diff options
| author | Guy Harris <guy@alum.mit.edu> | 2017-02-10 19:52:29 -0800 |
|---|---|---|
| committer | Denis Ovsienko <denis@ovsienko.info> | 2017-09-13 12:25:44 +0100 |
| commit | 777edc563aacdaff66a0b829cecd2ccb09a10404 (patch) | |
| tree | 55b97475efe571a2df07188cd12f3db39d9f8454 /tests/hoobr_lookup_nsap.out | |
| parent | 3a76fd7c95fced2c2f8c8148a9055c3a542eff29 (diff) | |
| download | tcpdump-777edc563aacdaff66a0b829cecd2ccb09a10404.tar.gz | |
Further fix the fix to CVE-2017-5485.
1) Take the length of the NSAP into account. Otherwise, if, in our
search of the hash table, we come across a byte string that's shorter
than the string we're looking for, we'll search past the end of the
string in the hash table.
2) The first byte of the byte string in the table is the length of the
NSAP, with the byte *after* that being the first byte of the NSAP, but
the first byte of the byte string passed into lookup_nsap() is the first
byte of the NSAP, with the length passed in as a separate argument. Do
the comparison correctly.
This fixes a vulnerability discovered by Kamil Frankowicz.
Add a test using the capture file supplied by the reporter(s).
While we're at it, clean up the fix to lookup_bytestring():
1) Get rid of an unused structure member and an unused #define.
2) Get rid of an incorrect "+ 1" when calculating the size of the byte
array to allocate - that was left over from the NSAP table, where the
length was guaranteed to fit in 1 byte and we used the first byte of the
array to hold the length of the rest of the array.
Diffstat (limited to 'tests/hoobr_lookup_nsap.out')
| -rw-r--r-- | tests/hoobr_lookup_nsap.out | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/tests/hoobr_lookup_nsap.out b/tests/hoobr_lookup_nsap.out new file mode 100644 index 00000000..7d8613b0 --- /dev/null +++ b/tests/hoobr_lookup_nsap.out @@ -0,0 +1,23 @@ +30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: + 0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0010: 3030 3030 3030 000000 +30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: + 0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0010: 3030 3030 3030 000000 +30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: + 0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0010: 3030 3030 3030 000000 +30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: + 0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0010: 3030 3030 3030 000000 +30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: + 0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0010: 3030 3030 3030 000000 +30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: + 0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0010: 3030 3030 3030 000000 +CLNP, 30.0000.0000.0000 > 30.3030, unknown (16), length 808464417 +30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: + 0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0010: 3030 3030 3030 000000 +CLNP, 30.0000.0000.0000 > 30.3030, unknown (16), length 808464417 |