CVE-2017-13024/IPv6 mobility: Add a bounds check before fetching data
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't cause 'tcpdump: pcap_loop: truncated dump file'
diff --git a/print-mobility.c b/print-mobility.c
index 64497b3..21a0fba 100644
--- a/print-mobility.c
+++ b/print-mobility.c
@@ -166,6 +166,8 @@
ND_PRINT((ndo, "(ni: trunc)"));
goto trunc;
}
+ ND_TCHECK_16BITS(&bp[i+2]);
+ ND_TCHECK_16BITS(&bp[i+4]);
ND_PRINT((ndo, "(ni: ho=0x%04x co=0x%04x)",
EXTRACT_16BITS(&bp[i+2]),
EXTRACT_16BITS(&bp[i+4])));
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 3e21596..e0caaa3 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -525,6 +525,7 @@
icmp6_mobileprefix_asan icmp6_mobileprefix_asan.pcap icmp6_mobileprefix_asan.out -v
ip_printroute_asan ip_printroute_asan.pcap ip_printroute_asan.out -v
mobility_opt_asan mobility_opt_asan.pcap mobility_opt_asan.out -v
+mobility_opt_asan_2 mobility_opt_asan_2.pcap mobility_opt_asan_2.out -v
# RTP tests
# fuzzed pcap
diff --git a/tests/mobility_opt_asan_2.out b/tests/mobility_opt_asan_2.out
new file mode 100644
index 0000000..403926e
--- /dev/null
+++ b/tests/mobility_opt_asan_2.out
@@ -0,0 +1 @@
+IP6 (class 0x50, flowlabel 0x0002c, hlim 0, next-header Mobile IP (old) (62) payload length: 7168) ff:7f0f:40:0:ee00:0:b658:5203 > 205:20:1:b00:0:2200:af01:e000: mobility: BRR(type-0x06: len=0)[|MOBILITY]
diff --git a/tests/mobility_opt_asan_2.pcap b/tests/mobility_opt_asan_2.pcap
new file mode 100644
index 0000000..7fadc58
--- /dev/null
+++ b/tests/mobility_opt_asan_2.pcap
Binary files differ
