(for 4.9.3) CVE-2018-14461/LDP: Fix a bounds check

In ldp_tlv_print(), the FT Session TLV length must be 12, not 8 (RFC3479)

This fixes a buffer over-read discovered by Konrad Rieck and
Bhargava Shastry.

Add a test using the capture file supplied by the reporter(s).

Moreover:
Add and use tstr[].
Add a comment.
Francois-Xavier Le Bail 2017-10-08 11:49:24 +02:00
parent 396e94ff55
commit aa5c6b710d
4 changed files with 13 additions and 3 deletions


@ -29,6 +29,8 @@
#include "l2vpn.h"
#include "af.h"
static const char tstr[] = " [|LDP]";
/*
* ldp common header
*
@ -486,7 +488,7 @@ ldp_tlv_print(netdissect_options *ndo,
break;
case LDP_TLV_FT_SESSION:
TLV_TCHECK(8);
TLV_TCHECK(12);
ft_flags = EXTRACT_16BITS(tptr);
ND_PRINT((ndo, "\n\t Flags: [%sReconnect, %sSave State, %sAll-Label Protection, %s Checkpoint, %sRe-Learn State]",
ft_flags&0x8000 ? "" : "No ",
@ -494,6 +496,7 @@ ldp_tlv_print(netdissect_options *ndo,
ft_flags&0x4 ? "" : "No ",
ft_flags&0x2 ? "Sequence Numbered Label" : "All Labels",
ft_flags&0x1 ? "" : "Don't "));
/* 16 bits (FT Flags) + 16 bits (Reserved) */
tptr+=4;
ui = EXTRACT_32BITS(tptr);
if (ui)
@ -534,7 +537,7 @@ ldp_tlv_print(netdissect_options *ndo,
return(tlv_len+4); /* Type & Length fields not included */
trunc:
ND_PRINT((ndo, "\n\t\t packet exceeded snapshot"));
ND_PRINT((ndo, "%s", tstr));
return 0;
badtlv:
@ -692,7 +695,7 @@ ldp_pdu_print(netdissect_options *ndo,
}
return pdu_len+4;
trunc:
ND_PRINT((ndo, "\n\t\t packet exceeded snapshot"));
ND_PRINT((ndo, "%s", tstr));
return 0;
}
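Review bot: `TLV_TCHECK(12)` in the LDP_TLV_FT_SESSION case reads as a minimum-length check, while the commit message (and RFC 3479) describe the FT Session TLV as exactly 12 octets, so a TLV announcing a longer length would presumably still be decoded with its trailing bytes silently skipped; the macro is defined outside the hunk, so this is inferred from its use. A comment next to the check would make the bound intelligible to the next reader, e.g. `/* RFC 3479: FT Flags(16) + Reserved(16) + FT Reconnect Timeout(32) + Recovery Time(32) = 12 octets */`. Separately, the new expected output file shows two `[|LDP]` markers for a single truncated TLV, which follows from ldp_tlv_print's trunc path printing tstr and returning 0 and ldp_pdu_print apparently treating that 0 as its own truncation and printing tstr again; one marker per truncation would be cleaner, for instance by having the caller not print tstr when the callee has already reported it. The bodies of both ldp_tlv_print and ldp_pdu_print start outside the hunks.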


@ -552,6 +552,7 @@ ospf6_decode_v3_asan ospf6_decode_v3_asan.pcap ospf6_decode_v3_asan.out -v
ip_ts_opts_asan ip_ts_opts_asan.pcap ip_ts_opts_asan.out -v
isakmpv1-attr-oobr isakmpv1-attr-oobr.pcap isakmpv1-attr-oobr.out -v
isakmp-ikev1_n_print-oobr isakmp-ikev1_n_print-oobr.pcap isakmp-ikev1_n_print-oobr.out -v -c3
ldp-ldp_tlv_print-oobr ldp-ldp_tlv_print-oobr.pcap ldp-ldp_tlv_print-oobr.out -v -c1
# The .pcap file is truncated after the 1st packet.
hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1
hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1


@ -0,0 +1,6 @@
IP (tos 0x0, id 4608, offset 0, flags [+, DF, rsvd], proto UDP (17), length 25600, options (EOL), bad cksum 8e (->4023)!)
24.250.219.0.4098 > 0.0.0.0.646:
LDP, Label-Space-ID: 0.0.127.255:796, pdu-length: 514
Address Withdraw Message (0x0301), length: 22, Message ID: 0x00001600, Flags: [ignore if unknown]
Unknown TLV (0x0404), length: 0, Flags: [ignore and don't forward if unknown]
Fault-Tolerant Session Parameters TLV (0x0503), length: 8, Flags: [ignore and don't forward if unknown] [|LDP] [|LDP]
