Skip to content
Permalink
Browse files

CVE-2017-13041/ICMP6: Add more bounds checks.

This fixes a buffer over-read discovered by Kim Gwan Yeong.

Add a test using the capture file supplied by the reporter(s).
  • Loading branch information...
guyharris authored and infrastation committed Jun 13, 2017
1 parent 4c3aee4 commit f4b9e24c7384d882a7f434cc7413925bf871d63e
Showing with 4 additions and 0 deletions.
  1. +2 −0 print-icmp6.c
  2. +1 −0 tests/TESTLIST
  3. +1 −0 tests/icmp6_nodeinfo_oobr.out
  4. BIN tests/icmp6_nodeinfo_oobr.pcap
@@ -1699,6 +1699,7 @@ icmp6_nodeinfo_print(netdissect_options *ndo, u_int icmp6len, const u_char *bp,

needcomma = 0;

ND_TCHECK2(*dp, sizeof(*ni6));
ni6 = (const struct icmp6_nodeinfo *)dp;
ND_PRINT((ndo," node information reply"));
ND_PRINT((ndo," (")); /*)*/
@@ -1753,6 +1754,7 @@ icmp6_nodeinfo_print(netdissect_options *ndo, u_int icmp6len, const u_char *bp,
ND_PRINT((ndo,", "));
ND_PRINT((ndo,"DNS name"));
cp = (const u_char *)(ni6 + 1) + 4;
ND_TCHECK(cp[0]);
if (cp[0] == ep - cp - 1) {
/* icmp-name-lookup-03, pascal string */
if (ndo->ndo_vflag)
@@ -560,6 +560,7 @@ mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out

# bad packets from Kim Gwan Yeong
mptcp-dss-oobr mptcp-dss-oobr.pcap mptcp-dss-oobr.out -v
icmp6_nodeinfo_oobr icmp6_nodeinfo_oobr.pcap icmp6_nodeinfo_oobr.out

# RTP tests
# fuzzed pcap
@@ -0,0 +1 @@
IP6 a072:7f00:1:7f00:1:e01a:17:6785 > c903::a002:8018:fe30:0:204: ICMP6, who-are-you reply[|icmp6], length 4
Binary file not shown.

0 comments on commit f4b9e24

Please sign in to comment.
You can’t perform that action at this time.