tcpdump/tests/kday6.out
Guy Harris b20e1639db CVE-2017-13026/IS-IS: Clean up processing of subTLVs.
Add bounds checks, do a common check to make sure we captured the entire
subTLV, add checks to make sure the subTLV fits within the TLV.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add tests using the capture files supplied by the reporter(s), modified
so the capture files won't be rejected as an invalid capture.

Update existing tests for changes to IS-IS dissector.
2017-09-13 12:25:44 +01:00

351 lines
14 KiB
Plaintext

FRF.16 Frag, seq 693, Flags [Begin], UI e8! IS-IS, length 301989913
L1 LSP, hlen: 27, v: 1, pdu-v: 1, sys-id-len: 6 (0), max-area: 131 (131)
lsp-id: 8383.8383.834f.00-60, seq: 0x06418fcc, lifetime: 33667s
chksum: 0x0900 (unverified), PDU length: 33667, Flags: [ Overload bit set, expense ATT bit set, L1 IS ]
Multi-Topology Capability TLV #144, length: 137
O: 0, RES: 4, MTID(s): 3945
unknown subTLV #8, length: 233
[|isis]
unknown TLV #213, length: 243
0x0000: 5cca 8010 0410 0594 4510 0410 6e55 0000
0x0010: 0101 080a 8cf3 ac2b 269c 0e2d 0e0e 0e0e
0x0020: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x0030: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x0040: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x0050: 0e0e 0e0e 0e0e 0e0e 0e1b 0100 1201 8383
0x0060: 8383 8383 8383 8383 834f 0060 0641 8fcc
0x0070: 0900 2590 894f 6908 e912 0025 e489 4f0e
0x0080: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x0090: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x00a0: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x00b0: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x00c0: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x00d0: 7f0e 0e0e 0e0e 0e0e 0e0e 0e0e 0c0e 0e0e
0x00e0: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x00f0: 0e0e 0e
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
unknown TLV #100, length: 14
0x0000: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
unknown TLV #96, length: 183
0x0000: 0fbb 1627 4ce2 d5f3 5cca 8010 0410 0594
0x0010: 4510 0410 6e55 0000 0101 080a 8cf3 ac2b
0x0020: 269c 3ab9 a568 7354 404c 0c00 f702 0000
0x0030: f702 0000 84b5 9cbe 8cff ffff 0040 ff3e
0x0040: 88cc 0910 0410 0594 0000 0101 080a 269c
0x0050: 318b 8cf3 ac0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x0060: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x0070: 0e0e 0e0e 0004 0e0e 0e0e 0e0e 8e0e 0e0e
0x0080: 0e0e 0e0e 0e0b 0e0e 0e0e 0e0e 0e0e 0e0e
0x0090: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x00a0: 0e00 3e20 0a00 b60d 0000 2000 0000 84b5
0x00b0: aee0 3083 8383 1b
Area address(es) TLV #1, length: 0
unknown TLV #18, length: 1
0x0000: 83
Inter-Domain Information Type TLV #131, length: 131
Inter-Domain Information Type: Unknown (0x83)
0x0000: 8383 8383 8383 834f 0060 0641 8fcc 0900
0x0010: 2590 894f 6908 e912 0025 9089 4f69 0800
0x0020: 4500 0034 9040 4001 4006 a516 cc09 370a
0x0030: ccff ffff 7fbb da80 d5f3 5c05 1614 4a2d
0x0040: 8010 0410 6e55 0000 0101 080a 8cf3 ac2b
0x0050: 269c 30b9 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x0060: 0e08 0e0e 0e0e 0e01 0e0e 0e0e 0e0e 110e
0x0070: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x0080: 0e0e
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
unknown TLV #172, length: 198
0x0000: 2478 f620 70ac 2561 8ae3 3458 2d7a 4ea0
0x0010: d056 a568 7354 180e 0e0e 0e0e 0e0e 0e0e
0x0020: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x0030: 0e0d f20e 0e0e 0e0e 0e0e 0e0e 0e04 0e0e
0x0040: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x0050: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x0060: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x0070: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e49 0e0e
0x0080: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0d
0x0090: f20e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x00a0: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x00b0: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x00c0: 0e0e 0e0e 0e0e
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3612
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 5
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3676
unknown TLV #92, length: 92
0x0000: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0010: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0020: 5c44 4444 4444 4444 4444 4444 4444 4444
0x0030: 44b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7
0x0040: b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7
0x0050: b7b7 b7b7 b7b7 b7b7 b7b7 b7b7
unknown TLV #183, length: 183
0x0000: b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7
0x0010: b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7
0x0020: b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7
0x0030: b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7
0x0040: b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7
0x0050: b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7
0x0060: b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7
0x0070: b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7
0x0080: b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7
0x0090: b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7
0x00a0: b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7
0x00b0: b7b7 b7b7 b7b7 b7
unknown TLV #183, length: 183
0x0000: b7b7 b7b7 b7b7 b7b7 b7c0 b7b7 b7b7 b7b7
0x0010: b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7
