Moritz Muehlenhoff wrote:
> Package: ethereal
> Version: 0.10.13-1
> Severity: important
> Tags: security
> Justification: user security hole
>
> Another security problem has been discovered in Ethereal. This time it's
> a buffer overflow in the OSPF dissector. Please see
> http://www.idefense.com/application/poi/display?id=349&type=vulnerabilities
> for details. This has been assigned CVE-2005-3651.
Frederic, attached is the patch we're using for the update in sarge;
basically the function body is exchanged (variable names adjusted and
struct adjusted).
Sorry, looks like I postponed this mail too long.
Regards,
Joey
--
This is GNU/Linux Country. On a quiet night, you can hear Windows reboot.
Please always Cc to me when replying to me on the lists.
diff -u ethereal-0.10.10/debian/changelog ethereal-0.10.10/debian/changelog
--- ethereal-0.10.10/debian/changelog
+++ ethereal-0.10.10/debian/changelog
@@ -1,3 +1,12 @@
+ethereal (0.10.10-2sarge4) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Backported new upstream version of dissect_ospf_v3_address_prefix() to
+ fix buffer overflow and potential arbitrary code execution
+ [epan/dissectors/packet-ospf.c, CVE-2005-3651]
+
+ -- Martin Schulze <[EMAIL PROTECTED]> Sat, 10 Dec 2005 15:03:54 +0100
+
ethereal (0.10.10-2sarge3) stable-security; urgency=high
* Security fixes for sarge:
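Review bot: the changelog entry describes only the overflow fix, but the backported function body also changes what the "Address Prefix" item displays, from a colon-separated hex dump built with sprintf() to ip6_to_str() notation, and now emits an explicit "length is invalid" item for prefix lengths above 128; a short note on the display change would help anyone comparing sarge output against 0.10.10-2sarge3.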
only in patch2:
unchanged:
--- ethereal-0.10.10.orig/epan/dissectors/packet-ospf.c
+++ ethereal-0.10.10/epan/dissectors/packet-ospf.c
@@ -46,6 +46,7 @@
#include <epan/packet.h>
#include <epan/ipproto.h>
#include <epan/in_cksum.h>
+#include <epan/ipv6-utils.h>
#include "packet-rsvp.h"
#define OSPF_VERSION_2 2
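Review bot: `#include <epan/ipv6-utils.h>` is the only header added, yet the rewritten dissect_ospf_v3_address_prefix() below relies on both `struct e_in6_addr` with the `u6_addr.u6_addr8` member and on `ip6_to_str()`; since this is a backport from a newer upstream onto 0.10.10, confirm that the 0.10.10 tree's copy of that header (or a header packet-ospf.c already includes) declares both under exactly these names, otherwise the build fails or, worse, a differently sized struct is picked up.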
@@ -2320,37 +2321,28 @@
static void dissect_ospf_v3_address_prefix(tvbuff_t *tvb, int offset, int
prefix_length, proto_tree *tree)
{
- guint8 value;
- guint8 position;
- guint8 bufpos;
- gchar buffer[32+7];
- gchar bytebuf[3];
- guint8 bytes_to_process;
- int start_offset;
+ int bytes_to_process;
+ struct e_in6_addr prefix;
- start_offset=offset;
- position=0;
- bufpos=0;
bytes_to_process=((prefix_length+31)/32)*4;
- while (bytes_to_process > 0 ) {
-
- value=tvb_get_guint8(tvb, offset);
-
- if ( (position > 0) && ( (position%2) == 0 ) )
- buffer[bufpos++]=':';
-
- sprintf(bytebuf,"%02x",value);
- buffer[bufpos++]=bytebuf[0];
- buffer[bufpos++]=bytebuf[1];
-
- position++;
- offset++;
- bytes_to_process--;
+ if (prefix_length > 128) {
+ proto_tree_add_text(tree, tvb, offset, bytes_to_process,
+ "Address Prefix: length is invalid (%d, should be <= 128)",
+ prefix_length);
+ return;
}
- buffer[bufpos]=0;
- proto_tree_add_text(tree, tvb, start_offset, ((prefix_length+31)/32)*4,
"Address Prefix: %s",buffer);
+ memset(prefix.u6_addr.u6_addr8, 0, sizeof prefix.u6_addr.u6_addr8);
+ if (bytes_to_process != 0) {
+ tvb_memcpy(tvb, prefix.u6_addr.u6_addr8, offset, bytes_to_process);
+ if (prefix_length % 8) {
+ prefix.u6_addr.u6_addr8[bytes_to_process - 1] &=
+ ((0xff00 >> (prefix_length % 8)) & 0xff);
+ }
+ }
+ proto_tree_add_text(tree, tvb, offset, bytes_to_process,
+ "Address Prefix: %s", ip6_to_str(&prefix));
}
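Review bot: the `prefix_length > 128` guard bounds only the upper end while `prefix_length` is an `int`, so a negative value would pass the check, and for values below about -32 `bytes_to_process` becomes negative (e.g. -64 gives ((-64+31)/32)*4 == -4) and reaches tvb_memcpy() (zero is skipped by the `!= 0` test); either test `prefix_length < 0 || prefix_length > 128` or take the parameter as an unsigned type matching the 8-bit field it comes from. Otherwise the rewrite is sound: with prefix_length <= 128, bytes_to_process is at most 16, which is exactly sizeof prefix.u6_addr.u6_addr8 after the memset, so the copy can no longer outgrow its destination the way the old 39-byte `buffer[32+7]` could (up to 32 input bytes rendered as 64 hex digits plus 15 colons and a NUL), and the `(0xff00 >> (prefix_length % 8)) & 0xff` mask correctly clears the host bits of a partial trailing byte.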