CVE-2017-13050/RPKI-Router: fix a few bugs

The decoder didn't properly check that the PDU length stored in the PDU
header is correct. The only check in place was in rpki_rtr_print() and it
tested whether the length is zero but that is not sufficient. Make all
necessary length and bounds checks, both generic and type-specific, in
rpki_rtr_pdu_print() and reduce rpki_rtr_print() to a simple loop.

This also fixes a minor bug and PDU type 0 (Serial Notify from RFC 6810
Section 5.2) is valid again.

In rpki_rtr_pdu_print() any protocol version was considered version 0,
fix it to skip the rest of input if the PDU protocol version is unknown.

Ibid, the PDU type 10 (Error Report from RFC 6810 Section 5.10) case
block didn't consider the "Length of Error Text" data element mandatory,
put it right.

Ibid, when printing an encapsulated PDU, give itself (via recursion)
respective buffer length to make it possible to tell whether the
encapsulated PDU fits. Do not recurse deeper than 2nd level.

Update prior RPKI-Router test cases that now stop to decode earlier
because of the stricter checks.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).

1 files changed, 103 insertions, 66 deletions

diff --git a/print-rpki-rtr.c b/print-rpki-rtr.c
index 6cc592eb..8e4c73f1 100644
--- a/print-rpki-rtr.c
+++ b/print-rpki-rtr.c
@@ -82,6 +82,9 @@ typedef struct rpki_rtr_pdu_ipv6_prefix_ {
 typedef struct rpki_rtr_pdu_error_report_ {
     rpki_rtr_pdu pdu_header;
     u_char encapsulated_pdu_length[4]; /* Encapsulated PDU length */
+    /* Copy of Erroneous PDU (variable, optional) */
+    /* Length of Error Text (4 octets in network byte order) */
+    /* Arbitrary Text of Error Diagnostic Message (variable, optional) */
 } rpki_rtr_pdu_error_report;
 
 /*
@@ -171,17 +174,38 @@ indent_string (u_int indent)
 /*
  * Print a single PDU.
  */
-static int
-rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
+static u_int
+rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, const u_int len,
+	const u_char recurse, const u_int indent)
 {
     const rpki_rtr_pdu *pdu_header;
     u_int pdu_type, pdu_len, hexdump;
     const u_char *msg;
 
+    /* Protocol Version */
+    ND_TCHECK_8BITS(tptr);
+    if (*tptr != 0) {
+	/* Skip the rest of the input buffer because even if this is
+	 * a well-formed PDU of a future RPKI-Router protocol version
+	 * followed by a well-formed PDU of RPKI-Router protocol
+	 * version 0, there is no way to know exactly how to skip the
+	 * current PDU.
+	 */
+	ND_PRINT((ndo, "%sRPKI-RTRv%u (unknown)", indent_string(8), *tptr));
+	return len;
+    }
+    if (len < sizeof(rpki_rtr_pdu)) {
+	ND_PRINT((ndo, "(%u bytes is too few to decode)", len));
+	goto invalid;
+    }
+    ND_TCHECK2(*tptr, sizeof(rpki_rtr_pdu));
     pdu_header = (const rpki_rtr_pdu *)tptr;
     pdu_type = pdu_header->pdu_type;
     pdu_len = EXTRACT_32BITS(pdu_header->length);
-    ND_TCHECK2(*tptr, pdu_len);
+    /* Do not check bounds with pdu_len yet, do it in the case blocks
+     * below to make it possible to decode at least the beginning of
+     * a truncated Error Report PDU or a truncated encapsulated PDU.
+     */
     hexdump = FALSE;
 
     ND_PRINT((ndo, "%sRPKI-RTRv%u, %s PDU (%u), length: %u",
@@ -189,6 +213,8 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
 	   pdu_header->version,
 	   tok2str(rpki_rtr_pdu_values, "Unknown", pdu_type),
 	   pdu_type, pdu_len));
+    if (pdu_len < sizeof(rpki_rtr_pdu) || pdu_len > len)
+	goto invalid;
 
     switch (pdu_type) {
 
@@ -198,6 +224,9 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
     case RPKI_RTR_SERIAL_NOTIFY_PDU:
     case RPKI_RTR_SERIAL_QUERY_PDU:
     case RPKI_RTR_END_OF_DATA_PDU:
+	if (pdu_len != sizeof(rpki_rtr_pdu) + 4)
+	    goto invalid;
+	ND_TCHECK2(*tptr, pdu_len);
         msg = (const u_char *)(pdu_header + 1);
 	ND_PRINT((ndo, "%sSession ID: 0x%04x, Serial: %u",
 	       indent_string(indent+2),
@@ -210,6 +239,9 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
 	 */
     case RPKI_RTR_RESET_QUERY_PDU:
     case RPKI_RTR_CACHE_RESET_PDU:
+	if (pdu_len != sizeof(rpki_rtr_pdu))
+	    goto invalid;
+	/* no additional boundary to check */
 
