(for 4.9.3) CVE-2018-14462/ICMP: Add a missing bounds check

In icmp_print(). This fixes a buffer over-read discovered by Bhargava Shastry. Add two tests using the capture files supplied by the reporter(s).
2024-12-11 10:54:21 +08:00 · 2017-10-08 12:06:56 +02:00 · 2017-10-08 12:06:56 +02:00 · 1a1bce0526
commit 1a1bce0526
parent e5ec0d6b59
6 changed files with 15 additions and 0 deletions
--- a/print-icmp.c
+++ b/print-icmp.c
@ -564,6 +564,7 @@ icmp_print(netdissect_options *ndo, const u_char *bp, u_int plen, const u_char *
 			vec[0].len = plen;
 			sum = in_cksum(vec, 1);
 			if (sum != 0) {
+				ND_TCHECK_16BITS(&dp->icmp_cksum);
 				uint16_t icmp_sum = EXTRACT_16BITS(&dp->icmp_cksum);
 				ND_PRINT((ndo, " (wrong icmp cksum %x (->%x)!)",
 					     icmp_sum,
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@ -553,6 +553,8 @@ ip_ts_opts_asan		ip_ts_opts_asan.pcap		ip_ts_opts_asan.out	-v
 isakmpv1-attr-oobr	isakmpv1-attr-oobr.pcap		isakmpv1-attr-oobr.out	-v
 isakmp-ikev1_n_print-oobr isakmp-ikev1_n_print-oobr.pcap isakmp-ikev1_n_print-oobr.out -v -c3
 ldp-ldp_tlv_print-oobr ldp-ldp_tlv_print-oobr.pcap ldp-ldp_tlv_print-oobr.out -v -c1
+icmp-icmp_print-oobr-1 icmp-icmp_print-oobr-1.pcap icmp-icmp_print-oobr-1.out -v -c3
+icmp-icmp_print-oobr-2 icmp-icmp_print-oobr-2.pcap icmp-icmp_print-oobr-2.out -v -c3
 # The .pcap file is truncated after the 1st packet.
 hncp_dhcpv6data-oobr	hncp_dhcpv6data-oobr.pcap	hncp_dhcpv6data-oobr.out -v -c1
 hncp_dhcpv4data-oobr	hncp_dhcpv4data-oobr.pcap	hncp_dhcpv4data-oobr.out -v -c1
--- a/tests/icmp-icmp_print-oobr-1.out
+++ b/tests/icmp-icmp_print-oobr-1.out
@ -0,0 +1,7 @@
+IP (tos 0x4, ttl 64, id 3584, offset 0, flags [none], proto ICMP (1), length 23, bad cksum a (->1e0f)!)
+    22.3.2.0 > 54.209.0.0: ICMP type-#49, length 3[|icmp]
+IP (tos 0x4, ttl 64, id 32512, offset 0, flags [none], proto VRRP (112), length 31, bad cksum 82 (->db96)!)
+    22.3.211.0 > 54.209.0.0: vrrp 22.3.211.0 > 54.209.0.0: VRRPv3, Advertisement, (ttl 64), vrid 128, prio 69[|vrrp]
+c0:05:ff:ff:40:9d > 00:0c:02:49:96:7e, ethertype Unknown (0xf1ff), length 65570: 
+	0x0000:  4404 0020 0e00 0000 4070 000a 1603 0200  D.......@p......
+	0x0010:  36d1 0000 3180 bc                        6...1..
--- a/tests/icmp-icmp_print-oobr-1.pcap
+++ b/tests/icmp-icmp_print-oobr-1.pcap
--- a/tests/icmp-icmp_print-oobr-2.out
+++ b/tests/icmp-icmp_print-oobr-2.out
@ -0,0 +1,5 @@
+IP truncated-ip - 39 bytes missing! (tos 0x7f,CE, ttl 254, id 40208, offset 0, flags [none], proto VRRP (112), length 68, options (unknown 69 [bad length 83]), bad cksum 9b15 (->b774)!)
+    250.219.91.20 > 209.150.251.64: vrrp 250.219.91.20 > 209.150.251.64: VRRPv2, Advertisement, (ttl 254)[|vrrp]
+[|fr]
+IP (tos 0x7f,CE, ttl 254, id 40208, offset 0, flags [none], proto ICMP (1), length 30, options (unknown 201 [bad length 255]), bad cksum 101 (->6470)!)
+    1.241.1.250 > 219.91.15.170: ICMP type-#255, length 2[|icmp]
--- a/tests/icmp-icmp_print-oobr-2.pcap
+++ b/tests/icmp-icmp_print-oobr-2.pcap