author | Guy Harris <guy@alum.mit.edu> | 2017-03-16 12:02:20 -0700 |
---|---|---|
committer | Denis Ovsienko <denis@ovsienko.info> | 2017-09-13 12:25:44 +0100 |
commit | 985122081165753c7442bd7824c473eb9ff56308 (patch) | |
tree | 5ba5bf7f9d42e871928e4f33174d548e9771d270 /print-eap.c | |
parent | cc356512f512e7fa423b3674db4bb31dbe40ffec (diff) | |
CVE-2017-13015/EAP: Add more bounds checks.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
Diffstat (limited to 'print-eap.c')
-rw-r--r-- | print-eap.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/print-eap.c b/print-eap.c
index 125e1ee1..d76aea33 100644
--- a/print-eap.c
+++ b/print-eap.c
@@ -182,7 +182,9 @@ eap_print(netdissect_options *ndo,
 switch (eap->type) {
 case EAP_FRAME_TYPE_PACKET:
+ ND_TCHECK_8BITS(tptr);
 type = *(tptr);
+ ND_TCHECK_16BITS(tptr+2);
 len = EXTRACT_16BITS(tptr+2);
 ND_PRINT((ndo, ", %s (%u), id %u, len %u",
 tok2str(eap_code_values, "unknown", type),
@@ -193,10 +195,11 @@ eap_print(netdissect_options *ndo,
 ND_TCHECK2(*tptr, len);
 if (type <= 2) { /* For EAP_REQUEST and EAP_RESPONSE only */
+ ND_TCHECK_8BITS(tptr+4);
 subtype = *(tptr+4);
 ND_PRINT((ndo, "\n\t\t Type %s (%u)",
- tok2str(eap_type_values, "unknown", *(tptr+4)),
- *(tptr + 4)));
+ tok2str(eap_type_values, "unknown", subtype),
+ subtype));
 switch (subtype) {
 case EAP_TYPE_IDENTITY:
@@ -222,6 +225,7 @@ eap_print(netdissect_options *ndo,
 * type one octet per type */
 while (count < len) {
+ ND_TCHECK_8BITS(tptr+count);
 ND_PRINT((ndo, " %s (%u),",
 tok2str(eap_type_values, "unknown", *(tptr+count)),
 *(tptr + count)));
@@ -230,19 +234,23 @@ eap_print(netdissect_options *ndo,
 break;
 case EAP_TYPE_TTLS:
- ND_PRINT((ndo, " TTLSv%u",
- EAP_TTLS_VERSION(*(tptr + 5))));
 /* fall through */
 case EAP_TYPE_TLS:
+ ND_TCHECK_8BITS(tptr + 5);
+ if (subtype == EAP_TYPE_TTLS)
+ ND_PRINT((ndo, " TTLSv%u",
+ EAP_TTLS_VERSION(*(tptr + 5))));
 ND_PRINT((ndo, " flags [%s] 0x%02x,",
 bittok2str(eap_tls_flags_values, "none", *(tptr+5)),
 *(tptr + 5)));
 if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) {
+ ND_TCHECK_32BITS(tptr + 6);
 ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6)));
 }
 break;
 case EAP_TYPE_FAST:
+ ND_TCHECK_8BITS(tptr + 5);
 ND_PRINT((ndo, " FASTv%u",
 EAP_TTLS_VERSION(*(tptr + 5))));
 ND_PRINT((ndo, " flags [%s] 0x%02x,",
@@ -250,6 +258,7 @@ eap_print(netdissect_options *ndo,
 *(tptr + 5)));
 if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) {
+ ND_TCHECK_32BITS(tptr + 6);
 ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6)));
 }
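Review bot: In the first hunk the two new checks cover only the Code byte (`tptr`) and the Length field (`tptr+2`), so the Identifier byte at `tptr+1`, which the surrounding `ND_PRINT` appears to print as `id %u` (its argument list runs past the hunk), is safe only because the two checked ranges are contiguous; a single `ND_TCHECK2(*tptr, 4);` before `type = *(tptr);` in place of both `ND_TCHECK_*BITS` calls would state that the whole 4-octet EAP header is required. The Length value is also never compared with that header size: RFC 3748 defines it as the length of the entire packet including the 4-octet header, so a value below 4 makes the later `ND_TCHECK2(*tptr, len)` in the second hunk vacuous while `tptr+4`, `tptr+5` and `tptr+6..9` are still printed from beyond the packet's declared extent; a guard such as `if (len < 4) return;` after the length is printed would reject such packets up front (eap_print's return type is outside the hunk, so adjust to its existing truncation convention). Neither point is a remaining over-read, since every later dereference the commit touches carries its own capture-bounds check. eap_print starts and ends outside this hunk.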
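Review bot: The per-iteration `ND_TCHECK_8BITS(tptr+count);` added in the third hunk looks redundant rather than protective: `ND_TCHECK2(*tptr, len)` in the second hunk already guarantees `tptr[0..len-1]` is within the captured data, and the loop condition `while (count < len)` keeps every `*(tptr+count)` read inside that range, assuming `count` is unsigned or at least non-negative (its declaration and initial value are outside the hunk). It does no harm, but without a note a future reader may take it for the check that makes the loop safe and drop the whole-packet check instead; a comment such as `/* already covered by ND_TCHECK2(*tptr, len) above; kept as a cheap local guard */` on the new line would prevent that. The loop body and the enclosing case continue outside the hunk.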
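Review bot: In the fourth hunk the new `ND_TCHECK_8BITS(tptr + 5);` under `case EAP_TYPE_TLS:` also protects the TTLS path, but only through the `/* fall through */` from `case EAP_TYPE_TTLS:`, and the TTLS version print that used to sit under that label has moved below the check behind `if (subtype == EAP_TYPE_TTLS)`; the TTLS case now reads as empty, which is easy to misread. A comment at the label, `/* flags-byte check and TTLSv print are shared with EAP_TYPE_TLS below */`, would make the dependency explicit. The same sequence (check the flags byte at `tptr+5`, print the flags, then `ND_TCHECK_32BITS(tptr + 6)` and print the 4-byte TLS length when the L bit is set) is now duplicated for TLS/TTLS and again for FAST across the fourth and fifth hunks; a small `static` helper taking `ndo` and `tptr` would remove the duplication, though that is a follow-up beyond this CVE fix. The FAST case is cut by the hunk boundary and continues in the next hunk.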
@@ -258,6 +267,7 @@ eap_print(netdissect_options *ndo,
 case EAP_TYPE_AKA:
 case EAP_TYPE_SIM:
+ ND_TCHECK_8BITS(tptr + 5);
 ND_PRINT((ndo, " subtype [%s] 0x%02x,",
 tok2str(eap_aka_subtype_values, "unknown", *(tptr+5)),
 *(tptr + 5))); |