
Commit ffde45a

guyharris authored and infrastation committed
CVE-2017-12994/BGP: Move a test inside a loop.
The loop can be executed more than once (that's kinda the whole point of a loop), so the check has to be made each time through the loop, not just once before the loop is executed.

Do some additional length checks while we're at it.

This fixes a buffer over-read discovered by Forcepoint's security researchers Otto Airamo & Antti Levomäki.

Add a test using the capture file supplied by the reporter(s).
1 parent 6ec0c6f commit ffde45a
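The bug class behind this commit, as an added example that is not tcpdump's code: a TLV loop whose snapshot bounds check runs once before the loop instead of on every iteration. The model below stands in for tcpdump's `ND_TCHECK2`/`ndo_snapend` with a `tcheck` helper over a snapshot length, and instead of dereferencing past the buffer it records the highest offset a read touched, so the old and fixed variants can be compared safely. The names `tcheck`, `rdn`, `aigp_tlvs`, `demo`, the `CAPTURED` bytes and the declared attribute length of 22 are all constructed for this example; the `value > tlen` guard is an assumption, not something visible in the hunk.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not tcpdump's code: the AIGP TLV loop of print-bgp.c replayed
 * against a "snapshot" (the bytes actually captured). Reads past the snapshot
 * are the over-read the commit fixes; here each read records a high-water mark
 * instead of dereferencing out of bounds, so the old variant runs safely. */
struct dissect {
    const uint8_t *buf;
    size_t snaplen;   /* bytes captured; stands in for ndo->ndo_snapend */
    size_t max_read;  /* one past the highest offset the decoder touched */
};

/* Stand-in for ND_TCHECK2(p[off], n): is [off, off+n) inside the snapshot? */
static bool tcheck(const struct dissect *d, size_t off, size_t n)
{
    return off <= d->snaplen && n <= d->snaplen - off;
}

/* Unchecked big-endian read, like *tptr / EXTRACT_16BITS / EXTRACT_64BITS.
 * Bytes outside the snapshot read as 0 here instead of faulting. */
static uint64_t rdn(struct dissect *d, size_t off, int nbytes)
{
    uint64_t v = 0;
    for (int i = 0; i < nbytes; i++, off++) {
        if (off + 1 > d->max_read)
            d->max_read = off + 1;
        v = (v << 8) | (off < d->snaplen ? d->buf[off] : 0);
    }
    return v;
}

#define BGP_AIGP_TLV 1

struct result {
    int tlvs;        /* TLV headers decoded */
    bool truncated;  /* decoder left via the trunc path */
    bool overread;   /* some read went past the snapshot */
};

/* 'len' is the attribute length from the BGP header: attacker-controlled and
 * possibly larger than what was captured. 'fixed' selects the per-iteration
 * checks from the commit; otherwise the single pre-loop check of the old code. */
static struct result aigp_tlvs(struct dissect *d, size_t len, bool fixed)
{
    struct result r = {0, false, false};
    size_t off = 0, tlen = len;

    if (!fixed && !tcheck(d, off, 3))       /* old: checked once, covers TLV #1 only */
        goto trunc;
    while (tlen >= 3) {
        if (fixed && !tcheck(d, off, 3))    /* new: off has moved, so check again */
            goto trunc;
        unsigned type = (unsigned)rdn(d, off, 1);
        unsigned length = (unsigned)rdn(d, off + 1, 2);
        size_t value;                       /* value bytes after the 3-byte header */
        r.tlvs++;
        printf("TLV type %u, length %u\n", type, length);

        if (fixed) {
            if (length < 3)                 /* new: TLV shorter than its own header */
                goto trunc;
            value = length - 3;
            off += 3; tlen -= 3;
            if (!tcheck(d, off, value))     /* value starts at off, not off + 3 */
                goto trunc;
        } else {
            int l = (int)length - 3;        /* old: ND_TCHECK2(tptr[3], length - 3) */
            if (l < 0 || !tcheck(d, off + 3, (size_t)l))
                goto trunc;
            value = (size_t)l;
            off += 3; tlen -= 3;
        }
        if (value > tlen)                   /* assumed guard: stay inside the attribute */
            goto trunc;
        if (type == BGP_AIGP_TLV) {
            if (fixed ? value < 8 : !tcheck(d, off, 8))
                goto trunc;
            printf("  metric %" PRIu64 "\n", rdn(d, off, 8));
        }
        off += value; tlen -= value;
    }
    goto done;
trunc:
    r.truncated = true;
done:
    r.overread = d->max_read > d->snaplen;
    return r;
}

/* Constructed capture: one complete AIGP TLV (metric 300). The attribute length
 * in the (uncaptured) BGP header claims 22 bytes, i.e. a second TLV exists. */
static const uint8_t CAPTURED[] = {
    0x01, 0x00, 0x0b,                                /* type 1, length 11 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x2c,  /* 8-byte metric */
};

static struct result demo(bool fixed)
{
    struct dissect d = { CAPTURED, sizeof CAPTURED, 0 };
    return aigp_tlvs(&d, 22, fixed);
}
```

With `demo(false)` the old loop reports two TLVs: the first one was covered by the single check, but the second header is read from offsets 11 to 13, which lie past the 11 captured bytes, and `overread` is set. With `demo(true)` the per-iteration check fails at offset 11, the decoder leaves through the trunc path after one TLV and nothing beyond the snapshot is touched.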

File tree: 4 files changed, +10149 −6 lines changed


Diff for: print-bgp.c

+13-6
Original file line number | Diff line number | Diff line change
@@ -2182,35 +2182,42 @@ bgp_attr_print(netdissect_options *ndo,
21822182
uint8_t type;
21832183
uint16_t length;
21842184

2185-
ND_TCHECK2(tptr[0], 3);
2186-
21872185
tlen = len;
21882186

21892187
while (tlen >= 3) {
21902188

2189+
ND_TCHECK2(tptr[0], 3);
2190+
21912191
type = *tptr;
21922192
length = EXTRACT_16BITS(tptr+1);
2193+
tptr += 3;
2194+
tlen -= 3;
21932195

21942196
ND_PRINT((ndo, "\n\t %s TLV (%u), length %u",
21952197
tok2str(bgp_aigp_values, "Unknown", type),
21962198
type, length));
21972199

2200+
if (length < 3)
2201+
goto trunc;
2202+
length -= 3;
2203+
21982204
/*
21992205
* Check if we can read the TLV data.
22002206
*/
2201-
ND_TCHECK2(tptr[3], length - 3);
2207+
ND_TCHECK2(tptr[3], length);
22022208

22032209
switch (type) {
22042210

22052211
case BGP_AIGP_TLV:
2206-
ND_TCHECK2(tptr[3], 8);
2212+
if (length < 8)
2213+
goto trunc;
22072214
ND_PRINT((ndo, ", metric %" PRIu64,
2208-
EXTRACT_64BITS(tptr+3)));
2215+
EXTRACT_64BITS(tptr)));
22092216
break;
22102217

22112218
default:
22122219
if (ndo->ndo_vflag <= 1) {
2213-
print_unknown_data(ndo, tptr+3,"\n\t ", length-3);
2220+
print_unknown_data(ndo, tptr,"\n\t ", length);
22142221
}
22152222
}
22162223

Diff for: tests/TESTLIST

+1
Original file line number | Diff line number | Diff line change
@@ -473,6 +473,7 @@ zephyr-oobr zephyr-oobr.pcap zephyr-oobr.out -vvv -e
473473
isakmp-no-none-np isakmp-no-none-np.pcap isakmp-no-none-np.out -vvv -e
474474
telnet-iac-check-oobr telnet-iac-check-oobr.pcap telnet-iac-check-oobr.out -vvv -e
475475
resp_4_infiniteloop resp_4_infiniteloop.pcap resp_4_infiniteloop.out -vvv -e
476+
bgp-aigp-oobr bgp-aigp-oobr.pcap bgp-aigp-oobr.out -vvv -e
476477

477478
# RTP tests
478479
# fuzzed pcap
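Review bot: the new entry follows the existing `name pcap out -vvv -e` convention and sits with the other over-read regression tests, which is fine; the concern is size. The file summary shows +10149 lines for this commit and the three hunks visible here account for 14 of them, so nearly all of it is bgp-aigp-oobr.out, meaning the reporters' capture is being checked in whole. Consider trimming the pcap to the packet(s) that reach the AIGP TLV loop so the expected output stays small enough to review, and confirm the .out file was regenerated with the patched print-bgp.c rather than with the decoder that over-read.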

0 commit comments
