CVE-2017-13038/PPP: Do bounds checking.

This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter. Add a test using the capture file supplied by Katie Holly.
the-tcpdump-group · Sep 13, 2017 · 7335163 · 7335163
1 parent 3cb7c9a
commit 7335163
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 0 deletions.
diff --git a/print-ppp.c b/print-ppp.c
@@ -811,6 +811,15 @@ handle_mlppp(netdissect_options *ndo,
     if (!ndo->ndo_eflag)
         ND_PRINT((ndo, "MLPPP, "));
 
+    if (length < 2) {
+        ND_PRINT((ndo, "[|mlppp]"));
+        return;
+    }
+    if (!ND_TTEST_16BITS(p)) {
+        ND_PRINT((ndo, "[|mlppp]"));
+        return;
+    }
+
     ND_PRINT((ndo, "seq 0x%03x, Flags [%s], length %u",
            (EXTRACT_16BITS(p))&0x0fff, /* only support 12-Bit sequence space for now */
            bittok2str(ppp_ml_flag_values, "none", *p & 0xc0),

diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -554,6 +554,9 @@ radius_attr_asan	radius_attr_asan.pcap		radius_attr_asan.out	-v
 ospf6_decode_v3_asan	ospf6_decode_v3_asan.pcap	ospf6_decode_v3_asan.out -v
 ip_ts_opts_asan		ip_ts_opts_asan.pcap		ip_ts_opts_asan.out	-v
 
+# bad packets from Katie Holly
+mlppp-oobr		mlppp-oobr.pcap			mlppp-oobr.out
+
 # RTP tests
 # fuzzed pcap
 rtp-seg-fault-1  rtp-seg-fault-1.pcap  rtp-seg-fault-1.out  -v -T rtp

diff --git a/tests/mlppp-oobr.out b/tests/mlppp-oobr.out
@@ -0,0 +1 @@
+MLPPP, [|mlppp]
diff --git a/tests/mlppp-oobr.pcap b/tests/mlppp-oobr.pcap