 	/*
 	 * Zero payload PDUs.
@@ -217,6 +249,9 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
 	break;
 
     case RPKI_RTR_CACHE_RESPONSE_PDU:
+	if (pdu_len != sizeof(rpki_rtr_pdu))
+	    goto invalid;
+	/* no additional boundary to check */
 	ND_PRINT((ndo, "%sSession ID: 0x%04x",
 	       indent_string(indent+2),
 	       EXTRACT_16BITS(pdu_header->u.session_id)));
@@ -226,6 +261,9 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
 	{
 	    const rpki_rtr_pdu_ipv4_prefix *pdu;
 
+	    if (pdu_len != sizeof(rpki_rtr_pdu) + 12)
+		goto invalid;
+	    ND_TCHECK2(*tptr, pdu_len);
 	    pdu = (const rpki_rtr_pdu_ipv4_prefix *)tptr;
 	    ND_PRINT((ndo, "%sIPv4 Prefix %s/%u-%u, origin-as %u, flags 0x%02x",
 		   indent_string(indent+2),
@@ -239,6 +277,9 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
 	{
 	    const rpki_rtr_pdu_ipv6_prefix *pdu;
 
+	    if (pdu_len != sizeof(rpki_rtr_pdu) + 24)
+		goto invalid;
+	    ND_TCHECK2(*tptr, pdu_len);
 	    pdu = (const rpki_rtr_pdu_ipv6_prefix *)tptr;
 	    ND_PRINT((ndo, "%sIPv6 Prefix %s/%u-%u, origin-as %u, flags 0x%02x",
 		   indent_string(indent+2),
@@ -253,10 +294,17 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
 	    const rpki_rtr_pdu_error_report *pdu;
 	    u_int encapsulated_pdu_length, text_length, tlen, error_code;
 
+	    tlen = sizeof(rpki_rtr_pdu);
+	    /* Do not test for the "Length of Error Text" data element yet. */
+	    if (pdu_len < tlen + 4)
+		goto invalid;
+	    ND_TCHECK2(*tptr, tlen + 4);
+	    /* Safe up to and including the "Length of Encapsulated PDU"
+	     * data element, more data elements may be present.
+	     */
 	    pdu = (const rpki_rtr_pdu_error_report *)tptr;
 	    encapsulated_pdu_length = EXTRACT_32BITS(pdu->encapsulated_pdu_length);
-	    ND_TCHECK2(*tptr, encapsulated_pdu_length);
-	    tlen = pdu_len;
+	    tlen += 4;
 
 	    error_code = EXTRACT_16BITS(pdu->pdu_header.u.error_code);
 	    ND_PRINT((ndo, "%sError code: %s (%u), Encapsulated PDU length: %u",
@@ -264,41 +312,58 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
 		   tok2str(rpki_rtr_error_codes, "Unknown", error_code),
 		   error_code, encapsulated_pdu_length));
 
-	    tptr += sizeof(*pdu);
-	    tlen -= sizeof(*pdu);
-
-	    /*
-	     * Recurse if there is an encapsulated PDU.
-	     */
-	    if (encapsulated_pdu_length &&
-		(encapsulated_pdu_length <= tlen)) {
-		ND_PRINT((ndo, "%s-----encapsulated PDU-----", indent_string(indent+4)));
-		if (rpki_rtr_pdu_print(ndo, tptr, indent+2))
-			goto trunc;
+	    if (encapsulated_pdu_length) {
+		/* Section 5.10 of RFC 6810 says:
+		 * "An Error Report PDU MUST NOT be sent for an Error Report PDU."
+		 *
+		 * However, as far as the protocol encoding goes Error Report PDUs can
+		 * happen to be nested in each other, however many times, in which case
+		 * the decoder should still print such semantically incorrect PDUs.
+		 *
+		 * That said, "the Erroneous PDU field MAY be truncated" (ibid), thus
+		 * to keep things simple this implementation decodes only the two
+		 * outermost layers of PDUs and makes bounds checks in the outer and
+		 * the inner PDU independently.
+		 */
+		if (pdu_len < tlen + encapsulated_pdu_length)
+		    goto invalid;
+		if (! recurse) {
+		    ND_TCHECK2(*tptr, tlen + encapsulated_pdu_length);
+		}
+		else {
+		    ND_PRINT((ndo, "%s-----encapsulated PDU-----", indent_string(indent+4)));
+		    rpki_rtr_pdu_print(ndo, tptr + tlen,
+			encapsulated_pdu_length, 0, indent + 2);
+		}
+		tlen += encapsulated_pdu_length;
 	    }
 
