff02::5: OSPFv3, Hello, length 36
2+
Router-ID 1.1.1.1, Area 0.0.0.1
3+
Options [V6, External, Router]
4+
Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
5+
Neighbor List:
6+
IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 36) fe80::1 > ff02::5: OSPFv3, Hello, length 36
7+
Router-ID 1.1.1.1, Area 0.0.0.1
8+
Options [V6, External, Router]
9+
Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
10+
Neighbor List:
11+
IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 36) fe80::1 > ff02::5: OSPFv3, Hello, length 36
12+
Router-ID 1.1.1.1, Area 0.0.0.1
13+
Options [V6, External, Router]
14+
Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
15+
Neighbor List:
16+
IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 36) fe80::1 > ff02::5: OSPFv3, Hello, length 36
17+
Router-ID 1.1.1.1, Area 0.0.0.1
18+
Options [V6, External, Router]
19+
Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
20+
Neighbor List:
21+
IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 36) fe80::2 > ff02::5: OSPFv3, Hello, length 36
22+
Router-ID 2.2.2.2, Area 0.0.0.1
23+
Options [V6, External, Router]
24+
Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
25+
Neighbor List:
26+
IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 40) fe80::1 > ff02::5: OSPFv3, Hello, length 40
27+
Router-ID 1.1.1.1, Area 0.0.0.1
28+
Options [V6, External, Router]
29+
Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
30+
Designated Router 1.1.1.1
31+
Neighbor List: [|ospf3]
32+
IP6 (class 0xe0, flowlabel 0x00100, hlim 1, next-header OSPF (89) payload length: 28) fe80::2 > fe80::1: OSPFv3, Database Description, length 28
33+
Router-ID 2.2.2.2, Area 0.0.0.1
34+
Options [V6, External, Router], DD Flags [Init, More, Master], MTU 1500, DD-Sequence 0x00001d46
35+
IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 28) fe80::1 > fe80::2: OSPFv3, Database Description, length 28
36+
Router-ID 1.1.1.1, Area 0.0.0.1
37+
Options [V6, External, Router], DD Flags [Init, More, Master], MTU 1500, DD-Sequence 0x0000242c
38+
IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 168) fe80::1 > fe80::2: OSPFv3, Database Description, length 168
39+
Router-ID 1.1.1.1, Area 0.0.0.1
40+
Options [V6, External, Router], DD Flags [More], MTU 1500, DD-Sequence 0x00001d46 [|ospf3]
41+
IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 148) fe80::2 > fe80::1: OSPFv3, Database Description, length 148
42+
Router-ID 2.2.2.2, Area 0.0.0.1
43+
Options [V6, External, Router], DD Flags [More, Master], MTU 1500, DD-Sequence 0x00001d47 [|ospf3]
44+
IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 28) fe80::1 > fe80::2: OSPFv3, Database Description, length 28
45+
Router-ID 1.1.1.1, Area 0.0.0.1
46+
Options [V6, External, Router], DD Flags [none], MTU 1500, DD-Sequence 0x00001d47
47+
IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 100) fe80::2 > fe80::1: OSPFv3, LS-Request, length 100
48+
Router-ID 2.2.2.2, Area 0.0.0.1
49+
Advertising Router 1.1.1.1
50+
Router LSA (1), Area Local Scope, LSA-ID 0.0.0.0 [|ospf3]
51+
IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 88) fe80::1 > fe80::2: OSPFv3, LS-Request, length 88
52+
Router-ID 1.1.1.1, Area 0.0.0.1
53+
Advertising Router 2.2.2.2
54+
Router LSA (1), Area Local Scope, LSA-ID 0.0.0.0 [|ospf3]
55+
IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 28) fe80::2 > fe80::1: OSPFv3, Database Description, length 28
56+
Router-ID 2.2.2.2, Area 0.0.0.1
57+
Options [V6, External, Router], DD Flags [Master], MTU 1500, DD-Sequence 0x00001d48
58+
IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 288) fe80::1 > fe80:0:ff:ffff:f000::2: OSPFv3, LS-Update, length 288
59+
Router-ID 1.1.1.1, Area 0.0.0.1 [|ospf3]
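Review bot: the expected output is where the fix is actually pinned down, so it is worth recording which frames exercise it. The 36-byte Hello packets and the 28-byte Database Description packets are ordinary adjacency traffic and print in full; the 40-byte Hello (lines 26 to 31) truncates inside its Neighbor List, which is a separate path from the one being fixed. The two Database Description packets with payload length 168 and 148 (lines 38 to 43) end in [|ospf3] immediately after DD-Sequence, and the LS-Update with payload length 288 (lines 58 to 59) ends in [|ospf3] right after Router-ID and Area: these are the points where ospf6_print_lshdr would emit "Advertising Router ..., seq ..., age ..., length ..." and instead takes the trunc path, i.e. the LSA header runs past the captured data. No line of that shape appears anywhere in the file, so the test asserts only that the dissector bails out cleanly; a one-line comment in TESTLIST naming these frames would keep the test meaningful if the DD or LS-Update code paths are refactored. The "Advertising Router" lines under the two LS-Request packets (lines 49 and 53) lack the seq/age/length fields of the ospf6_print_lshdr format string and come from the request printer, so they should not be read as LSA-header output.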

Diff for: tests/ospf6_print_lshdr-oobr.pcapng

5.36 KB
Binary file not shown.
