author | Denis Ovsienko <denis@ovsienko.info> | 2017-01-12 10:09:34 +0000 |
---|---|---|
committer | Francois-Xavier Le Bail <fx.lebail@yahoo.com> | 2017-01-18 09:16:41 +0100 |
commit | c39c1d99ac3b6d5d9519b39da6717180651650d3 (patch) | |
tree | 9a68359cfb9c57c3b8c7f28c76c82fc9178a26ab | |
parent | 857ec6e800ec772f5a6b9f76268d189d70f000b6 (diff) | |
download | tcpdump-c39c1d99ac3b6d5d9519b39da6717180651650d3.tar.gz |
CVE-2017-5482/Q.933: add a missing bounds check
Brian Carpenter had found that, regardless of CVE-2016-8575, q933_print()
could still overread the buffer when trying to parse a short packet. This
change fixes the problem.
-rw-r--r-- | print-fr.c | 1 | ||||
-rw-r--r-- | tests/TESTLIST | 1 | ||||
-rw-r--r-- | tests/q933-heapoverflow-2.out | 24 | ||||
-rw-r--r-- | tests/q933-heapoverflow-2.pcap | bin | 0 -> 1483 bytes |
4 files changed, 26 insertions, 0 deletions
@@ -906,6 +906,7 @@ q933_print(netdissect_options *ndo,
 ND_PRINT((ndo, "%s, codeset %u", is_ansi ? "ANSI" : "CCITT", codeset));
 if (call_ref_length != 0) {
+ ND_TCHECK(p[0]);
 if (call_ref_length > 1 || p[0] != 0) {
 /*
 * Not a dummy call reference.
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 5046046c..91c3b8a7 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -424,6 +424,7 @@ ipv6hdr-heapoverflow ipv6hdr-heapoverflow.pcap ipv6hdr-heapoverflow.out -t
 ipv6hdr-heapoverflow-v ipv6hdr-heapoverflow.pcap ipv6hdr-heapoverflow-v.out -t -v
 otv-heapoverflow-1 otv-heapoverflow-1.pcap otv-heapoverflow-1.out -t -c10
 otv-heapoverflow-2 otv-heapoverflow-2.pcap otv-heapoverflow-2.out -t -c10
+q933-heapoverflow-2 q933-heapoverflow-2.pcap q933-heapoverflow-2.out -t
 # RTP tests
 # fuzzed pcap
diff --git a/tests/q933-heapoverflow-2.out b/tests/q933-heapoverflow-2.out
new file mode 100644
index 00000000..1a40c731
--- /dev/null
+++ b/tests/q933-heapoverflow-2.out
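Review bot: The new `ND_TCHECK(p[0]);` covers only the first call-reference octet, which is exactly what the condition on the following line reads, so it is sufficient for that comparison; any code in the "Not a dummy call reference" branch that walks the remaining call_ref_length-1 octets lies outside this hunk and needs its own bounds check there. If that branch does read p[1..call_ref_length-1], a single range check, `ND_TCHECK2(*p, call_ref_length);`, in place of the one-octet check would cover both uses at once, provided call_ref_length has already been bounded earlier in the function (not visible here). The enclosing q933_print() starts and ends outside the hunk, and the `trunc` label that ND_TCHECK jumps to is not visible either; it should exist from the earlier CVE-2016-8575 fix the description mentions, but that is worth confirming. A one-line why-comment above the check, `/* the first call-reference octet must be within captured data before it is compared */`, would make the intent clear to readers unfamiliar with the ND_TCHECK convention.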
@@ -0,0 +1,24 @@
+Q.922, invalid address
+UI 00! Q.922, hdr-len 4, DLCI 5769024, Flags [none], NLPID unknown (0x11), length 41:
+ 0x0000: 886b 68 .kh
+Q.922, invalid address
+UI 00! Q.922, hdr-len 4, DLCI 5769024, Flags [none], NLPID unknown (0x14), length 160:
+ 0x0000: a530 b0 .0.
+Q.922, invalid address
+UI 00! Q.922, hdr-len 4, DLCI 5801792, Flags [none], NLPID unknown (0x11), length 179:
+ 0x0000: 886b 68 .kh
+Q.922, invalid address
+UI 00! Q.922, hdr-len 4, DLCI 5769024, Flags [none], NLPID unknown (0x14), length 30:
+ 0x0000: a530 b0 .0.
+Q.922, invalid address
+UI 00! Q.922, hdr-len 4, DLCI 1856, Flags [none], NLPID unknown (0x11), length 85:
+ 0x0000: 886b 68 .kh
+Q.922, invalid address
+Q.922, invalid address
+UI 00! Q.922, hdr-len 4, DLCI 526144, Flags [none], NLPID unknown (0x14), length 46:
+ 0x0000: a530 b0 .0.
+Q.922, invalid address
+UI 2c! Pad! Q.922, hdr-len 2, DLCI 288, Flags [none], NLPID NULL (0x00), length 24:
+ 0x0000: 1188 6b68 ..kh
+Q.922, invalid address
+UI 2c! Pad! Q.933, CCITT, codeset 0[|q.933]
diff --git a/tests/q933-heapoverflow-2.pcap b/tests/q933-heapoverflow-2.pcap
Binary files differ
new file mode 100644
index 00000000..c38c7b6f
--- /dev/null
+++ b/tests/q933-heapoverflow-2.pcap |