File tcpdump-CVE-2018-16230.patch of Package tcpdump.19046
From 13d52e9c0e7caf7e6325b0051bc90a49968be67f Mon Sep 17 00:00:00 2001
From: Denis Ovsienko <denis@ovsienko.info>
Date: Thu, 23 Aug 2018 22:09:16 +0100
Subject: [PATCH] (for 4.9.3) CVE-2018-16230/BGP: fix decoding of MP_REACH_NLRI
When bgp_attr_print() tried to decode the variable-length nexthop value
for the NSAP VPN case, it did not check that the declared length is good
to interpret the value as a mapped IPv4 or IPv6 address. Add missing
checks to make this safe.
This fixes a buffer over-read discovered by Include Security working
under the Mozilla SOS program in 2018 by means of code audit.
Bhargava Shastry, SecT/TU Berlin, had independently identified this
vulnerability by means of fuzzing and provided the packet capture file
for the test.
---
print-bgp.c | 6 +-
tests/TESTLIST | 1 +
tests/bgp_mp_reach_nlri-oobr.out | 277 ++++++++++++++++++++++++++++++
tests/bgp_mp_reach_nlri-oobr.pcap | Bin 0 -> 2789 bytes
4 files changed, 282 insertions(+), 2 deletions(-)
create mode 100644 tests/bgp_mp_reach_nlri-oobr.out
create mode 100644 tests/bgp_mp_reach_nlri-oobr.pcap
diff --git a/print-bgp.c b/print-bgp.c
index b02827ed2..e9b4c2bd9 100644
--- a/print-bgp.c
+++ b/print-bgp.c
@@ -1700,10 +1700,12 @@ bgp_attr_print(netdissect_options *ndo,
bgp_vpn_rd_print(ndo, tptr),
isonsap_string(ndo, tptr+BGP_VPN_RD_LEN,tlen-BGP_VPN_RD_LEN)));
/* rfc986 mapped IPv4 address ? */
- if (EXTRACT_32BITS(tptr+BGP_VPN_RD_LEN) == 0x47000601)
+ if (tlen == BGP_VPN_RD_LEN + 4 + sizeof(struct in_addr)
+ && EXTRACT_32BITS(tptr+BGP_VPN_RD_LEN) == 0x47000601)
ND_PRINT((ndo, " = %s", ipaddr_string(ndo, tptr+BGP_VPN_RD_LEN+4)));
/* rfc1888 mapped IPv6 address ? */
- else if (EXTRACT_24BITS(tptr+BGP_VPN_RD_LEN) == 0x350000)
+ else if (tlen == BGP_VPN_RD_LEN + 3 + sizeof(struct in6_addr)
+ && EXTRACT_24BITS(tptr+BGP_VPN_RD_LEN) == 0x350000)
ND_PRINT((ndo, " = %s", ip6addr_string(ndo, tptr+BGP_VPN_RD_LEN+3)));
tptr += tlen;
tlen = 0;
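Review bot: the two new length checks on the `if` and `else if` lines use strict equality, so a nexthop whose tlen is larger than BGP_VPN_RD_LEN + 4 + sizeof(struct in_addr) (or BGP_VPN_RD_LEN + 3 + sizeof(struct in6_addr)) is no longer decoded as a mapped address even when the 0x47000601 / 0x350000 prefix matches; that is the conservative choice for an over-read fix, but the "rfc986 mapped IPv4 address ?" and "rfc1888 mapped IPv6 address ?" comments say nothing about length, so a one-line comment noting that only exact-length encodings are recognised would make the intent clear to the next reader. The offsets 4 and 3 also now appear twice each, once in the length check and once in the `ipaddr_string(ndo, tptr+BGP_VPN_RD_LEN+4)` / `ip6addr_string(ndo, tptr+BGP_VPN_RD_LEN+3)` call; a named constant for each prefix length would keep the check and the read offset from drifting apart in a later edit.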