| From c45443a0d3e16b92622bea6b589e5930e8f0d815 Mon Sep 17 00:00:00 2001 |
| From: Peiran Hong <peiran.hong@windriver.com> |
| Date: Fri, 13 Sep 2019 17:02:57 -0400 |
| Subject: [PATCH] CVE-2017-16808/AoE: Add a missing bounds check. |
| |
| --- |
| netdissect.h | 12 ++++++++++++ |
| print-aoe.c | 1 + |
| 2 files changed, 13 insertions(+) |
| |
| diff --git a/netdissect.h b/netdissect.h |
| index 089b0406..cd05fdb9 100644 |
| --- a/netdissect.h |
| +++ b/netdissect.h |
| @@ -69,6 +69,11 @@ typedef struct { |
| typedef unsigned char nd_uint8_t; |
| typedef signed char nd_int8_t; |
| |
| +/* |
| + * Use this for MAC addresses. |
| + */ |
| +#define MAC_ADDR_LEN 6 /* length of MAC addresses */ |
| + |
| /* snprintf et al */ |
| |
| #include <stdarg.h> |
| @@ -309,12 +314,19 @@ struct netdissect_options { |
| ((uintptr_t)ndo->ndo_snapend - (l) <= (uintptr_t)ndo->ndo_snapend && \ |
| (uintptr_t)&(var) <= (uintptr_t)ndo->ndo_snapend - (l))) |
| |
| +#define ND_TTEST_LEN(p, l) \ |
| + (IS_NOT_NEGATIVE(l) && \ |
| + ((uintptr_t)ndo->ndo_snapend - (l) <= (uintptr_t)ndo->ndo_snapend && \ |
| + (uintptr_t)(p) <= (uintptr_t)ndo->ndo_snapend - (l))) |
| + |
| /* True if "var" was captured */ |
| #define ND_TTEST(var) ND_TTEST2(var, sizeof(var)) |
| |
| /* Bail if "l" bytes of "var" were not captured */ |
| #define ND_TCHECK2(var, l) if (!ND_TTEST2(var, l)) goto trunc |
| |
| +#define ND_TCHECK_LEN(p, l) if (!ND_TTEST_LEN(p, l)) goto trunc |
| + |
| /* Bail if "var" was not captured */ |
| #define ND_TCHECK(var) ND_TCHECK2(var, sizeof(var)) |
| |
| diff --git a/print-aoe.c b/print-aoe.c |
| index 97e93df2..ac097a04 100644 |
| --- a/print-aoe.c |
| +++ b/print-aoe.c |
| @@ -325,6 +325,7 @@ aoev1_reserve_print(netdissect_options *ndo, |
| goto invalid; |
| /* addresses */ |
| for (i = 0; i < nmacs; i++) { |
| + ND_TCHECK_LEN(cp, MAC_ADDR_LEN); |
| ND_PRINT((ndo, "\n\tEthernet Address %u: %s", i, etheraddr_string(ndo, cp))); |
| cp += ETHER_ADDR_LEN; |
| } |
| -- |
| 2.21.0 |
| |