Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
tcpdump
tcpdump-CVE-2018-16230.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File tcpdump-CVE-2018-16230.patch of Package tcpdump
From 13d52e9c0e7caf7e6325b0051bc90a49968be67f Mon Sep 17 00:00:00 2001 From: Denis Ovsienko <denis@ovsienko.info> Date: Thu, 23 Aug 2018 22:09:16 +0100 Subject: [PATCH] (for 4.9.3) CVE-2018-16230/BGP: fix decoding of MP_REACH_NLRI When bgp_attr_print() tried to decode the variable-length nexthop value for the NSAP VPN case, it did not check that the declared length is good to interpret the value as a mapped IPv4 or IPv6 address. Add missing checks to make this safe. This fixes a buffer over-read discovered by Include Security working under the Mozilla SOS program in 2018 by means of code audit. Bhargava Shastry, SecT/TU Berlin, had independently identified this vulnerability by means of fuzzing and provided the packet capture file for the test. --- print-bgp.c | 6 +- tests/TESTLIST | 1 + tests/bgp_mp_reach_nlri-oobr.out | 277 ++++++++++++++++++++++++++++++ tests/bgp_mp_reach_nlri-oobr.pcap | Bin 0 -> 2789 bytes 4 files changed, 282 insertions(+), 2 deletions(-) create mode 100644 tests/bgp_mp_reach_nlri-oobr.out create mode 100644 tests/bgp_mp_reach_nlri-oobr.pcap diff --git a/print-bgp.c b/print-bgp.c index b02827ed2..e9b4c2bd9 100644 --- a/print-bgp.c +++ b/print-bgp.c @@ -1700,10 +1700,12 @@ bgp_attr_print(netdissect_options *ndo, bgp_vpn_rd_print(ndo, tptr), isonsap_string(ndo, tptr+BGP_VPN_RD_LEN,tlen-BGP_VPN_RD_LEN))); /* rfc986 mapped IPv4 address ? */ - if (EXTRACT_32BITS(tptr+BGP_VPN_RD_LEN) == 0x47000601) + if (tlen == BGP_VPN_RD_LEN + 4 + sizeof(struct in_addr) + && EXTRACT_32BITS(tptr+BGP_VPN_RD_LEN) == 0x47000601) ND_PRINT((ndo, " = %s", ipaddr_string(ndo, tptr+BGP_VPN_RD_LEN+4))); /* rfc1888 mapped IPv6 address ? */ - else if (EXTRACT_24BITS(tptr+BGP_VPN_RD_LEN) == 0x350000) + else if (tlen == BGP_VPN_RD_LEN + 3 + sizeof(struct in6_addr) + && EXTRACT_24BITS(tptr+BGP_VPN_RD_LEN) == 0x350000) ND_PRINT((ndo, " = %s", ip6addr_string(ndo, tptr+BGP_VPN_RD_LEN+3))); tptr += tlen; tlen = 0;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor