File 0003-test-case-for-cve2015-0261-corrupted-IPv6-mobility-h.patch of Package tcpdump.2563
From 089ec2bd856dd17f6db62150b92ab7bb723bb31f Mon Sep 17 00:00:00 2001
From: Michael Richardson <mcr@sandelman.ca>
Date: Sun, 15 Feb 2015 21:22:11 -0500
Subject: [PATCH 3/3] test case for cve2015-0261 -- corrupted IPv6 mobility header backport to 4.3
---
 print-mobility.c | 26 +++++++++++++++++++++++---
 tests/TESTLIST | 21 +++++++++++++--------
 tests/cve2015-0261-crash.out | 1 +
 tests/cve2015-0261-crash.pcap | Bin 0 -> 201 bytes
 tests/cve2015-0261-ipv6.out | 3 +++
 tests/cve2015-0261-ipv6.pcap | Bin 0 -> 682 bytes
 6 files changed, 40 insertions(+), 11 deletions(-)
 create mode 100644 tests/cve2015-0261-crash.out
 create mode 100644 tests/cve2015-0261-crash.pcap
 create mode 100644 tests/cve2015-0261-ipv6.out
 create mode 100644 tests/cve2015-0261-ipv6.pcap
Index: tcpdump-4.4.0/print-mobility.c
===================================================================
--- tcpdump-4.4.0.orig/print-mobility.c 2013-02-21 04:54:35.000000000 +0100
+++ tcpdump-4.4.0/print-mobility.c 2015-03-19 18:29:35.894271954 +0100
@@ -1,7 +1,7 @@
 /*
 * Copyright (C) 2002 WIDE Project.
 * All rights reserved.
- *
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -13,7 +13,7 @@
 * 3. Neither the name of the project nor the names of its contributors
 * may be used to endorse or promote products derived from this software
 * without specific prior written permission.
- *
+ *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -74,6 +74,18 @@ struct ip6_mobility {
 #define IP6M_BINDING_UPDATE 5 /* Binding Update */
 #define IP6M_BINDING_ACK 6 /* Binding Acknowledgement */
 #define IP6M_BINDING_ERROR 7 /* Binding Error */
+#define IP6M_MAX 7
+
+static const unsigned ip6m_hdrlen[IP6M_MAX + 1] = {
+ IP6M_MINLEN, /* IP6M_BINDING_REQUEST */
+ IP6M_MINLEN + 8, /* IP6M_HOME_TEST_INIT */
+ IP6M_MINLEN + 8, /* IP6M_CAREOF_TEST_INIT */
+ IP6M_MINLEN + 16, /* IP6M_HOME_TEST */
+ IP6M_MINLEN + 16, /* IP6M_CAREOF_TEST */
+ IP6M_MINLEN + 4, /* IP6M_BINDING_UPDATE */
+ IP6M_MINLEN + 4, /* IP6M_BINDING_ACK */
+ IP6M_MINLEN + 16, /* IP6M_BINDING_ERROR */
+};
 /* Mobility Header Options */
 #define IP6MOPT_MINLEN 2
@@ -95,16 +107,20 @@ mobility_opt_print(const u_char *bp, int
 int optlen;
 for (i = 0; i < len; i += optlen) {
+ TCHECK(bp[i]);
 if (bp[i] == IP6MOPT_PAD1)
 optlen = 1;
 else {
- if (i + 1 < len)
+ if (i + 1 < len) {
+ TCHECK(bp[i + 1]);
 optlen = bp[i + 1] + 2;
+ }
 else
 goto trunc;
 }
 if (i + optlen > len)
 goto trunc;
+ TCHECK(bp[i + optlen]);
 switch (bp[i]) {
 case IP6MOPT_PAD1:
@@ -201,6 +217,10 @@ mobility_print(const u_char *bp, const u
 TCHECK(mh->ip6m_type);
 type = mh->ip6m_type;
+ if (type <= IP6M_MAX && mhlen < ip6m_hdrlen[type]) {
+ printf("(header length %u is too small for type %u)", mhlen, type);
+ goto trunc;
+ }
 switch (type) {
 case IP6M_BINDING_REQUEST:
 printf("mobility: BRR");
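Review bot: The `ip6m_hdrlen` table added after `IP6M_BINDING_ERROR` is filled positionally, so it is only correct if the `IP6M_*` type codes are exactly 0 through 7 in this order and `IP6M_MAX` is kept equal to the highest code by hand; neither assumption is stated or checked. Only the codes 5, 6 and 7 are visible in this hunk, the lower ones and `IP6M_MINLEN` are defined above it. A comment above the table such as `/* minimum header length for each mobility header type, indexed by ip6m_type; keep in step with IP6M_MAX */` would record that. Without it, a type added later gets a zero minimum if only `IP6M_MAX` is raised, or skips the length check entirely if it is not.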
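Review bot: In mobility_opt_print the added `TCHECK(bp[i + optlen]);` tests the byte one past the option rather than the option itself, so an option that ends exactly at the last captured byte can be reported as truncated even though all of it is present. That errs on the safe side, but checking the range the switch is about to read, `TCHECK2(bp[i], optlen);`, would be exact and states the intent directly. The per-option cases of the switch continue outside the hunk, so whether they perform further bounds checks of their own cannot be seen here.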
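Review bot: The guard added in mobility_print mixes signedness: `mhlen < ip6m_hdrlen[type]` compares against an `unsigned` table entry and the message prints `mhlen` and `type` with `%u`. Both variables are declared outside this hunk; if they are `int`, the comparison is carried out in unsigned arithmetic and the format specifiers do not match their arguments. Either cast at the use, `printf("(header length %u is too small for type %u)", (unsigned)mhlen, (unsigned)type);`, or declare the table with the same type as `mhlen`. Types above `IP6M_MAX` bypass the guard by construction of the condition, so the remaining arms of the switch (not visible here) have to cope with any header length on their own.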