authorGuy Harris <guy@alum.mit.edu>2017-08-23 19:26:37 -0700
committerDenis Ovsienko <denis@ovsienko.info>2017-09-13 12:25:44 +0100
commit0cb1b8a434b599b8d636db029aadb757c24e39d6 (patch)
tree6d07ec8eda5132fb0834f858ca77a1dfe8a4f90d /print-olsr.c
parent26b956739a77641634964e90aa765884daef0d0f (diff)
CVE-2017-13688/OLSR: Do bounds checks before we fetch data.
While we're at it, clean up some other bounds checks, so we check that we have a complete IPv4 message header if it's IPv4 and a complete IPv6 message header if it's IPv6. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add tests using the capture files supplied by the reporter(s).
Diffstat (limited to 'print-olsr.c')
-rw-r--r--print-olsr.c21
1 files changed, 12 insertions, 9 deletions
diff --git a/print-olsr.c b/print-olsr.c
index 05e74bb8..e67988df 100644
--- a/print-olsr.c
+++ b/print-olsr.c
@@ -359,10 +359,9 @@ olsr_print(netdissect_options *ndo,
} msgptr;
int msg_len_valid = 0;
- ND_TCHECK2(*tptr, sizeof(struct olsr_msg4));
-
if (is_ipv6)
{
+ ND_TCHECK2(*tptr, sizeof(struct olsr_msg6));
msgptr.v6 = (const struct olsr_msg6 *) tptr;
msg_type = msgptr.v6->msg_type;
msg_len = EXTRACT_16BITS(msgptr.v6->msg_len);
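Review bot: The new per-branch `ND_TCHECK2(*tptr, sizeof(struct olsr_msg6))` in front of the `msgptr.v6` assignment has no comment saying why the single `sizeof(struct olsr_msg4)` check it replaces was not enough; that reasoning lives only in the commit message, and the next reader is likely to "simplify" it back into one check. Suggest `/* The fixed message header differs per address family (the IPv6 one carries a 16-byte originator); check for the whole header of the family in use before reading any of its fields. */` above the check, and the same wording above the IPv4 counterpart in the second hunk. Note that this check covers only the fixed header: `msg_len` read on the last line is still packet-controlled, so the `msg_len_valid` handling that presumably follows (outside the hunk) remains what keeps the per-message advance in bounds. olsr_print starts before and continues after this hunk.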
@@ -393,6 +392,7 @@ olsr_print(netdissect_options *ndo,
}
else /* (!is_ipv6) */
{
+ ND_TCHECK2(*tptr, sizeof(struct olsr_msg4));
msgptr.v4 = (const struct olsr_msg4 *) tptr;
msg_type = msgptr.v4->msg_type;
msg_len = EXTRACT_16BITS(msgptr.v4->msg_len);
@@ -616,22 +616,25 @@ olsr_print(netdissect_options *ndo,
case OLSR_NAMESERVICE_MSG:
{
- u_int name_entries = EXTRACT_16BITS(msg_data+2);
- u_int addr_size = 4;
- int name_entries_valid = 0;
+ u_int name_entries;
+ u_int addr_size;
+ int name_entries_valid;
u_int i;
+ if (msg_tlen < 4)
+ goto trunc;
+ ND_TCHECK2(*msg_data, 4);
+
+ name_entries = EXTRACT_16BITS(msg_data+2);
+ addr_size = 4;
if (is_ipv6)
addr_size = 16;
+ name_entries_valid = 0;
if ((name_entries > 0)
&& ((name_entries * (4 + addr_size)) <= msg_tlen))
name_entries_valid = 1;
- if (msg_tlen < 4)
- goto trunc;
- ND_TCHECK2(*msg_data, 4);
-
ND_PRINT((ndo, "\n\t Version %u, Entries %u%s",
EXTRACT_16BITS(msg_data),
name_entries, (name_entries_valid == 0) ? " (invalid)" : ""));