Skip to content

Commit e6511cc

Browse files
committed
CVE-2017-13054/LLDP: add a missing length check
In lldp_private_8023_print() the case block for subtype 4 (Maximum Frame Size TLV, IEEE 802.3bc-2009 Section 79.3.4) did not include the length check and could over-read the input buffer, put it right. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
1 parent 83c64fc commit e6511cc

File tree

4 files changed

+8
-0
lines changed

4 files changed

+8
-0
lines changed

Diff for: print-lldp.c

+3
Original file line numberDiff line numberDiff line change
@@ -898,6 +898,9 @@ lldp_private_8023_print(netdissect_options *ndo,
898898
break;
899899

900900
case LLDP_PRIVATE_8023_SUBTYPE_MTU:
901+
if (tlv_len < 6) {
902+
return hexdump;
903+
}
901904
ND_PRINT((ndo, "\n\t MTU size %u", EXTRACT_16BITS(tptr + 4)));
902905
break;
903906

Diff for: tests/TESTLIST

+1
Original file line numberDiff line numberDiff line change
@@ -571,6 +571,7 @@ rsvp_uni-oobr-1 rsvp_uni-oobr-1.pcap rsvp_uni-oobr-1.out -v -c1
571571
rsvp_uni-oobr-2 rsvp_uni-oobr-2.pcap rsvp_uni-oobr-2.out -v -c1
572572
rsvp_uni-oobr-3 rsvp_uni-oobr-3.pcap rsvp_uni-oobr-3.out -v -c3
573573
rpki-rtr-oob rpki-rtr-oob.pcap rpki-rtr-oob.out -v -c1
574+
lldp_8023_mtu-oobr lldp_8023_mtu-oobr.pcap lldp_8023_mtu-oobr.out -v -c1
574575

575576
# bad packets from Katie Holly
576577
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out

Diff for: tests/lldp_8023_mtu-oobr.out

+4
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
LLDP, length 4293194266
2+
Organization specific TLV (127), length 4: OUI IEEE 802.3 Private (0x00120f)
3+
Max frame size Subtype (4)
4+
[|LLDP]

Diff for: tests/lldp_8023_mtu-oobr.pcap

147 Bytes
Binary file not shown.

0 commit comments

Comments
 (0)