author | Denis Ovsienko <denis@ovsienko.info> | 2017-08-10 00:01:55 +0100 |
---|---|---|
committer | Denis Ovsienko <denis@ovsienko.info> | 2017-09-13 12:25:44 +0100 |
commit | e6511cc1a950fe1566b2236329d6b4bd0826cc7a (patch) | |
tree | d0b62fae41a9fae52afb1d8caaeeede275262cb7 /print-lldp.c | |
parent | 83c64fce3a5226b080e535f5131a8a318f30e79b (diff) | |
download | tcpdump-e6511cc1a950fe1566b2236329d6b4bd0826cc7a.tar.gz |
CVE-2017-13054/LLDP: add a missing length check

In lldp_private_8023_print() the case block for subtype 4 (Maximum Frame
Size TLV, IEEE 802.3bc-2009 Section 79.3.4) did not include the length
check and could over-read the input buffer, put it right.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
Diffstat (limited to 'print-lldp.c')
-rw-r--r-- | print-lldp.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/print-lldp.c b/print-lldp.c index add7e6a5..e87b16bd 100644 --- a/print-lldp.c +++ b/print-lldp.c @@ -898,6 +898,9 @@ lldp_private_8023_print(netdissect_options *ndo, break; case LLDP_PRIVATE_8023_SUBTYPE_MTU: + if (tlv_len < 6) { + return hexdump; + } ND_PRINT((ndo, "\n\t MTU size %u", EXTRACT_16BITS(tptr + 4))); break; |
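Review bot: the literal 6 in the new `if (tlv_len < 6)` check under `case LLDP_PRIVATE_8023_SUBTYPE_MTU:` is unexplained, and a one-line comment would make it auditable: `EXTRACT_16BITS(tptr + 4)` reads the two bytes at offsets 4 and 5, so the TLV must be at least 6 bytes long. The bound itself is correct for that read. Note also that the check compares against `tlv_len` only, so it protects the read only if `tlv_len` has already been validated against the captured data before this switch is reached; that validation is not visible in this hunk and is worth confirming in the caller. The test mentioned in the commit message is outside this view, which is limited to print-lldp.c.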