CVE-2017-13022/IP: Add bounds checks to ip_printroute().
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
guyharris authored and infrastation committed Sep 13, 2017
1 parent 67c7126 commit eee0b04
Showing 4 changed files with 13 additions and 3 deletions.
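--- a/print-ip.c
+++ b/print-ip.c
@@ -54,7 +54,7 @@ static const struct tok ip_option_values[] = {
 /*
 * print the recorded route in an IP RR, LSRR or SSRR option.
 */
-static void
+static int
 ip_printroute(netdissect_options *ndo,
 register const u_char *cp, u_int length)
 {
@@ -63,19 +63,25 @@ ip_printroute(netdissect_options *ndo,
 
 if (length < 3) {
 ND_PRINT((ndo, " [bad length %u]", length));
-return;
+return (0);
 }
 if ((length + 1) & 3)
 ND_PRINT((ndo, " [bad length %u]", length));
+ND_TCHECK(cp[2]);
 ptr = cp[2] - 1;
 if (ptr < 3 || ((ptr + 1) & 3) || ptr > length + 1)
 ND_PRINT((ndo, " [bad ptr %u]", cp[2]));
 
 for (len = 3; len < length; len += 4) {
+ND_TCHECK2(cp[len], 4);
 ND_PRINT((ndo, " %s", ipaddr_string(ndo, &cp[len])));
 if (ptr > len)
 ND_PRINT((ndo, ","));
 }
+return (0);
+
+trunc:
+return (-1);
 }
 
 /*
@@ -278,7 +284,8 @@ ip_optprint(netdissect_options *ndo,
 case IPOPT_RR: /* fall through */
 case IPOPT_SSRR:
 case IPOPT_LSRR:
-ip_printroute(ndo, cp, option_len);
+if (ip_printroute(ndo, cp, option_len) == -1)
+goto trunc;
 break;
 
 case IPOPT_RA: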
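Review bot: In `ip_printroute()` the added `ND_TCHECK2(cp[len], 4)` bounds each read by the captured data only, not by the option's own `length`, so when `(length + 1) & 3` is non-zero the loop still runs and its last iteration can format four bytes that start inside the option and end past it. That is no longer an over-read of the packet buffer, but the final address printed can then include bytes that belong to whatever follows the option; bounding the loop as `for (len = 3; len + 4 <= length; len += 4)` would keep the output inside the option, at the cost of changing the expected output for malformed lengths. The comment above the function should also state the new return contract, for example `returns 0 on success, -1 if the option runs past the captured data`. The declarations of `ptr` and `len` lie between the first two hunks and are not shown, and the `trunc` label that `ip_optprint()` jumps to is outside the third hunk.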
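--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -523,6 +523,7 @@ pgm_opts_asan pgm_opts_asan.pcap pgm_opts_asan.out -v
 pgm_opts_asan_2 pgm_opts_asan_2.pcap pgm_opts_asan_2.out -v
 vtp_asan vtp_asan.pcap vtp_asan.out -v
 icmp6_mobileprefix_asan icmp6_mobileprefix_asan.pcap icmp6_mobileprefix_asan.out -v
+ip_printroute_asan ip_printroute_asan.pcap ip_printroute_asan.out -v
 
 # RTP tests
 # fuzzed pcap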
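--- /dev/null
+++ b/tests/ip_printroute_asan.out
@@ -0,0 +1,2 @@
+IP (tos 0x0, ttl 254, id 25615, offset 65480, flags [DF, rsvd], proto UDP (17), length 32768, options (LSRR [bad length 25] [bad ptr 15] 103.103.103.0, 0.172.0.116, 0.16.36.36, 16.0.36.2 14.9.36.4[|ip]))
+251.73.86.0 > 0.172.128.5: ip-proto-17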
Binary file added tests/ip_printroute_asan.pcap
Binary file not shown.
