author | Denis Ovsienko <denis@ovsienko.info> | 2017-08-07 22:43:20 +0100 |
---|---|---|
committer | Denis Ovsienko <denis@ovsienko.info> | 2017-09-13 12:25:44 +0100 |
commit | 289c672020280529fd382f3502efab7100d638ec (patch) | |
tree | 9b21e2d82e45e547847989b40c46fd4c59e27af8 /tests/rsvp_uni-oobr-3.out | |
parent | 331530a4076c69bbd2e3214db6ccbe834fb75640 (diff) | |
download | tcpdump-289c672020280529fd382f3502efab7100d638ec.tar.gz |
CVE-2017-13051/RSVP: fix bounds checks for UNI
Fixup the part of rsvp_obj_print() that decodes the GENERALIZED_UNI
object from RFC 3476 Section 3.1 to check the sub-objects inside that
object more thoroughly.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s).
Diffstat (limited to 'tests/rsvp_uni-oobr-3.out')
-rw-r--r-- | tests/rsvp_uni-oobr-3.out | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/tests/rsvp_uni-oobr-3.out b/tests/rsvp_uni-oobr-3.out new file mode 100644 index 00000000..3afa86e7 --- /dev/null +++ b/tests/rsvp_uni-oobr-3.out @@ -0,0 +1,12 @@ +IP (tos 0x0, ttl 48, id 25615, offset 0, flags [+, DF, rsvd], proto UDP (17), length 61735, bad cksum 8ef1 (->10e1)!) + 1.2.3.3.1812 > 64.112.0.96.4567: wb-29! +IP (tos 0x2,ECT(0), ttl 248, id 0, offset 0, flags [none], proto RSVP (46), length 54312, bad cksum 3701 (->8972)!) + 54.35.0.0 > 47.16.0.0: + RSVPv1 Hello Message (20), Flags: [Refresh reduction capable], length: 65527, ttl: 15, checksum: 0x0902 + Generalized UNI Object (229) Flags: [ignore and forward if unknown], Class-Type: 1 (1), length: 12 + Subobject Type: Unknown (0), AF: HDLC (4), length: 1 (invalid) +IP (tos 0x2,ECT(0), ttl 248, id 0, offset 0, flags [none], proto RSVP (46), length 54312, bad cksum 3701 (->7e72)!) + 54.35.0.0 > 58.16.0.0: + RSVPv1 Hello Message (20), Flags: [Refresh reduction capable], length: 65527, ttl: 15, checksum: 0x0902 + Generalized UNI Object (229) Flags: [ignore and forward if unknown], Class-Type: 1 (1), length: 12 + Subobject Type: Unknown (225), AF: HDLC (4), length: 1 (invalid) |
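Review bot: both expected "Subobject Type: ... length: 1 (invalid)" lines in this new file exercise the same condition, a sub-object length of 1 inside a Generalized UNI object of length 12, so the opposite side of the bounds check (a sub-object length larger than what remains of the enclosing object) is not pinned down by this output. Consider adding a second capture for that case, or stating in the commit message that it is covered elsewhere. The two packets also differ only in destination address, checksum and the unknown sub-object type (0 versus 225), so one of them adds little regression coverage. Finally, the diffstat on this page is limited to the .out file, so confirm that the capture supplied by the reporter and the corresponding test list entry land in the same commit, since the expected-output file alone does not run anything.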