diff options
| author | Denis Ovsienko <denis@ovsienko.info> | 2017-01-09 01:01:46 +0000 |
|---|---|---|
| committer | Francois-Xavier Le Bail <fx.lebail@yahoo.com> | 2017-01-18 09:16:41 +0100 |
| commit | d6913f7e3fc6d3084ab64d179853468e58cdca4b (patch) | |
| tree | b0bb70ea32ca1559d09935768849a2fa91ff5a1a /print-ip6.c | |
| parent | 909fb30769e92d3f432b41d3eea3c0623bc03c84 (diff) | |
| download | tcpdump-d6913f7e3fc6d3084ab64d179853468e58cdca4b.tar.gz | |
CVE-2017-5204/IPv6: fix header printing
Add a few checks to ip6_print() to make it stop decoding the IPv6
headers immediately when the header-specific functions signal an error
condition. Without this it tried to fetch the next header selector for
the next round regardless and could run outside of the allocated packet
space on a specially crafted IPv6 packet.
Brian Carpenter has demonstrated this for the Hop-by-Hop Options header.
Fix that specific case and also the Destination Options and Fragment
header processing as those use the same logic.
Diffstat (limited to 'print-ip6.c')
| -rw-r--r-- | print-ip6.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/print-ip6.c b/print-ip6.c index 2e1803f0..9f590f2a 100644 --- a/print-ip6.c +++ b/print-ip6.c @@ -293,15 +293,19 @@ ip6_print(netdissect_options *ndo, const u_char *bp, u_int length) switch (nh) { case IPPROTO_HOPOPTS: advance = hbhopt_print(ndo, cp); + if (advance < 0) + return; nh = *cp; break; case IPPROTO_DSTOPTS: advance = dstopt_print(ndo, cp); + if (advance < 0) + return; nh = *cp; break; case IPPROTO_FRAGMENT: advance = frag6_print(ndo, cp, (const u_char *)ip6); - if (ndo->ndo_snapend <= cp + advance) + if (advance < 0 || ndo->ndo_snapend <= cp + advance) return; nh = *cp; fragmented = 1; |