CVE-2017-13020/VTP: Add some missing bounds checks.

This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
2024-11-24 10:33:28 +08:00 · 2017-03-21 22:02:41 -07:00 · 2017-03-21 22:02:41 -07:00 · c5dd7bef5e
commit c5dd7bef5e
parent 4601c685e7
4 changed files with 9 additions and 0 deletions
--- a/print-vtp.c
+++ b/print-vtp.c
@ -223,6 +223,7 @@ vtp_print (netdissect_options *ndo,
 	 *
 	 */

+	ND_TCHECK_32BITS(tptr);
 	ND_PRINT((ndo, ", Config Rev %x", EXTRACT_32BITS(tptr)));

 	/*
@ -243,6 +244,7 @@ vtp_print (netdissect_options *ndo,
 	tptr += 4;
 	while (tptr < (pptr+length)) {

+	    ND_TCHECK_8BITS(tptr);
 	    len = *tptr;
 	    if (len == 0)
 		break;
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@ -521,6 +521,7 @@ esis_snpa_asan-5	esis_snpa_asan-5.pcap		esis_snpa_asan-5.out	-v
 dhcp6_reconf_asan	dhcp6_reconf_asan.pcap		dhcp6_reconf_asan.out	-v
 pgm_opts_asan		pgm_opts_asan.pcap		pgm_opts_asan.out	-v
 pgm_opts_asan_2		pgm_opts_asan_2.pcap		pgm_opts_asan_2.out	-v
+vtp_asan		vtp_asan.pcap			vtp_asan.out	-v

 # RTP tests
 # fuzzed pcap
--- a/tests/vtp_asan.out
+++ b/tests/vtp_asan.out
@ -0,0 +1,6 @@
+FRF.16 Frag, seq 193, Flags [Begin, End], UI 08! VTPv69, Message Subset advertisement (0x02), length 2126400013
+	Domain name: , Seq number: 0[|vtp]
+[|mfr]
+[|mfr]
+[|mfr]
+[|mfr]
--- a/tests/vtp_asan.pcap
+++ b/tests/vtp_asan.pcap