CVE-2017-13690/IKEv2: Fix some bounds checks.
Use a pointer of the correct type in ND_TCHECK(), or use ND_TCHECK2()
and provide the correct length.
While we're at it, remove the blank line between some checks and the
UNALIGNED_MEMCPY()s they protect.
Also, note the places where we print the entire payload.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s).
diff --git a/print-isakmp.c b/print-isakmp.c
index fbc6c54..04374b0 100644
--- a/print-isakmp.c
+++ b/print-isakmp.c
@@ -1313,6 +1313,7 @@
UNALIGNED_MEMCPY(&e, ext, sizeof(e));
ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+ /* Print the entire payload in hex */
ND_PRINT((ndo," "));
if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
goto trunc;
@@ -1515,6 +1516,7 @@
ND_PRINT((ndo," len=%d", item_len - 4));
ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
if (2 < ndo->ndo_vflag && 4 < item_len) {
+ /* Print the entire payload in hex */
ND_PRINT((ndo," "));
if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
goto trunc;
@@ -1547,6 +1549,7 @@
ND_PRINT((ndo," len=%d", item_len - 4));
ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
if (2 < ndo->ndo_vflag && 4 < item_len) {
+ /* Print the entire payload in hex */
ND_PRINT((ndo," "));
if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
goto trunc;
@@ -1571,6 +1574,7 @@
UNALIGNED_MEMCPY(&e, ext, sizeof(e));
ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+ /* Print the entire payload in hex */
ND_PRINT((ndo," "));
if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
goto trunc;
@@ -1595,6 +1599,7 @@
UNALIGNED_MEMCPY(&e, ext, sizeof(e));
ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+ /* Print the entire payload in hex */
ND_PRINT((ndo," "));
if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
goto trunc;
@@ -1850,6 +1855,7 @@
UNALIGNED_MEMCPY(&e, ext, sizeof(e));
ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+ /* Print the entire payload in hex */
ND_PRINT((ndo," "));
if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
goto trunc;
@@ -1884,6 +1890,7 @@
ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+ /* Print the entire payload in hex */
ND_PRINT((ndo," "));
if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
goto trunc;
@@ -2022,7 +2029,6 @@
if (prop_length < sizeof(*ext))
goto toolong;
ND_TCHECK(*ext);
-
UNALIGNED_MEMCPY(&e, ext, sizeof(e));
/*
@@ -2109,7 +2115,6 @@
if (sa_length < sizeof(*ext))
goto toolong;
ND_TCHECK(*ext);
-
UNALIGNED_MEMCPY(&e, ext, sizeof(e));
/*
@@ -2170,7 +2175,7 @@
const struct ikev2_ke *k;
k = (const struct ikev2_ke *)ext;
- ND_TCHECK(*ext);
+ ND_TCHECK(*k);
UNALIGNED_MEMCPY(&ke, ext, sizeof(ke));
ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
@@ -2195,12 +2200,14 @@
uint32_t phase _U_, uint32_t doi _U_,
uint32_t proto _U_, int depth _U_)
{
+ const struct ikev2_id *idp;
struct ikev2_id id;
int id_len, idtype_len, i;
unsigned int dumpascii, dumphex;
const unsigned char *typedata;
- ND_TCHECK(*ext);
+ idp = (const struct ikev2_id *)ext;
+ ND_TCHECK(*idp);
UNALIGNED_MEMCPY(&id, ext, sizeof(id));
ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);
@@ -2208,6 +2215,7 @@
ND_PRINT((ndo," len=%d", id_len - 4));
if (2 < ndo->ndo_vflag && 4 < id_len) {
+ /* Print the entire payload in hex */
ND_PRINT((ndo," "));
if (!rawprint(ndo, (const uint8_t *)(ext + 1), id_len - 4))
goto trunc;
@@ -2303,7 +2311,7 @@
const u_char *authdata = (const u_char*)ext + sizeof(a);
unsigned int len;
- ND_TCHECK(*ext);
+ ND_TCHECK2(*ext, sizeof(a));
UNALIGNED_MEMCPY(&a, ext, sizeof(a));
ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
len = ntohs(a.h.len);
@@ -2599,6 +2607,7 @@
else ND_PRINT((ndo, "."));
}
if (2 < ndo->ndo_vflag && 4 < len) {
+ /* Print the entire payload in hex */
ND_PRINT((ndo," "));
if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
goto trunc;
@@ -2764,7 +2773,6 @@
while (np) {
ND_TCHECK(*ext);
-
UNALIGNED_MEMCPY(&e, ext, sizeof(e));
ND_TCHECK2(*ext, ntohs(e.len));
@@ -2932,7 +2940,6 @@
cp = (const u_char *)ext;
while (np) {
ND_TCHECK(*ext);
-
UNALIGNED_MEMCPY(&e, ext, sizeof(e));
ND_TCHECK2(*ext, ntohs(e.len));
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 0e70972..bd6073d 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -578,6 +578,7 @@
olsr-oobr-1 olsr-oobr-1.pcap olsr-oobr-1.out -v
olsr-oobr-2 olsr-oobr-2.pcap olsr-oobr-2.out -v
ikev1_id_ipv6_addr_subnet-oobr ikev1_id_ipv6_addr_subnet-oobr.pcap ikev1_id_ipv6_addr_subnet-oobr.out -v
+isakmp-various-oobr isakmp-various-oobr.pcap isakmp-various-oobr.out -v
# bad packets from Katie Holly
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
diff --git a/tests/isakmp-various-oobr.out b/tests/isakmp-various-oobr.out
new file mode 100644
index 0000000..cf1b1e0
--- /dev/null
+++ b/tests/isakmp-various-oobr.out
@@ -0,0 +1,5 @@
+IP (tos 0xfb,CE, ttl 17, id 21263, offset 0, flags [+, DF, rsvd], proto UDP (17), length 296, bad cksum 1ff (->f67d)!)
+ 16.0.128.20.500 > 12.251.225.45.49152: isakmp 1.0 msgid 10101010: phase 2/others ? #16[]:
+ ( [|v2ke]) (len mismatch: isakmp 2130706432/ip 268)
+IP (tos 0x12,ECT(0), ttl 17, id 21263, offset 4096, flags [DF, rsvd], proto UDP (17), length 296, bad cksum 1ff (->939f)!)
+ 0.0.0.5 > 0.0.0.0: ip-proto-17
diff --git a/tests/isakmp-various-oobr.pcap b/tests/isakmp-various-oobr.pcap
new file mode 100644
index 0000000..b81d3f5
--- /dev/null
+++ b/tests/isakmp-various-oobr.pcap
Binary files differ
