Skip to content
Permalink
Browse files Browse the repository at this point in the history
CVE-2017-13054/LLDP: add a missing length check
In lldp_private_8023_print() the case block for subtype 4 (Maximum Frame
Size TLV, IEEE 802.3bc-2009 Section 79.3.4) did not include the length
check and could over-read the input buffer, put it right.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
  • Loading branch information
infrastation committed Sep 13, 2017
1 parent 83c64fc commit e6511cc
Show file tree
Hide file tree
Showing 4 changed files with 8 additions and 0 deletions.
3 changes: 3 additions & 0 deletions print-lldp.c
Expand Up @@ -898,6 +898,9 @@ lldp_private_8023_print(netdissect_options *ndo,
break;

case LLDP_PRIVATE_8023_SUBTYPE_MTU:
if (tlv_len < 6) {
return hexdump;
}
ND_PRINT((ndo, "\n\t MTU size %u", EXTRACT_16BITS(tptr + 4)));
break;

Expand Down
1 change: 1 addition & 0 deletions tests/TESTLIST
Expand Up @@ -571,6 +571,7 @@ rsvp_uni-oobr-1 rsvp_uni-oobr-1.pcap rsvp_uni-oobr-1.out -v -c1
rsvp_uni-oobr-2 rsvp_uni-oobr-2.pcap rsvp_uni-oobr-2.out -v -c1
rsvp_uni-oobr-3 rsvp_uni-oobr-3.pcap rsvp_uni-oobr-3.out -v -c3
rpki-rtr-oob rpki-rtr-oob.pcap rpki-rtr-oob.out -v -c1
lldp_8023_mtu-oobr lldp_8023_mtu-oobr.pcap lldp_8023_mtu-oobr.out -v -c1

# bad packets from Katie Holly
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
Expand Down
4 changes: 4 additions & 0 deletions tests/lldp_8023_mtu-oobr.out
@@ -0,0 +1,4 @@
LLDP, length 4293194266
Organization specific TLV (127), length 4: OUI IEEE 802.3 Private (0x00120f)
Max frame size Subtype (4)
[|LLDP]
Binary file added tests/lldp_8023_mtu-oobr.pcap
Binary file not shown.

0 comments on commit e6511cc

Please sign in to comment.