File tcpdump-CVE-2018-14470.patch of Package tcpdump

Overview Repositories Revisions Requests Users Attributes Meta

File tcpdump-CVE-2018-14470.patch of Package tcpdump

From 12f66f69f7bf1ec1266ddbee90a7616cbf33696b Mon Sep 17 00:00:00 2001
From: Denis Ovsienko <denis@ovsienko.info>
Date: Tue, 12 Sep 2017 10:59:16 +0100
Subject: [PATCH] (for 4.9.3) CVE-2018-14470/Babel: fix an existing length
 check

In babel_print_v2() the non-verbose branch for an Update TLV compared
the TLV Length against 1 instead of 10 (probably a typo), put it right.

This fixes a buffer over-read discovered by Henri Salo from Nixu
Corporation.

Add a test using the capture file supplied by the reporter(s).
---
 print-babel.c                |   2 +-
 tests/TESTLIST               |   1 +
 tests/babel_update_oobr.out  |  66 +++++++++++++++++++++++++++++++++++
 tests/babel_update_oobr.pcap | Bin 0 -> 9888 bytes
 4 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 tests/babel_update_oobr.out
 create mode 100644 tests/babel_update_oobr.pcap

diff --git a/print-babel.c b/print-babel.c
index f8741d7bf..1a31f2a3c 100644
--- a/print-babel.c
+++ b/print-babel.c
@@ -480,7 +480,7 @@ babel_print_v2(netdissect_options *ndo,
         case MESSAGE_UPDATE: {
             if (!ndo->ndo_vflag) {
                 ND_PRINT((ndo, " update"));
-                if(len < 1)
+                if(len < 10)
                     ND_PRINT((ndo, "/truncated"));
                 else
                     ND_PRINT((ndo, "%s%s%s",

Places

File tcpdump-CVE-2018-14470.patch of Package tcpdump

Places