authorGuy Harris <guy@alum.mit.edu>2017-02-13 11:11:42 -0800
committerDenis Ovsienko <denis@ovsienko.info>2017-09-13 12:25:44 +0100
commit34cec721d39c76be1e0a600829a7b17bdfb832b6 (patch)
tree5c331b78a4674ebac62d19eda6f8ef163274a3a4
parent979dcefd7b259e9e233f77fe1c5312793bfd948f (diff)
downloadtcpdump-34cec721d39c76be1e0a600829a7b17bdfb832b6.tar.gz
CVE-2017-12997/LLDP: Don't use an 8-bit loop counter.
If you have a for (i = 0; i < N; i++) loop, you had better make sure that i is big enough to hold N itself, not just N-1. The TLV length here is 9 bits wide, not 8, so an 8-bit loop counter wraps around and the loop never terminates. This fixes an infinite loop discovered by Forcepoint's security researchers Otto Airamo & Antti Levomäki. Add tests using the capture files supplied by the reporter(s). Clean up the output a bit while we're at it.
-rw-r--r--print-lldp.c8
-rw-r--r--tests/TESTLIST2
-rw-r--r--tests/lldp-infinite-loop-1.out134
-rw-r--r--tests/lldp-infinite-loop-1.pcapbin0 -> 1795 bytes
-rw-r--r--tests/lldp-infinite-loop-2.out161
-rw-r--r--tests/lldp-infinite-loop-2.pcapbin0 -> 2170 bytes
6 files changed, 301 insertions, 4 deletions
diff --git a/print-lldp.c b/print-lldp.c
index fbafd6d5..dfdf1b94 100644
--- a/print-lldp.c
+++ b/print-lldp.c
@@ -651,7 +651,7 @@ lldp_private_8021_print(netdissect_options *ndo,
int subtype, hexdump = FALSE;
u_int sublen;
u_int tval;
- uint8_t i;
+ u_int i;
if (tlv_len < 4) {
return hexdump;
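Review bot: The widened counter on the `u_int i;` line fixes the wrap, but nothing at the declaration records why `i` must not be narrower than `sublen`, which invites a later "tightening" back to uint8_t that would silently reintroduce the hang. A short comment would anchor it, e.g. `u_int i;  /* compared against sublen (u_int); TLV lengths are 9 bits, so an 8-bit counter wrapped and looped forever (CVE-2017-12997) */`. The function body continues past both ends of this hunk.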
@@ -787,9 +787,9 @@ lldp_private_8021_print(netdissect_options *ndo,
ND_PRINT((ndo, "\n\t Application Priority Table"));
while(i<sublen) {
tval=*(tptr+i+5);
- ND_PRINT((ndo, "\n\t Priority: %d, RES: %d, Sel: %d",
- tval >> 5, (tval >> 3) & 0x03, (tval & 0x07)));
- ND_PRINT((ndo, "Protocol ID: %d", EXTRACT_16BITS(tptr + i + 5)));
+ ND_PRINT((ndo, "\n\t Priority: %u, RES: %u, Sel: %u, Protocol ID: %u",
+ tval >> 5, (tval >> 3) & 0x03, (tval & 0x07),
+ EXTRACT_16BITS(tptr + i + 5)));
i=i+3;
}
break;
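Review bot: The Protocol ID in the rewritten ND_PRINT is read with `EXTRACT_16BITS(tptr + i + 5)`, the same offset as `tval`, so the printed 16-bit value has the priority/RES/Sel byte as its high byte instead of the two bytes that follow it; the committed expected output shows this (an entry with RES 1, Sel 4, i.e. tval 0x0c, prints Protocol ID 3072 = 0x0c00). Given the loop's 3-byte stride of one flags byte plus a 2-byte ID, the read should be `EXTRACT_16BITS(tptr + i + 6)`, with the two .out files regenerated to match. Separately, the 2-byte read for an entry starting at `sublen - 1` or `sublen - 2` runs past `sublen` when the table length is not a multiple of 3; whether an earlier ND_TCHECK already bounds that is not visible in this hunk. The initialization of `i` and `sublen` and the rest of lldp_private_8021_print lie outside the hunk.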
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 5633053b..ef8bffc7 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -479,6 +479,8 @@ dns_fwdptr dns_fwdptr.pcap dns_fwdptr.out -vvv -e
isis-areaaddr-oobr-1 isis-areaaddr-oobr-1.pcap isis-areaaddr-oobr-1.out -vvv -e
isis-areaaddr-oobr-2 isis-areaaddr-oobr-2.pcap isis-areaaddr-oobr-2.out -vvv -e
isis-extd-ipreach-oobr isis-extd-ipreach-oobr.pcap isis-extd-ipreach-oobr.out -vvv -e
+lldp-infinite-loop-1 lldp-infinite-loop-1.pcap lldp-infinite-loop-1.out -vvv -e
+lldp-infinite-loop-2 lldp-infinite-loop-2.pcap lldp-infinite-loop-2.out -vvv -e
# RTP tests
# fuzzed pcap
diff --git a/tests/lldp-infinite-loop-1.out b/tests/lldp-infinite-loop-1.out
new file mode 100644
index 00000000..31ba7100
--- /dev/null
+++ b/tests/lldp-infinite-loop-1.out
@@ -0,0 +1,134 @@
+08:00:27:42:ba:59 > 01:80:c2:00:00:0e, ethertype LLDP (0x88cc), length 1755: LLDP, length 1741
+ Chassis ID TLV (1), length 7
+ Subtype MAC address (4): 08:00:27:42:ba:59
+ 0x0000: 0408 0027 42ba 59
+ Port ID TLV (2), length 7
+ Subtype MAC address (3): 08:00:27:42:ba:59
+ 0x0000: 0308 0027 42ba 59
+ Time to Live TLV (3), length 2: TTL 120s
+ 0x0000: 0078
+ Organization specific TLV (127), length 6: OUI Ethernet bridged (0x0080c2)
+ Port VLAN Id Subtype (1)
+ port vlan id (PVID): 0
+ 0x0000: 0080 c201 0000
+ Organization specific TLV (127), length 7: OUI Ethernet bridged (0x0080c2)
+ Port and Protocol VLAN ID Subtype (2)
+ port and protocol vlan id (PPVID): 0, flags [supported] (0x02)
+ 0x0000: 0080 c202 0200 00
+ Organization specific TLV (127), length 14: OUI Ethernet bridged (0x0080c2)
+ VLAN name Subtype (3)
+ vlan id (VID): 1
+ vlan name: default
+ 0x0000: 0080 c203 0001 0764 6566 6175 6c74
+ Organization specific TLV (127), length 13: OUI Ethernet bridged (0x0080c2)
+ Protocol Identity Subtype (4)
+ protocol identity:
+ 0x0000: 0080 c204 0800 0042 4203 0080 08
+ Organization specific TLV (127), length 263: OUI Ethernet bridged (0x0080c2)
+ Application Priority Subtype (12)
+ RES: 0
+ Application Priority Table
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
+ Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
+ Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
+ Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
+ Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
+ Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
+ Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
+ Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
+ Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+ 0x0000: 0080 c20c 0000 0000 0000 0000 80c2 0c00
+ 0x0010: 0000 0000 0000 0080 c20c 0000 0000 0000
+ 0x0020: 0000 80c2 0c00 0000 0000 0000 0080 c20c
+ 0x0030: 0000 0000 0000 0000 80c2 0c00 0000 0000
+ 0x0040: 0000 0080 c20c 0000 0000 0000 0000 80c2
+ 0x0050: 0c00 0000 0000 0000 0080 c20c 0000 0000
+ 0x0060: 0000 0000 80c2 0c00 0000 0000 0000 0080
+ 0x0070: c20c 0000 0000 0000 0000 80c2 0c00 0000
+ 0x0080: 0000 0000 0080 c20c 0000 0000 0000 0000
+ 0x0090: 80c2 0c00 0000 0000 0000 0080 c20c 0000
+ 0x00a0: 0000 0000 0000 80c2 0c00 0000 0000 0000
+ 0x00b0: 0080 c20c 0000 0000 0000 0000 80c2 0c00
+ 0x00c0: 0000 0000 0000 0080 c20c 0000 0000 0000
+ 0x00d0: 0000 80c2 0c00 0000 0000 0000 0080 c20c
+ 0x00e0: 0000 0000 0000 0000 80c2 0c00 0000 0000
+ 0x00f0: 0000 0080 c20c 0000 0000 0000 0000 80c2
+ 0x0100: 0c00 0000 0000 00
+ End TLV (0), length 0
diff --git a/tests/lldp-infinite-loop-1.pcap b/tests/lldp-infinite-loop-1.pcap
new file mode 100644
index 00000000..232dbbd2
--- /dev/null
+++ b/tests/lldp-infinite-loop-1.pcap
Binary files differ
diff --git a/tests/lldp-infinite-loop-2.out b/tests/lldp-infinite-loop-2.out
new file mode 100644
index 00000000..40166813
--- /dev/null
+++ b/tests/lldp-infinite-loop-2.out
@@ -0,0 +1,161 @@
+08:00:27:0d:f1:3c > 01:80:c2:00:00:0e, ethertype LLDP (0x88cc), length 2130: LLDP, length 2116
+ Chassis ID TLV (1), length 7
+ Subtype MAC address (4): 08:00:27:0d:f1:3c
+ 0x0000: 0408 0027 0df1 3c
+ Port ID TLV (2), length 7
+ Subtype MAC address (3): 08:00:27:0d:f1:3c
+ 0x0000: 0308 0027 0df1 3c
+ Time to Live TLV (3), length 2: TTL 120s
+ 0x0000: 0078
+ Organization specific TLV (127), length 6: OUI Ethernet bridged (0x0080c2)
+ Port VLAN Id Subtype (1)
+ port vlan id (PVID): 1
+ 0x0000: 0080 c201 0001
+ Organization specific TLV (127), length 7: OUI Ethernet bridged (0x0080c2)
+ Port and Protocol VLAN ID Subtype (2)
+ port and protocol vlan id (PPVID): 0, flags [supported] (0x02)
+ 0x0000: 0080 c202 0200 00
+ Organization specific TLV (127), length 14: OUI Ethernet bridged (0x0080c2)
+ VLAN name Subtype (3)
+ vlan id (VID): 1
+ vlan name: default
+ 0x0000: 0080 c203 0001 0764 6566 6175 6c74
+ Organization specific TLV (127), length 13: OUI Ethernet bridged (0x0080c2)
+ Protocol Identity Subtype (4)
+ protocol identity:
+ 0x0000: 0080 c204 0800 0042 4203 0000 03
+ Organization specific TLV (127), length 9: OUI Ethernet bridged (0x0080c2)
+ EVB Subtype (13)
+ EVB Bridge Status
+ RES: 0, BGID: 0, RRCAP: 1, RRCTR: 0
+ EVB Station Status
+ RES: 0, SGID: 0, RRREQ: 0,RRSTAT: 0
+ R: 7, RTE: 21, EVB Mode: EVB Bridge [1]
+ ROL: 0, RWD: 30, RES: 0, ROL: 0, RKA: 15
+ 0x0000: 0080 c20d 0200 f55e 0f
+ Organization specific TLV (127), length 266: OUI Ethernet bridged (0x0080c2)
+ CDCP Subtype (14)
+ Role: 0, RES: 0, Scomp: 0 ChnCap: 167
+ SCID: 1, SVID: 1
+ SCID: 0, SVID: 194
+ SCID: 224, SVID: 0
+ SCID: 10, SVID: 1792
+ SCID: 256, SVID: 256
+ SCID: 12, SVID: 526
+ SCID: 0, SVID: 0
+ SCID: 2672, SVID: 16
+ SCID: 16, SVID: 0
+ SCID: 3104, SVID: 3584
+ SCID: 0, SVID: 167
+ SCID: 1, SVID: 1
+ SCID: 0, SVID: 194
+ SCID: 224, SVID: 0
+ SCID: 10, SVID: 1792
+ SCID: 256, SVID: 256
+ SCID: 12, SVID: 526
+ SCID: 0, SVID: 0
+ SCID: 2672, SVID: 16
+ SCID: 16, SVID: 0
+ SCID: 3104, SVID: 3584
+ SCID: 0, SVID: 167
+ SCID: 1, SVID: 1
+ SCID: 0, SVID: 194
+ SCID: 224, SVID: 0
+ SCID: 10, SVID: 1792
+ SCID: 256, SVID: 256
+ SCID: 12, SVID: 526
+ SCID: 0, SVID: 0
+ SCID: 2672, SVID: 16
+ SCID: 16, SVID: 0
+ SCID: 3104, SVID: 3584
+ SCID: 0, SVID: 167
+ SCID: 1, SVID: 1
+ SCID: 0, SVID: 194
+ SCID: 224, SVID: 0
+ SCID: 10, SVID: 1792
+ SCID: 256, SVID: 256
+ SCID: 12, SVID: 526
+ SCID: 0, SVID: 0
+ SCID: 2672, SVID: 16
+ SCID: 16, SVID: 0
+ SCID: 3104, SVID: 3584
+ SCID: 0, SVID: 167
+ SCID: 1, SVID: 1
+ SCID: 0, SVID: 194
+ SCID: 224, SVID: 0
+ SCID: 10, SVID: 1792
+ SCID: 256, SVID: 256
+ SCID: 12, SVID: 526
+ SCID: 0, SVID: 0
+ SCID: 2672, SVID: 16
+ SCID: 16, SVID: 0
+ SCID: 3104, SVID: 3584
+ SCID: 0, SVID: 167
+ SCID: 1, SVID: 1
+ SCID: 0, SVID: 194
+ SCID: 224, SVID: 0
+ SCID: 10, SVID: 1792
+ SCID: 256, SVID: 256
+ SCID: 12, SVID: 526
+ SCID: 0, SVID: 0
+ SCID: 2672, SVID: 16
+ SCID: 16, SVID: 0
+ SCID: 3104, SVID: 3584
+ SCID: 0, SVID: 167
+ SCID: 1, SVID: 1
+ SCID: 0, SVID: 194
+ SCID: 224, SVID: 0
+ SCID: 10, SVID: 1792
+ SCID: 256, SVID: 256
+ SCID: 12, SVID: 526
+ SCID: 0, SVID: 0
+ SCID: 2672, SVID: 16
+ SCID: 16, SVID: 0
+ SCID: 3104, SVID: 3584
+ SCID: 0, SVID: 167
+ SCID: 1, SVID: 1
+ SCID: 0, SVID: 194
+ SCID: 224, SVID: 0
+ SCID: 10, SVID: 1792
+ SCID: 256, SVID: 256
+ SCID: 12, SVID: 526
+ SCID: 0, SVID: 0
+ SCID: 2672, SVID: 16
+ SCID: 16, SVID: 0
+ 0x0000: 0080 c20e 0000 00a7 0010 0100 00c2 0e00
+ 0x0010: 0000 a700 1001 0000 c20e 0000 00a7 0010
+ 0x0020: 0100 00c2 0e00 0000 a700 1001 0000 c20e
+ 0x0030: 0000 00a7 0010 0100 00c2 0e00 0000 a700
+ 0x0040: 1001 0000 c20e 0000 00a7 0010 0100 00c2
+ 0x0050: 0e00 0000 a700 1001 0000 c20e 0000 00a7
+ 0x0060: 0010 0100 00c2 0e00 0000 a700 1001 0000
+ 0x0070: c20e 0000 00a7 0010 0100 00c2 0e00 0000
+ 0x0080: a700 1001 0000 c20e 0000 00a7 0010 0100
+ 0x0090: 00c2 0e00 0000 a700 1001 0000 c20e 0000
+ 0x00a0: 00a7 0010 0100 00c2 0e00 0000 a700 1001
+ 0x00b0: 0000 c20e 0000 00a7 0010 0100 00c2 0e00
+ 0x00c0: 0000 a700 1001 0000 c20e 0000 00a7 0010
+ 0x00d0: 0100 00c2 0e00 0000 a700 1001 0000 c20e
+ 0x00e0: 0000 00a7 0010 0100 00c2 0e00 0000 a700
+ 0x00f0: 1001 0000 c20e 0000 00a7 0010 0100 00c2
+ 0x0100: 0e00 0000 a700 1001 0000
+ Unknown TLV (97), length 14
+ 0x0000: 0000 00a7 0010 0100 00c2 0e00 0000
+ Unknown TLV (83), length 256
+ 0x0000: 1001 0000 c20e 0000 00a7 0010 0100 00c2
+ 0x0010: 0e00 0000 a700 1001 0000 c20e 0000 00a7
+ 0x0020: 0010 0100 00c2 0e00 0000 a700 1001 0000
+ 0x0030: c20e 0000 00a7 0010 0100 00c2 0e00 0000
+ 0x0040: a700 1001 0000 c20e 0000 00a7 0010 0100
+ 0x0050: 00c2 0e00 0000 a700 1001 0000 c20e 0000
+ 0x0060: 00a7 0010 0100 00c2 0e00 0000 a700 1001
+ 0x0070: 0000 c20e 0000 00a7 0010 0100 00c2 0e00
+ 0x0080: 0000 a700 1001 0000 c20e 0000 00a7 0010
+ 0x0090: 0100 00c2 0e00 0000 a700 1001 0000 c20e
+ 0x00a0: 0000 00a7 0010 0100 00c2 0e00 0000 a700
+ 0x00b0: 1001 0000 c20e 0000 00a7 0010 0100 00c2
+ 0x00c0: 0e00 0000 a700 1001 0000 c20e 0000 00a7
+ 0x00d0: 0010 0100 00c2 0e00 0000 a700 1001 0000
+ 0x00e0: c20e 0000 00a7 0010 0100 00c2 0e00 0000
+ 0x00f0: a700 1001 0000 c20e 0000 00a7 0010 0100
+ End TLV (0), length 194
diff --git a/tests/lldp-infinite-loop-2.pcap b/tests/lldp-infinite-loop-2.pcap
new file mode 100644
index 00000000..e8599831
--- /dev/null
+++ b/tests/lldp-infinite-loop-2.pcap
Binary files differ