author | Guy Harris <guy@alum.mit.edu> | 2017-02-03 15:34:18 -0800 |
---|---|---|
committer | Denis Ovsienko <denis@ovsienko.info> | 2017-07-22 23:57:42 +0100 |
commit | d9e65de3d94698ec90dbca42962a30dd2f0680e1 (patch) | |
tree | ff24265ba30eb3ed342af50641956c891a8323db /print-stp.c | |
parent | 1bf91b1413a6d0eefb4c49bafdb612befa838556 (diff) | |
download | tcpdump-d9e65de3d94698ec90dbca42962a30dd2f0680e1.tar.gz |
CVE-2017-11108/Fix bounds checking for STP.
Check whether the flags are in the captured data before printing them in
an MSTP BPDU.
Check whether V4 length is in the captured data before fetching it.
This fixes a vulnerability discovered by Kamil Frankowicz.
Include a test for the "check whether the V4 length is..." fix, using
the capture supplied by Kamil Frankowicz.
Diffstat (limited to 'print-stp.c')
-rw-r--r-- | print-stp.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/print-stp.c b/print-stp.c index 2f5c9175..ee0627ca 100644 --- a/print-stp.c +++ b/print-stp.c @@ -256,6 +256,7 @@ stp_print_mstp_bpdu(netdissect_options *ndo, const struct stp_bpdu_ *stp_bpdu, return 1; } + ND_TCHECK(stp_bpdu->flags); ND_PRINT((ndo, "\n\tport-role %s, ", tok2str(rstp_obj_port_role_values, "Unknown", RSTP_EXTRACT_PORT_ROLE(stp_bpdu->flags)))); @@ -475,6 +476,7 @@ stp_print(netdissect_options *ndo, const u_char *p, u_int length) if (stp_bpdu->protocol_version == STP_PROTO_SPB) { /* Validate v4 length */ + ND_TCHECK_16BITS(p + MST_BPDU_VER3_LEN_OFFSET + mstp_len); spb_len = EXTRACT_16BITS (p + MST_BPDU_VER3_LEN_OFFSET + mstp_len); spb_len += 2; if (length < (sizeof(struct stp_bpdu_) + mstp_len + spb_len) || |
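Review bot: In the first hunk (stp_print_mstp_bpdu, at -256), the new ND_TCHECK(stp_bpdu->flags) has no regression test of its own: the commit message says the included capture exercises the V4 length fix. Consider adding a capture that ends before the flags field so this path is covered as well. The placement itself is right, directly ahead of the ND_PRINT that reads stp_bpdu->flags through RSTP_EXTRACT_PORT_ROLE.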
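Review bot: In the second hunk (stp_print, at -475), the address p + MST_BPDU_VER3_LEN_OFFSET + mstp_len is now written out twice, once in ND_TCHECK_16BITS and once in EXTRACT_16BITS, so a later edit to one can leave the other checking a different location. Computing the address once into a local pointer and passing it to both macros would keep the check and the fetch tied together. Separately, the offset depends on mstp_len, and its validation is not visible in this context; it is worth confirming that it is bounded before it is used here.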