-	    tptr += encapsulated_pdu_length;
-	    tlen -= encapsulated_pdu_length;
+	    if (pdu_len < tlen + 4)
+		goto invalid;
+	    ND_TCHECK2(*tptr, tlen + 4);
+	    /* Safe up to and including the "Length of Error Text" data element,
+	     * one more data element may be present.
+	     */
 
 	    /*
 	     * Extract, trail-zero and print the Error message.
 	     */
-	    text_length = 0;
-	    if (tlen > 4) {
-		text_length = EXTRACT_32BITS(tptr);
-		tptr += 4;
-		tlen -= 4;
-	    }
-	    ND_TCHECK2(*tptr, text_length);
-	    if (text_length && (text_length <= tlen )) {
+	    text_length = EXTRACT_32BITS(tptr + tlen);
+	    tlen += 4;
+
+	    if (text_length) {
+		if (pdu_len < tlen + text_length)
+		    goto invalid;
+		/* fn_printn() makes the bounds check */
 		ND_PRINT((ndo, "%sError text: ", indent_string(indent+2)));
-		if (fn_printn(ndo, tptr, text_length, ndo->ndo_snapend))
+		if (fn_printn(ndo, tptr + tlen, text_length, ndo->ndo_snapend))
 			goto trunc;
 	    }
 	}
 	break;
 
     default:
+	ND_TCHECK2(*tptr, pdu_len);
 
 	/*
 	 * Unknown data, please hexdump.
@@ -310,57 +375,29 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
     if (ndo->ndo_vflag > 1 || (ndo->ndo_vflag && hexdump)) {
 	print_unknown_data(ndo,tptr,"\n\t  ", pdu_len);
     }
-    return 0;
+    return pdu_len;
 
+invalid:
+    ND_PRINT((ndo, "%s", istr));
+    ND_TCHECK2(*tptr, len);
+    return len;
 trunc:
-    return 1;
+    ND_PRINT((ndo, "\n\t%s", tstr));
+    return len;
 }
 
 void
 rpki_rtr_print(netdissect_options *ndo, register const u_char *pptr, register u_int len)
 {
-    u_int tlen, pdu_type, pdu_len;
-    const u_char *tptr;
-    const rpki_rtr_pdu *pdu_header;
-
-    tptr = pptr;
-    tlen = len;
-
     if (!ndo->ndo_vflag) {
 	ND_PRINT((ndo, ", RPKI-RTR"));
 	return;
     }
-
-    while (tlen >= sizeof(rpki_rtr_pdu)) {
-
-        ND_TCHECK2(*tptr, sizeof(rpki_rtr_pdu));
-
-	pdu_header = (const rpki_rtr_pdu *)tptr;
-        pdu_type = pdu_header->pdu_type;
-        pdu_len = EXTRACT_32BITS(pdu_header->length);
-        ND_TCHECK2(*tptr, pdu_len);
-
-        /* infinite loop check */
-        if (!pdu_type || !pdu_len) {
-            break;
-        }
-
-        if (tlen < pdu_len) {
-            goto trunc;
-        }
-
-	/*
-	 * Print the PDU.
-	 */
-	if (rpki_rtr_pdu_print(ndo, tptr, 8))
-		goto trunc;
-
-        tlen -= pdu_len;
-        tptr += pdu_len;
+    while (len) {
+	u_int pdu_len = rpki_rtr_pdu_print(ndo, pptr, len, 1, 8);
+	len -= pdu_len;
+	pptr += pdu_len;
     }
-    return;
-trunc:
-    ND_PRINT((ndo, "\n\t%s", tstr));
 }
 
 /*