authorGuy Harris <guy@alum.mit.edu>2017-02-04 14:06:23 -0800
committerDenis Ovsienko <denis@ovsienko.info>2017-09-13 12:25:44 +0100
commit7ac73d6cd41e9d4ac0ca7e6830ca390e195bb21c (patch)
tree36ec33f377c8df647515a4c1016c42f0a9c81488 /ip6.h
parent3c4d7c0ee30a30e5abff3d6d9586a3753101faf5 (diff)
downloadtcpdump-7ac73d6cd41e9d4ac0ca7e6830ca390e195bb21c.tar.gz
CVE-2017-12986/IPv6 R.H.: Update to reflect the actual IPv6 RFC.
In RFC 1883, the Type 0 routing header had a 1-byte reserved field and a 3-byte strict/loose bit map; in RFC 2460, that changed to a 4-byte reserved field. This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter (by making an ND_TCHECK() call check for the presence in the captured data of all 4 bytes of the reserved field; we were printing it as a 4-byte field, so we needed to check for them). Add a test using the capture file supplied by the reporter(s).
Diffstat (limited to 'ip6.h')
-rw-r--r--ip6.h5
1 files changed, 2 insertions, 3 deletions
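--- a/ip6.h
+++ b/ip6.h
@@ -181,9 +181,8 @@ struct ip6_rthdr0 {
  uint8_t ip6r0_nxt; /* next header */
  uint8_t ip6r0_len; /* length in units of 8 octets */
  uint8_t ip6r0_type; /* always zero */
- uint8_t ip6r0_segleft; /* segments left */
- uint8_t ip6r0_reserved; /* reserved field */
- uint8_t ip6r0_slmap[3]; /* strict/loose bit map */
+ uint8_t ip6r0_segleft; /* segments left */
+ uint32_t ip6r0_reserved; /* reserved field */
  struct in6_addr ip6r0_addr[1]; /* up to 23 addresses */
  } UNALIGNED;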
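Review bot: The comment on the context line `struct in6_addr ip6r0_addr[1]; /* up to 23 addresses */` looks stale once the header follows RFC 2460: the 23-address figure appears to come from the RFC 1883 24-bit strict/loose bit map that this hunk removes, whereas the RFC 2460 Type 0 header bounds the address count only by the 8-bit Hdr Ext Len, so a reader (or a printer sizing its checks) should not rely on that number. Suggest `struct in6_addr ip6r0_addr[1]; /* variable number of addresses, bounded by ip6r0_len (RFC 2460) */`. Because the struct is declared `UNALIGNED`, widening `ip6r0_reserved` to `uint32_t` keeps the fixed prefix at 8 bytes and leaves the offset of `ip6r0_addr` unchanged; the ND_TCHECK() that the description says fixes the over-read lives in the printer, outside this file, so this hunk on its own alters no bounds check.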