tcpdump/tests/rsvp_fast_reroute-oobr.out
Denis Ovsienko 3c8a2b0e91 CVE-2017-13048/RSVP: fix decoding of Fast Reroute objects
In rsvp_obj_print() the case block for Class-Num 205 (FAST_REROUTE) from
RFC 4090 Section 4.1 could over-read accessing the buffer contents before
making the bounds check. Rearrange those steps the correct way around.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00

IP (tos 0x0, ttl 224, id 17920, offset 0, flags [none], proto RSVP (46), length 42024, bad cksum 3700 (->fc41)!)
0.203.243.128 > 0.26.0.0:
RSVPv1 Path Message (1), Flags: [Refresh reduction capable], length: 41218, ttl: 227, checksum: 0x00f4
Fast Re-Route Object (205) Flags: [ignore and forward if unknown], Class-Type: Unknown (0), length: 4
Fast Re-Route Object (205) Flags: [ignore and forward if unknown], Class-Type: Unknown (0), length: 4
[|rsvp]
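
The ordering the commit message describes (bounds check first, field access second), as an added example that is not tcpdump's own code. The names `frr_decode`, `frr_fields` and `be32` are hypothetical, and the body layouts are assumed from RFC 4090 Section 4.1; an object like the ones above, with length 4 (header only, empty body) and an unknown Class-Type, is rejected before any body byte is read.

```c
#include <stddef.h>
#include <stdint.h>

/* Body sizes (after the 4-byte object header) from RFC 4090 Section 4.1. */
#define FRR_BODY_CTYPE1 20u
#define FRR_BODY_CTYPE7 16u

/* Hypothetical result type for this example. */
struct frr_fields {
    uint8_t  setup_prio, hold_prio, hop_limit;
    uint32_t bandwidth_bits;   /* IEEE 754 float, kept as raw bits */
    uint32_t include_any, exclude_any;
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Decode a FAST_REROUTE object body. `avail` is the number of bytes
 * that really follow `body` in the buffer. Returns 0 on success and
 * -1 when the C-Type is unknown or the body is shorter than required.
 */
int frr_decode(const uint8_t *body, size_t avail, uint8_t ctype,
               struct frr_fields *out)
{
    size_t need;

    switch (ctype) {
    case 1: need = FRR_BODY_CTYPE1; break;
    case 7: need = FRR_BODY_CTYPE7; break;
    default: return -1;
    }
    /* Bounds check first. Calling be32(body + 4) above this line would
     * be the over-read: those bytes may not exist in the buffer. */
    if (avail < need)
        return -1;

    out->setup_prio     = body[0];
    out->hold_prio      = body[1];
    out->hop_limit      = body[2];
    out->bandwidth_bits = be32(body + 4);
    out->include_any    = be32(body + 8);
    out->exclude_any    = be32(body + 12);
    return 0;
}
```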