authorGuy Harris <guy@alum.mit.edu>2017-02-04 15:33:12 -0800
committerDenis Ovsienko <denis@ovsienko.info>2017-09-13 12:25:44 +0100
commitde981e6070d168b58ec1bb0713ded77ed4ad87f4 (patch)
tree7d62ebf31135108a32ddbb7859982e6cf493d9fd /print-eigrp.c
parent7ac73d6cd41e9d4ac0ca7e6830ca390e195bb21c (diff)
CVE-2017-12901/EIGRP: Do more length checks.
This fixes a buffer over-read discovered by Forcepoint's security researchers Otto Airamo & Antti Levomäki. Add a test using the capture file supplied by the reporter(s).
Diffstat (limited to 'print-eigrp.c')
-rw-r--r--print-eigrp.c47
1 files changed, 47 insertions, 0 deletions
diff --git a/print-eigrp.c b/print-eigrp.c
index 053933c5..aa113415 100644
--- a/print-eigrp.c
+++ b/print-eigrp.c
@@ -31,6 +31,7 @@
/*
* packet format documented at
* http://www.rhyshaden.com/eigrp.htm
+ * RFC 7868
*/
struct eigrp_common_header {
@@ -246,6 +247,12 @@ eigrp_print(netdissect_options *ndo, register const u_char *pptr, register u_int
/* ok they seem to want to know everything - lets fully decode it */
+ if (len < sizeof(struct eigrp_common_header)) {
+ ND_PRINT((ndo, "EIGRP %s, length: %u (too short, < %u)",
+ tok2str(eigrp_opcode_values, "unknown (%u)",eigrp_com_header->opcode),
+ len, (u_int) sizeof(struct eigrp_common_header)));
+ return;
+ }
tlen=len-sizeof(struct eigrp_common_header);
/* FIXME print other header info */
@@ -286,6 +293,11 @@ eigrp_print(netdissect_options *ndo, register const u_char *pptr, register u_int
eigrp_tlv_type,
eigrp_tlv_len));
+ if (eigrp_tlv_len < sizeof(struct eigrp_tlv_header)) {
+ ND_PRINT((ndo, " (too short, < %u)",
+ (u_int) sizeof(struct eigrp_tlv_header)));
+ break;
+ }
tlv_tptr=tptr+sizeof(struct eigrp_tlv_header);
tlv_tlen=eigrp_tlv_len-sizeof(struct eigrp_tlv_header);
@@ -296,6 +308,11 @@ eigrp_print(netdissect_options *ndo, register const u_char *pptr, register u_int
case EIGRP_TLV_GENERAL_PARM:
tlv_ptr.eigrp_tlv_general_parm = (const struct eigrp_tlv_general_parm_t *)tlv_tptr;
+ if (tlv_tlen < sizeof(*tlv_ptr.eigrp_tlv_general_parm)) {
+ ND_PRINT((ndo, " (too short, < %u)",
+ (u_int) (sizeof(struct eigrp_tlv_header) + sizeof(*tlv_ptr.eigrp_tlv_general_parm))));
+ break;
+ }
ND_PRINT((ndo, "\n\t holdtime: %us, k1 %u, k2 %u, k3 %u, k4 %u, k5 %u",
EXTRACT_16BITS(tlv_ptr.eigrp_tlv_general_parm->holdtime),
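Review bot: The same five-line guard is pasted into seven `case` arms (this hunk and the hunks for EIGRP_TLV_SW_VERSION, EIGRP_TLV_IP_INT, EIGRP_TLV_IP_EXT, EIGRP_TLV_AT_CABLE_SETUP, EIGRP_TLV_AT_INT and EIGRP_TLV_AT_EXT), differing only in the struct name; a static helper such as `static int eigrp_tlv_too_short(netdissect_options *ndo, u_int tlv_tlen, size_t need)` that prints the message and returns non-zero would make each arm a one-line `if (eigrp_tlv_too_short(ndo, tlv_tlen, sizeof(*tlv_ptr.eigrp_tlv_general_parm))) break;` and keep the next TLV type from drifting from the pattern. The comparison is against `tlv_tlen` (the payload after the TLV header) while the printed minimum adds `sizeof(struct eigrp_tlv_header)` back in; that is presumably intentional so the number matches the `eigrp_tlv_len` printed just above, but it reads as a mismatch, so a comment on the first guard would help: `/* tlv_tlen excludes the TLV header; report the whole-TLV minimum to match the length printed above */`. These checks only bound the on-wire TLV length, so the captured-length guard (ND_TCHECK on `tptr`/`eigrp_tlv_len`) that I assume precedes the `switch` still has to be in place; it is outside the hunk, so please confirm. The enclosing `eigrp_print` loop and `switch` begin and end outside this hunk.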
@@ -308,6 +325,11 @@ eigrp_print(netdissect_options *ndo, register const u_char *pptr, register u_int
case EIGRP_TLV_SW_VERSION:
tlv_ptr.eigrp_tlv_sw_version = (const struct eigrp_tlv_sw_version_t *)tlv_tptr;
+ if (tlv_tlen < sizeof(*tlv_ptr.eigrp_tlv_sw_version)) {
+ ND_PRINT((ndo, " (too short, < %u)",
+ (u_int) (sizeof(struct eigrp_tlv_header) + sizeof(*tlv_ptr.eigrp_tlv_sw_version))));
+ break;
+ }
ND_PRINT((ndo, "\n\t IOS version: %u.%u, EIGRP version %u.%u",
tlv_ptr.eigrp_tlv_sw_version->ios_major,
@@ -318,6 +340,11 @@ eigrp_print(netdissect_options *ndo, register const u_char *pptr, register u_int
case EIGRP_TLV_IP_INT:
tlv_ptr.eigrp_tlv_ip_int = (const struct eigrp_tlv_ip_int_t *)tlv_tptr;
+ if (tlv_tlen < sizeof(*tlv_ptr.eigrp_tlv_ip_int)) {
+ ND_PRINT((ndo, " (too short, < %u)",
+ (u_int) (sizeof(struct eigrp_tlv_header) + sizeof(*tlv_ptr.eigrp_tlv_ip_int))));
+ break;
+ }
bit_length = tlv_ptr.eigrp_tlv_ip_int->plen;
if (bit_length > 32) {
@@ -347,6 +374,11 @@ eigrp_print(netdissect_options *ndo, register const u_char *pptr, register u_int
case EIGRP_TLV_IP_EXT:
tlv_ptr.eigrp_tlv_ip_ext = (const struct eigrp_tlv_ip_ext_t *)tlv_tptr;
+ if (tlv_tlen < sizeof(*tlv_ptr.eigrp_tlv_ip_ext)) {
+ ND_PRINT((ndo, " (too short, < %u)",
+ (u_int) (sizeof(struct eigrp_tlv_header) + sizeof(*tlv_ptr.eigrp_tlv_ip_ext))));
+ break;
+ }
bit_length = tlv_ptr.eigrp_tlv_ip_ext->plen;
if (bit_length > 32) {
@@ -384,6 +416,11 @@ eigrp_print(netdissect_options *ndo, register const u_char *pptr, register u_int
case EIGRP_TLV_AT_CABLE_SETUP:
tlv_ptr.eigrp_tlv_at_cable_setup = (const struct eigrp_tlv_at_cable_setup_t *)tlv_tptr;
+ if (tlv_tlen < sizeof(*tlv_ptr.eigrp_tlv_at_cable_setup)) {
+ ND_PRINT((ndo, " (too short, < %u)",
+ (u_int) (sizeof(struct eigrp_tlv_header) + sizeof(*tlv_ptr.eigrp_tlv_at_cable_setup))));
+ break;
+ }
ND_PRINT((ndo, "\n\t Cable-range: %u-%u, Router-ID %u",
EXTRACT_16BITS(&tlv_ptr.eigrp_tlv_at_cable_setup->cable_start),
@@ -393,6 +430,11 @@ eigrp_print(netdissect_options *ndo, register const u_char *pptr, register u_int
case EIGRP_TLV_AT_INT:
tlv_ptr.eigrp_tlv_at_int = (const struct eigrp_tlv_at_int_t *)tlv_tptr;
+ if (tlv_tlen < sizeof(*tlv_ptr.eigrp_tlv_at_int)) {
+ ND_PRINT((ndo, " (too short, < %u)",
+ (u_int) (sizeof(struct eigrp_tlv_header) + sizeof(*tlv_ptr.eigrp_tlv_at_int))));
+ break;
+ }
ND_PRINT((ndo, "\n\t Cable-Range: %u-%u, nexthop: ",
EXTRACT_16BITS(&tlv_ptr.eigrp_tlv_at_int->cable_start),
@@ -416,6 +458,11 @@ eigrp_print(netdissect_options *ndo, register const u_char *pptr, register u_int
case EIGRP_TLV_AT_EXT:
tlv_ptr.eigrp_tlv_at_ext = (const struct eigrp_tlv_at_ext_t *)tlv_tptr;
+ if (tlv_tlen < sizeof(*tlv_ptr.eigrp_tlv_at_ext)) {
+ ND_PRINT((ndo, " (too short, < %u)",
+ (u_int) (sizeof(struct eigrp_tlv_header) + sizeof(*tlv_ptr.eigrp_tlv_at_ext))));
+ break;
+ }
ND_PRINT((ndo, "\n\t Cable-Range: %u-%u, nexthop: ",
EXTRACT_16BITS(&tlv_ptr.eigrp_tlv_at_ext->cable_start),