-rw-r--r-- | print-mobility.c | 22 | ||||
-rw-r--r-- | tests/TESTLIST | 14 | ||||
-rw-r--r-- | tests/cve2015-0261-crash.out | 1 | ||||
-rw-r--r-- | tests/cve2015-0261-crash.pcap | bin | 0 -> 201 bytes | |||
-rw-r--r-- | tests/cve2015-0261-ipv6.out | 1 | ||||
-rw-r--r-- | tests/cve2015-0261-ipv6.pcap | bin | 0 -> 682 bytes |
6 files changed, 37 insertions, 1 deletions
diff --git a/print-mobility.c b/print-mobility.c index 83447cff..b6fa61e9 100644 --- a/print-mobility.c +++ b/print-mobility.c @@ -69,6 +69,18 @@ struct ip6_mobility { #define IP6M_BINDING_UPDATE 5 /* Binding Update */ #define IP6M_BINDING_ACK 6 /* Binding Acknowledgement */ #define IP6M_BINDING_ERROR 7 /* Binding Error */ +#define IP6M_MAX 7 + +static const unsigned ip6m_hdrlen[IP6M_MAX + 1] = { + IP6M_MINLEN, /* IP6M_BINDING_REQUEST */ + IP6M_MINLEN + 8, /* IP6M_HOME_TEST_INIT */ + IP6M_MINLEN + 8, /* IP6M_CAREOF_TEST_INIT */ + IP6M_MINLEN + 16, /* IP6M_HOME_TEST */ + IP6M_MINLEN + 16, /* IP6M_CAREOF_TEST */ + IP6M_MINLEN + 4, /* IP6M_BINDING_UPDATE */ + IP6M_MINLEN + 4, /* IP6M_BINDING_ACK */ + IP6M_MINLEN + 16, /* IP6M_BINDING_ERROR */ +}; /* XXX: unused */ #define IP6MOPT_BU_MINLEN 10 @@ -95,16 +107,20 @@ mobility_opt_print(netdissect_options *ndo, unsigned i, optlen; for (i = 0; i < len; i += optlen) { + ND_TCHECK(bp[i]); if (bp[i] == IP6MOPT_PAD1) optlen = 1; else { - if (i + 1 < len) + if (i + 1 < len) { + ND_TCHECK(bp[i + 1]); optlen = bp[i + 1] + 2; + } else goto trunc; } if (i + optlen > len) goto trunc; + ND_TCHECK(bp[i + optlen]); switch (bp[i]) { case IP6MOPT_PAD1: @@ -203,6 +219,10 @@ mobility_print(netdissect_options *ndo, ND_TCHECK(mh->ip6m_type); type = mh->ip6m_type; + if (type <= IP6M_MAX && mhlen < ip6m_hdrlen[type]) { + ND_PRINT((ndo, "(header length %u is too small for type %u)", mhlen, type)); + goto trunc; + } switch (type) { case IP6M_BINDING_REQUEST: ND_PRINT((ndo, "mobility: BRR")); diff --git a/tests/TESTLIST b/tests/TESTLIST index 472468c5..788d532d 100644 --- a/tests/TESTLIST +++ b/tests/TESTLIST 
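Review bot: The `ip6m_hdrlen` table ties each minimum length to its message type only by position and a trailing comment, so a reordered or newly inserted type would silently pair the wrong length with the guard that reads it. If the project's compiler baseline allows designated initializers, writing the entries as `[IP6M_BINDING_UPDATE] = IP6M_MINLEN + 4,` makes the mapping explicit, and `IP6M_MAX` could be defined as `IP6M_BINDING_ERROR` instead of a second literal 7. A one-line comment above the table, saying that the values are per-type minimum header lengths in the same units as `mhlen`, would help the next reader. The definitions of types 0–4 and of `IP6M_MINLEN` lie outside the hunk.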
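Review bot: `ND_TCHECK(bp[i + optlen]);` in mobility_opt_print tests the byte one past the option rather than the option itself. The preceding `if (i + optlen > len)` still allows `i + optlen == len`, where `bp[i + optlen]` is the first byte after the options area. Assuming ND_TCHECK jumps to `trunc` when the addressed byte lies beyond the captured data, a final option that ends exactly at the end of the capture would be reported as truncated although all of its bytes are present. Checking the option's own extent with `ND_TCHECK2(bp[i], optlen);` bounds the reads in the switch that follows without requiring that extra byte. The function begins before the hunk and the switch body continues after it.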
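Review bot: The new length guard in mobility_print reports a malformed header through the `trunc` label, so a fully captured packet whose length is too small for its type is printed with the same truncation marker as a short capture. The expected output added in tests/cve2015-0261-crash.out shows the two strings back to back, `(header length 8 is too small for type 1)[|MOBILITY]`. If the project has a separate convention for invalid rather than truncated data, this path should use it; otherwise a comment above the guard would record the intent, for example `/* a header shorter than the fixed part for its type must not reach the per-type printers below */`. Types above `IP6M_MAX` skip the guard, which appears intended but is worth stating in the same comment. The declarations of `mhlen` and `type` are outside the hunk, so confirm both are unsigned to match the `%u` conversions.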
@@ -267,3 +267,17 @@ geneve-tcp geneve.pcap geneve-tcp.out -t "geneve && tcp" # DHCP tests dhcp-rfc3004 dhcp-rfc3004.pcap dhcp-rfc3004-v.out -t -v dhcp-rfc5859 dhcp-rfc5859.pcap dhcp-rfc5859-v.out -t -v + +# bad packets from Kevin Day +kday1 kday1.pcap kday1.out -t -v +kday2 kday2.pcap kday2.out -t -v +kday3 kday3.pcap kday3.out -t -v +kday4 kday4.pcap kday4.out -t -v +kday5 kday5.pcap kday5.out -t -v +kday6 kday6.pcap kday6.out -t -v +kday7 kday7.pcap kday7.out -t -v +kday8 kday8.pcap kday8.out -t -v + +# bad packets from reversex86. +cve2015-0261_01 cve2015-0261-ipv6.pcap cve2015-0261-ipv6.out -t -v +cve2015-0261_02 cve2015-0261-crash.pcap cve2015-0261-crash.out -t -v diff --git a/tests/cve2015-0261-crash.out b/tests/cve2015-0261-crash.out new file mode 100644 index 00000000..1946280c --- /dev/null +++ b/tests/cve2015-0261-crash.out @@ -0,0 +1 @@ +IP6 (class 0x03, flowlabel 0x03030, hlim 48, next-header Options (0) payload length: 12336) 3030:3030:3030:3030:3030:3030:3030:3030 > 130:3030:3030:3030:3030:3030:3030:3030: HBH [trunc] (header length 8 is too small for type 1)[|MOBILITY] diff --git a/tests/cve2015-0261-crash.pcap b/tests/cve2015-0261-crash.pcap Binary files differnew file mode 100644 index 00000000..c876c1ff --- /dev/null +++ b/tests/cve2015-0261-crash.pcap diff --git a/tests/cve2015-0261-ipv6.out b/tests/cve2015-0261-ipv6.out new file mode 100644 index 00000000..5edcddac --- /dev/null +++ b/tests/cve2015-0261-ipv6.out @@ -0,0 +1 @@ +EXIT CODE 00000100 diff --git a/tests/cve2015-0261-ipv6.pcap b/tests/cve2015-0261-ipv6.pcap Binary files differnew file mode 100644 index 00000000..a8a32ba9 --- /dev/null +++ b/tests/cve2015-0261-ipv6.pcap |
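Review bot: The tests/TESTLIST hunk registers `kday1` through `kday8`, but the diffstat of this commit adds only the two cve2015-0261 capture/output pairs and no `kday*.pcap` or `kday*.out` files. Unless those files are already in the tree, the eight new entries would fail on missing inputs. Either confirm they exist on this branch or move the kday lines to the commit that adds their data.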