path: root/print-hncp.c
author: Denis Ovsienko <denis@ovsienko.info> 2017-07-29 18:52:38 +0100
committer: Denis Ovsienko <denis@ovsienko.info> 2017-09-13 12:25:44 +0100
commit: 39582c04cc5e34054b2936b423072fb9df2ff6ef
tree: fe9574ee05d00aa37b0ff7252abb0c04b6ddbab4 /print-hncp.c
parent: f4b9e24c7384d882a7f434cc7413925bf871d63e
download: tcpdump-39582c04cc5e34054b2936b423072fb9df2ff6ef.tar.gz
CVE-2017-13042/HNCP: add DHCPv6-Data bounds checks
hncp_print_rec() validates each HNCP TLV to be within the declared as well as the on-the-wire packet space. However, dhcpv6_print() in the same file didn't do the same for the DHCPv6 options within the HNCP DHCPv6-Data TLV value, which could cause an out-of-bounds read when decoding an invalid packet. Add missing checks to dhcpv6_print(). This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
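As an added illustration (this is not tcpdump's code), the following C program models the DHCPv6 option walker the commit message describes: a loop over 2-byte type, 2-byte length, value records inside a buffer of `length` bytes. `walk_unchecked` mirrors the pre-fix logic but, instead of dereferencing memory past the buffer, records the highest offset the real walker would have read, so the over-read is observable without undefined behaviour; `walk_checked` adds the two bounds checks from the patch. The helper name `be16`, the two function names and the sample option buffers are constructed for this example and are not from the reporter's capture.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Big-endian 16-bit read; stands in for tcpdump's EXTRACT_16BITS (helper name is ours). */
static unsigned be16(const uint8_t *p)
{
    return ((unsigned)p[0] << 8) | p[1];
}

/*
 * Pre-fix behaviour: the loop trusts `i < length` alone.  To stay defined,
 * this model never reads past `length`; it records in *max_off the highest
 * offset (exclusive) the real walker would have read, so an over-read shows
 * up as *max_off > length.  Returns the number of options it would walk.
 */
int walk_unchecked(const uint8_t *cp, size_t length, size_t *max_off)
{
    size_t i = 0;
    int n = 0;

    *max_off = 0;
    while (i < length) {
        unsigned optlen;

        /* The 4-byte header read covers cp[i] .. cp[i + 3]. */
        if (i + 4 > *max_off)
            *max_off = i + 4;
        /* Only read optlen when the header really is inside the buffer;
         * a truncated header is modelled as optlen == 0 so the loop ends. */
        optlen = (i + 4 <= length) ? be16(cp + i + 2) : 0;
        /* The per-type decoders then read optlen bytes of value. */
        if (i + 4 + optlen > *max_off)
            *max_off = i + 4 + optlen;
        n++;
        i += 4 + optlen;
    }
    return n;
}

/*
 * Post-fix behaviour: the two checks added by the patch.  Returns the number
 * of options, or -1 when the option list is truncated.  As in tcpdump, this
 * assumes `length` has already been clamped to the captured data by the caller.
 */
int walk_checked(const uint8_t *cp, size_t length)
{
    size_t i = 0;
    int n = 0;

    while (i < length) {
        unsigned type, optlen;

        if (i + 4 > length)          /* option header would run past the value */
            return -1;
        type = be16(cp + i);
        optlen = be16(cp + i + 2);
        if (i + 4 + optlen > length) /* declared value length exceeds what remains */
            return -1;
        (void)type;                  /* a real decoder would switch on it here */
        n++;
        i += 4 + optlen;
    }
    return n;
}

/* Constructed samples (not from the reporter's capture). */
const uint8_t sample_good[] = {
    0x00, 0x17, 0x00, 0x10,                         /* DNS servers option, 16 bytes */
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x53,
    0x00, 0x18, 0x00, 0x00,                         /* domain list option, empty */
};
/* Same bytes, but the enclosing TLV claims only 22 of them: second header cut. */
const size_t sample_cut_header_len = 22;
/* Option claims 16 value bytes but only 8 are present. */
const uint8_t sample_cut_value[] = {
    0x00, 0x17, 0x00, 0x10,
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,
};

int main(void)
{
    size_t m;

    walk_unchecked(sample_good, sizeof sample_good, &m);
    printf("good:       checked=%d unchecked_max=%zu/%zu\n",
           walk_checked(sample_good, sizeof sample_good), m, sizeof sample_good);
    walk_unchecked(sample_good, sample_cut_header_len, &m);
    printf("cut header: checked=%d unchecked_max=%zu/%zu\n",
           walk_checked(sample_good, sample_cut_header_len), m, sample_cut_header_len);
    walk_unchecked(sample_cut_value, sizeof sample_cut_value, &m);
    printf("cut value:  checked=%d unchecked_max=%zu/%zu\n",
           walk_checked(sample_cut_value, sizeof sample_cut_value), m, sizeof sample_cut_value);
    return 0;
}
```

On the well-formed sample both walkers agree; on the two truncated samples the unchecked model reports a high-water mark beyond `length` (24 of 22, and 20 of 12), which is exactly the read the patch prevents, while the checked walker stops with -1 before touching those bytes.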
Diffstat (limited to 'print-hncp.c')
-rw-r--r-- print-hncp.c | 4
1 files changed, 4 insertions, 0 deletions
diff --git a/print-hncp.c b/print-hncp.c
index 32adafa9..d0c9a3ea 100644
--- a/print-hncp.c
+++ b/print-hncp.c
@@ -318,6 +318,8 @@ dhcpv6_print(netdissect_options *ndo,
i = 0;
while (i < length) {
+ if (i + 4 > length)
+ return -1;
tlv = cp + i;
type = EXTRACT_16BITS(tlv);
optlen = EXTRACT_16BITS(tlv + 2);
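Review bot: the new header check `if (i + 4 > length) return -1;` relies on `length` already being clamped to the captured packet (the commit message says hncp_print_rec() does this for the enclosing TLV), but nothing in dhcpv6_print() itself states or enforces that precondition, so a future caller passing an unclamped length would reintroduce the over-read; suggest a comment above `while (i < length)` recording the assumption, or a capture-length check (ND_TCHECK-style) at function entry. Also, the bare `return -1` gives no indication in the output that an option header was truncated; consider emitting a truncation marker before returning.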
@@ -329,6 +331,8 @@ dhcpv6_print(netdissect_options *ndo,
ND_PRINT((ndo, "%s", tok2str(dh6opt_str, "Unknown", type)));
ND_PRINT((ndo," (%u)", optlen + 4 ));
+ if (i + 4 + optlen > length)
+ return -1;
switch (type) {
case DH6OPT_DNS_SERVERS:
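Review bot: the value-length check `if (i + 4 + optlen > length) return -1;` comes after the two ND_PRINT calls that already emitted the option name and `(optlen + 4)`, so a truncated option leaves a half-printed entry and then returns silently; moving the check up to directly after `optlen = EXTRACT_16BITS(tlv + 2);` would keep both bounds checks together and avoid printing an option that will not be decoded. It is also worth confirming that `i` and `length` are declared wide enough that `i + 4 + optlen` cannot wrap (the declarations are outside this hunk); with a 16-bit `optlen` that holds for any type at least 32 bits wide.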