author Denis Ovsienko <denis@ovsienko.info> 2017-01-09 01:01:46 +0000
committer Francois-Xavier Le Bail <fx.lebail@yahoo.com> 2017-01-18 09:16:41 +0100
commit d6913f7e3fc6d3084ab64d179853468e58cdca4b
tree b0bb70ea32ca1559d09935768849a2fa91ff5a1a /tests/ipv6hdr-heapoverflow-v.out
parent 909fb30769e92d3f432b41d3eea3c0623bc03c84
CVE-2017-5204/IPv6: fix header printing
Add a few checks to ip6_print() to make it stop decoding the IPv6 headers immediately when the header-specific functions signal an error condition. Without this it tried to fetch the next header selector for the next round regardless and could run outside of the allocated packet space on a specially crafted IPv6 packet. Brian Carpenter has demonstrated this for the Hop-by-Hop Options header. Fix that specific case and also the Destination Options and Fragment header processing as those use the same logic.
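The stop-on-error rule described in the commit message, as an added sketch in C. This is not tcpdump's code: `walk_ext_headers`, `opts_len` and both sample buffers are hypothetical and constructed here, and the sketch ignores fragment offsets. A handler returning -1 ends the walk before the next-header byte is read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { NH_HOPOPTS = 0, NH_FRAGMENT = 44, NH_DSTOPTS = 60 };

/* Hypothetical handler: returns the options header length in bytes, or -1
 * when the header does not fit in the captured bytes [p, end). */
static int opts_len(const uint8_t *p, const uint8_t *end)
{
    if (end - p < 2)
        return -1;
    int len = (p[1] + 1) * 8;      /* Hdr Ext Len: 8-octet units after the first 8 */
    return (end - p < len) ? -1 : len;
}

/* Returns the first non-extension next-header value, or -1 on truncation.
 * *off receives the offset of the header where walking stopped. */
int walk_ext_headers(const uint8_t *buf, size_t caplen, int nh, size_t *off)
{
    const uint8_t *cp = buf, *end = buf + caplen;
    for (;;) {
        int advance;
        *off = (size_t)(cp - buf);
        switch (nh) {
        case NH_HOPOPTS:
        case NH_DSTOPTS:  advance = opts_len(cp, end); break;
        case NH_FRAGMENT: advance = (end - cp < 8) ? -1 : 8; break;
        default:          return nh;   /* upper-layer protocol reached */
        }
        if (advance < 0)
            return -1;             /* stop now: never read the next selector */
        nh = cp[0];                /* safe: the handler confirmed >= 8 bytes here */
        cp += advance;
    }
}

/* Constructed samples: HBH -> DSTOPTS -> TCP (6), and an all-0x30 header
 * whose length field claims far more than the 8 bytes captured. */
static const uint8_t good[]  = { 60,0,1,4,0,0,0,0,  6,0,1,4,0,0,0,0 };
static const uint8_t bogus[] = { 0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30 };

int main(void)
{
    size_t off;
    printf("good:  %d\n", walk_ext_headers(good, sizeof good, NH_HOPOPTS, &off));
    printf("bogus: %d\n", walk_ext_headers(bogus, sizeof bogus, NH_HOPOPTS, &off));
    return 0;
}
```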
Diffstat (limited to 'tests/ipv6hdr-heapoverflow-v.out')
-rw-r--r-- tests/ipv6hdr-heapoverflow-v.out 1
1 files changed, 1 insertions, 0 deletions
diff --git a/tests/ipv6hdr-heapoverflow-v.out b/tests/ipv6hdr-heapoverflow-v.out
new file mode 100644
index 00000000..4e3730a1
--- /dev/null
+++ b/tests/ipv6hdr-heapoverflow-v.out
@@ -0,0 +1 @@
+IP6 (class 0x33, flowlabel 0x03030, hlim 48, next-header Options (0) payload length: 12336) 3030:3030:3030:3030:3030:3030:3030:3030 > 3030:3030:3030:3030:3030:3030:3030:3030: HBH [trunc] [|HBH]
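Review bot: the single expected line added here exercises only the Hop-by-Hop path (next-header Options (0), ending in "HBH [trunc] [|HBH]"), while the commit message says the Destination Options and Fragment header processing received the same fix. If the rest of the commit does not already carry them, add captures and expected outputs for those two headers as well, so that a regression in either branch is caught. The line also reports truncation twice, "[trunc]" and then "[|HBH]"; it is worth confirming that both markers are intended before freezing this as the expected output.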