File tcpdump-CVE-2018-16227.patch of Package tcpdump.22839

Overview Repositories Revisions Requests Users Attributes Meta

File tcpdump-CVE-2018-16227.patch of Package tcpdump.22839

From 4846b3c5d0a850e860baf4f07340495d29837d09 Mon Sep 17 00:00:00 2001
From: Denis Ovsienko <denis@ovsienko.info>
Date: Wed, 29 Aug 2018 00:38:40 +0100
Subject: [PATCH] (for 4.9.3) CVE-2018-16227/IEEE 802.11: add a missing bounds
 check

ieee802_11_print() tried to access the Mesh Flags subfield of the Mesh
Control field to find the size of the latter and increment the expected
802.11 header length before checking it is fully present in the input
buffer. Add an intermediate bounds check to make it safe.

This fixes a buffer over-read discovered by Ryan Ackroyd.

Add a test using the capture file supplied by the reporter(s).
---
 print-802_11.c                     |   4 ++++
 tests/TESTLIST                     |   3 +++
 tests/ieee802.11_meshhdr-oobr.out  |   1 +
 tests/ieee802.11_meshhdr-oobr.pcap | Bin 0 -> 867 bytes
 4 files changed, 8 insertions(+)
 create mode 100644 tests/ieee802.11_meshhdr-oobr.out
 create mode 100644 tests/ieee802.11_meshhdr-oobr.pcap

diff --git a/print-802_11.c b/print-802_11.c
index 7c65941ae..50a3e9f59 100644
--- a/print-802_11.c
+++ b/print-802_11.c
@@ -2058,6 +2058,10 @@ ieee802_11_print(netdissect_options *ndo,
 		hdrlen = roundup2(hdrlen, 4);
 	if (ndo->ndo_Hflag && FC_TYPE(fc) == T_DATA &&
 	    DATA_FRAME_IS_QOS(FC_SUBTYPE(fc))) {
+		if (caplen < hdrlen + 1) {
+			ND_PRINT((ndo, "%s", tstr));
+			return hdrlen;
+		}
 		meshdrlen = extract_mesh_header_length(p+hdrlen);
 		hdrlen += meshdrlen;
 	} else

Places

File tcpdump-CVE-2018-16227.patch of Package tcpdump.22839

Places