Commit Graph

3 Commits

Author SHA1 Message Date
Francois-Xavier Le Bail
f253e11009 Add a sanity check on packet header length
The packet length must be <= MAXIMUM_SNAPLEN.

Currently, there is no D-Bus printer, thus no need for a bigger length.

Now a pachet is valid if:
capture length != 0,
packet length != 0,
capture length <= MAXIMUM_SNAPLEN,
packet length <= MAXIMUM_SNAPLEN,
packet length >= capture length.

Moreover:
Fix the packet header lengths of some fuzzed pcap files:
If the lengths are > MAXIMUM_SNAPLEN, set them to MAXIMUM_SNAPLEN.
Thus they will be always usable with this new sanity check.
2018-02-07 18:48:49 +01:00
David Cronin
c8544a787c tok2str-oobr-1: fixed issue where test reading a withdrawn routes of length 1 byte and then would truncate the content as 1 byte is not enough room for the prefix. Now the code will skip the withdrawn routes entirely if it is less then two bytes, which is the minimum needed. The code will no longer print 'Withdrawn Routes: 1 bytes', I feel this no longer makes sense.
bgp_mvpn_6_and_7 && bgp_pmsi_tunnel-oobr && bgp_vpn_rt-oobr: All contained illegal prefix lengths in the withdrawn routes section, ie > than 32 for ipv4, so I modified the .pcap files to have legal prefixs so that the BGP wasn't truncated and updated the withdrawn routes in the test.out
2017-11-12 13:01:56 +00:00
Denis Ovsienko
bd4e697ebd CVE-2017-13053/BGP: fix VPN route target bounds checks
decode_rt_routing_info() didn't check bounds before fetching 4 octets of
the origin AS field and could over-read the input buffer, put it right.

It also fetched the varying number of octets of the route target field
from 4 octets lower than the correct offset, put it right.

It also used the same temporary buffer explicitly through as_printf()
and implicitly through bgp_vpn_rd_print() so the end result of snprintf()
was not what was originally intended.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00