0x0020: b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7 b7b7
0x0030: b7b7 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0040: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0050: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0060: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0070: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0080: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0090: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x00a0: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x00b0: 5c5c 5c5c 5c5c 5c
unknown TLV #92, length: 92
0x0000: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0010: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0020: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0030: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0040: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0050: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
unknown TLV #92, length: 92
0x0000: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0010: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0020: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0030: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0040: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0050: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
unknown TLV #92, length: 92
0x0000: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0010: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0020: 5c5c 715c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0030: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0040: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0050: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
unknown TLV #92, length: 92
0x0000: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0010: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0020: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0030: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0040: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0050: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
unknown TLV #92, length: 92
0x0000: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0010: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0020: 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c 5c5c
0x0030: 5c5c 5c5c 5c5c 5c5c 5c10 0594 4510 0410
0x0040: 6e55 0000 0101 080a 8cf3 ac2b 269c 3ab9
0x0050: a568 7354 404c 0c00 f702 0000
unknown TLV #247, length: 2
0x0000: 0000
IPv4 Interface address(es) TLV #132, length: 181
IPv4 interface address: 156.190.140.255
IPv4 interface address: 255.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.14.14
IPv4 interface address: 14.14.28.14
IPv4 interface address: 28.14.21.14
IPv4 interface address: 14.14.14.130
IPv4 interface address: 89.186.4.171
IPv4 interface address: 23.3.1.0
IPv4 interface address: 32.144.252.48
IPv4 interface address: 165.128.255.255
IPv4 interface address: 255.246.232.117
IPv4 interface address: 154.157.104.136
IPv4 interface address: 118.103.188.123
IPv4 interface address: 181.119.205.109
IPv4 interface address: 60.22.90.116
IPv4 interface address: 80.127.192.14
IPv4 interface address: 156.165.230.105
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 61197
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 13
LSP Buffersize: 244
unknown TLV #255, length: 0
unknown TLV #64, length: 6
0x0000: 3e88 cc09 3650
unknown TLV #204, length: 9
0x0000: 370a da80 01bb 0404 04
unknown TLV #11, length: 4
0x0000: 2104 0404
Partition DIS TLV #4, length: 4
Partition DIS TLV #4, length: 4
Partition DIS TLV #4, length: 4
Partition DIS TLV #4, length: 4
Partition DIS TLV #4, length: 4
Partition DIS TLV #4, length: 4
Partition DIS TLV #4, length: 4
unknown TLV #234, length: 4
0x0000: 0404 0404
Partition DIS TLV #4, length: 4
Partition DIS TLV #4, length: 4
Partition DIS TLV #4, length: 4
Partition DIS TLV #4, length: 4
Partition DIS TLV #4, length: 4
unknown TLV #0, length: 0
Partition DIS TLV #4, length: 4
Partition DIS TLV #4, length: 4
Partition DIS TLV #4, length: 4
Partition DIS TLV #4, length: 5
Purge Originator Identifier TLV #13, length: 178
Purge Originator System-ID: e4f9.cb0c.e2cd
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
Partition DIS TLV #4, length: 4
Partition DIS TLV #4, length: 4
Partition DIS TLV #4, length: 4
Partition DIS TLV #4, length: 4
Partition DIS TLV #4, length: 4
Partition DIS TLV #4, length: 4
Partition DIS TLV #4, length: 4
Partition DIS TLV #4, length: 4
unknown TLV #0, length: 13
0x0000: b2c4 e4f9 cb0c e2cd 2e17 5a0b f3
unknown TLV #180, length: 146
0x0000: 01fa 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x0010: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x0020: 0e0e 0e28 0e0e 0e0e 0e0e fb0d 0e0e 0e0e
0x0030: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x0040: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x0050: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x0060: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x0070: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x0080: 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e 0e0e
0x0090: 0e0e
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
IPv4 Internal Reachability TLV #128, length: 0
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
LSP Buffersize TLV #14, length: 14
LSP Buffersize: 3598
unknown TLV #58, length: 58
0x0000: 3a3a 3a3a 3a3a 3a3a 3a3a 3a3a 3a3a 3a3a
0x0010: 3a3a 3a [|isis]
EXIT CODE 00000100