
Commit eee0b04

guyharrisinfrastation
authored andcommitted
CVE-2017-13022/IP: Add bounds checks to ip_printroute().
This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
1 parent 67c7126 commit eee0b04

4 files changed

+13
-3
lines changed


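--- a/print-ip.c
+++ b/print-ip.c
@@ -54,7 +54,7 @@ static const struct tok ip_option_values[] = {
 /*
 * print the recorded route in an IP RR, LSRR or SSRR option.
 */
-static void
+static int
 ip_printroute(netdissect_options *ndo,
 register const u_char *cp, u_int length)
 {
@@ -63,19 +63,25 @@ ip_printroute(netdissect_options *ndo,
 
 if (length < 3) {
 ND_PRINT((ndo, " [bad length %u]", length));
-return;
+return (0);
 }
 if ((length + 1) & 3)
 ND_PRINT((ndo, " [bad length %u]", length));
+ND_TCHECK(cp[2]);
 ptr = cp[2] - 1;
 if (ptr < 3 || ((ptr + 1) & 3) || ptr > length + 1)
 ND_PRINT((ndo, " [bad ptr %u]", cp[2]));
 
 for (len = 3; len < length; len += 4) {
+ND_TCHECK2(cp[len], 4);
 ND_PRINT((ndo, " %s", ipaddr_string(ndo, &cp[len])));
 if (ptr > len)
 ND_PRINT((ndo, ","));
 }
+return (0);
+
+trunc:
+return (-1);
 }
 
 /*
@@ -278,7 +284,8 @@ ip_optprint(netdissect_options *ndo,
 case IPOPT_RR: /* fall through */
 case IPOPT_SSRR:
 case IPOPT_LSRR:
-ip_printroute(ndo, cp, option_len);
+if (ip_printroute(ndo, cp, option_len) == -1)
+goto trunc;
 break;
 
 case IPOPT_RA: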
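Review bot: The header comment above ip_printroute still reads as if it were a void printer, but the function now returns a status and expects its caller to jump to a truncation label; that contract belongs in the comment, e.g. `* Returns 0 on success, -1 if the option data runs past the captured packet (caller should handle truncation).`. The added ND_TCHECK2(cp[len], 4) bounds each address read against the captured data only, not against the option's own length: when length is not 3 mod 4 (the `[bad length]` case the new test exercises) the final iteration still reads up to three bytes beyond the option into whatever follows it, which may be intended but depends on how ip_optprint derives option_len, outside this hunk. The `trunc:` label in ip_optprint that the new `goto trunc` targets is also outside the hunk, so its existence is assumed here.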

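--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -523,6 +523,7 @@ pgm_opts_asan pgm_opts_asan.pcap pgm_opts_asan.out -v
 pgm_opts_asan_2 pgm_opts_asan_2.pcap pgm_opts_asan_2.out -v
 vtp_asan vtp_asan.pcap vtp_asan.out -v
 icmp6_mobileprefix_asan icmp6_mobileprefix_asan.pcap icmp6_mobileprefix_asan.out -v
+ip_printroute_asan ip_printroute_asan.pcap ip_printroute_asan.out -v
 
 # RTP tests
 # fuzzed pcap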

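--- a/tests/ip_printroute_asan.out
+++ b/tests/ip_printroute_asan.out
@@ -0,0 +1,2 @@
+IP (tos 0x0, ttl 254, id 25615, offset 65480, flags [DF, rsvd], proto UDP (17), length 32768, options (LSRR [bad length 25] [bad ptr 15] 103.103.103.0, 0.172.0.116, 0.16.36.36, 16.0.36.2 14.9.36.4[|ip]))
+251.73.86.0 > 0.172.128.5: ip-proto-17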

Diff for: tests/ip_printroute_asan.pcap

100 Bytes
Binary file not shown.
