CVE-2017-13041/ICMP6: Add more bounds checks.
This fixes a buffer over-read discovered by Kim Gwan Yeong.

Add a test using the capture file supplied by the reporter(s).
guyharris authored and infrastation committed Sep 13, 2017
1 parent 4c3aee4 commit f4b9e24
Showing 4 changed files with 4 additions and 0 deletions.
2 changes: 2 additions & 0 deletions print-icmp6.c
Expand Up @@ -1699,6 +1699,7 @@ icmp6_nodeinfo_print(netdissect_options *ndo, u_int icmp6len, const u_char *bp,

needcomma = 0;

ND_TCHECK2(*dp, sizeof(*ni6));
ni6 = (const struct icmp6_nodeinfo *)dp;
ND_PRINT((ndo," node information reply"));
ND_PRINT((ndo," (")); /*)*/
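Review bot: The added ND_TCHECK2(*dp, sizeof(*ni6)) takes its length from ni6 one line before ni6 is assigned. sizeof does not evaluate its operand, so the check is correct, but swapping the two lines and writing ND_TCHECK(*ni6) would make it obvious that the bytes checked are the same struct the following lines dereference. This check covers only the fixed icmp6_nodeinfo header; anything read past ni6 + 1 still needs its own check.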
Expand Down Expand Up @@ -1753,6 +1754,7 @@ icmp6_nodeinfo_print(netdissect_options *ndo, u_int icmp6len, const u_char *bp,
ND_PRINT((ndo,", "));
ND_PRINT((ndo,"DNS name"));
cp = (const u_char *)(ni6 + 1) + 4;
ND_TCHECK(cp[0]);
if (cp[0] == ep - cp - 1) {
/* icmp-name-lookup-03, pascal string */
if (ndo->ndo_vflag)
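Review bot: ND_TCHECK(cp[0]) guards only the single length byte at (ni6 + 1) + 4, so the name bytes that follow it are not covered by this line. A short comment saying what the 4 skipped bytes are and that cp[0] is the pascal-string length would make the check easier to audit. The rest of this branch is not shown here, so it is worth confirming that every path that prints the name after this point is also bounded by ep.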
1 change: 1 addition & 0 deletions tests/TESTLIST
Expand Up @@ -560,6 +560,7 @@ mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out

# bad packets from Kim Gwan Yeong
mptcp-dss-oobr mptcp-dss-oobr.pcap mptcp-dss-oobr.out -v
icmp6_nodeinfo_oobr icmp6_nodeinfo_oobr.pcap icmp6_nodeinfo_oobr.out

# RTP tests
# fuzzed pcap
1 change: 1 addition & 0 deletions tests/icmp6_nodeinfo_oobr.out
@@ -0,0 +1 @@
IP6 a072:7f00:1:7f00:1:e01a:17:6785 > c903::a002:8018:fe30:0:204: ICMP6, who-are-you reply[|icmp6], length 4
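Review bot: The expected output stops at "who-are-you reply[|icmp6]" and never reaches the " node information reply" text that print-icmp6.c prints right after the first new check, so this capture appears to exercise only the ND_TCHECK2(*dp, sizeof(*ni6)) path. The second added check, ND_TCHECK(cp[0]) in the DNS name branch, has no test in this commit; consider adding a second capture that carries the full header but ends before cp[0], so a regression in that branch is caught as well.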
Binary file added tests/icmp6_nodeinfo_oobr.pcap
Binary file not shown.
