Skip to content
Permalink
Browse files

CVE-2017-13054/LLDP: add a missing length check

In lldp_private_8023_print() the case block for subtype 4 (Maximum Frame
Size TLV, IEEE 802.3bc-2009 Section 79.3.4) did not include the length
check and could over-read the input buffer, put it right.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
  • Loading branch information...
infrastation committed Aug 9, 2017
1 parent 83c64fc commit e6511cc1a950fe1566b2236329d6b4bd0826cc7a
Showing with 8 additions and 0 deletions.
  1. +3 −0 print-lldp.c
  2. +1 −0 tests/TESTLIST
  3. +4 −0 tests/lldp_8023_mtu-oobr.out
  4. BIN tests/lldp_8023_mtu-oobr.pcap
@@ -898,6 +898,9 @@ lldp_private_8023_print(netdissect_options *ndo,
break;

case LLDP_PRIVATE_8023_SUBTYPE_MTU:
if (tlv_len < 6) {
return hexdump;
}
ND_PRINT((ndo, "\n\t MTU size %u", EXTRACT_16BITS(tptr + 4)));
break;

@@ -571,6 +571,7 @@ rsvp_uni-oobr-1 rsvp_uni-oobr-1.pcap rsvp_uni-oobr-1.out -v -c1
rsvp_uni-oobr-2 rsvp_uni-oobr-2.pcap rsvp_uni-oobr-2.out -v -c1
rsvp_uni-oobr-3 rsvp_uni-oobr-3.pcap rsvp_uni-oobr-3.out -v -c3
rpki-rtr-oob rpki-rtr-oob.pcap rpki-rtr-oob.out -v -c1
lldp_8023_mtu-oobr lldp_8023_mtu-oobr.pcap lldp_8023_mtu-oobr.out -v -c1

# bad packets from Katie Holly
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
@@ -0,0 +1,4 @@
LLDP, length 4293194266
Organization specific TLV (127), length 4: OUI IEEE 802.3 Private (0x00120f)
Max frame size Subtype (4)
[|LLDP]
Binary file not shown.

0 comments on commit e6511cc

Please sign in to comment.
You can’t perform that action at this time.