File tcpdump-CVE-2018-16230.patch of Package tcpdump.22839

Overview Repositories Revisions Requests Users Attributes Meta

File tcpdump-CVE-2018-16230.patch of Package tcpdump.22839

From 13d52e9c0e7caf7e6325b0051bc90a49968be67f Mon Sep 17 00:00:00 2001
From: Denis Ovsienko <denis@ovsienko.info>
Date: Thu, 23 Aug 2018 22:09:16 +0100
Subject: [PATCH] (for 4.9.3) CVE-2018-16230/BGP: fix decoding of MP_REACH_NLRI

When bgp_attr_print() tried to decode the variable-length nexthop value
for the NSAP VPN case, it did not check that the declared length is good
to interpret the value as a mapped IPv4 or IPv6 address. Add missing
checks to make this safe.

This fixes a buffer over-read discovered by Include Security working
under the Mozilla SOS program in 2018 by means of code audit.

Bhargava Shastry, SecT/TU Berlin, had independently identified this
vulnerability by means of fuzzing and provided the packet capture file
for the test.
---
 print-bgp.c                       |   6 +-
 tests/TESTLIST                    |   1 +
 tests/bgp_mp_reach_nlri-oobr.out  | 277 ++++++++++++++++++++++++++++++
 tests/bgp_mp_reach_nlri-oobr.pcap | Bin 0 -> 2789 bytes
 4 files changed, 282 insertions(+), 2 deletions(-)
 create mode 100644 tests/bgp_mp_reach_nlri-oobr.out
 create mode 100644 tests/bgp_mp_reach_nlri-oobr.pcap

diff --git a/print-bgp.c b/print-bgp.c
index b02827ed2..e9b4c2bd9 100644
--- a/print-bgp.c
+++ b/print-bgp.c
@@ -1700,10 +1700,12 @@ bgp_attr_print(netdissect_options *ndo,
                                        bgp_vpn_rd_print(ndo, tptr),
                                        isonsap_string(ndo, tptr+BGP_VPN_RD_LEN,tlen-BGP_VPN_RD_LEN)));
                                 /* rfc986 mapped IPv4 address ? */
-                                if (EXTRACT_32BITS(tptr+BGP_VPN_RD_LEN) ==  0x47000601)
+                                if (tlen == BGP_VPN_RD_LEN + 4 + sizeof(struct in_addr)
+                                    && EXTRACT_32BITS(tptr+BGP_VPN_RD_LEN) ==  0x47000601)
                                     ND_PRINT((ndo, " = %s", ipaddr_string(ndo, tptr+BGP_VPN_RD_LEN+4)));
                                 /* rfc1888 mapped IPv6 address ? */
-                                else if (EXTRACT_24BITS(tptr+BGP_VPN_RD_LEN) ==  0x350000)
+                                else if (tlen == BGP_VPN_RD_LEN + 3 + sizeof(struct in6_addr)
+                                         && EXTRACT_24BITS(tptr+BGP_VPN_RD_LEN) ==  0x350000)
                                     ND_PRINT((ndo, " = %s", ip6addr_string(ndo, tptr+BGP_VPN_RD_LEN+3)));
                                 tptr += tlen;
                                 tlen = 0;

Places

File tcpdump-CVE-2018-16230.patch of Package tcpdump.22839

Places