File tcpdump-CVE-2018-14468.patch of Package tcpdump.22839

Overview Repositories Revisions Requests Users Attributes Meta

File tcpdump-CVE-2018-14468.patch of Package tcpdump.22839

From aa3e54f594385ce7e1e319b0c84999e51192578b Mon Sep 17 00:00:00 2001
From: Denis Ovsienko <denis@ovsienko.info>
Date: Fri, 1 Sep 2017 17:55:39 +0100
Subject: [PATCH] (for 4.9.3) CVE-2018-14468/FRF.16: Add a missing length
 check.

The specification says in a well-formed Magic Number information element
the data is exactly 4 bytes long. In mfr_print() check this before trying
to read those 4 bytes.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
---
 print-fr.c                     |   5 +++++
 tests/TESTLIST                 |   1 +
 tests/frf16_magic_ie-oobr.out  |   2 ++
 tests/frf16_magic_ie-oobr.pcap | Bin 0 -> 124 bytes
 4 files changed, 8 insertions(+)
 create mode 100644 tests/frf16_magic_ie-oobr.out
 create mode 100644 tests/frf16_magic_ie-oobr.pcap

Index: tcpdump-4.9.2/print-fr.c
===================================================================
--- tcpdump-4.9.2.orig/print-fr.c
+++ tcpdump-4.9.2/print-fr.c
@@ -493,6 +493,11 @@ mfr_print(netdissect_options *ndo,
             switch (ie_type) {
 
             case MFR_CTRL_IE_MAGIC_NUM:
+                /* FRF.16.1 Section 3.4.3 Magic Number Information Element */
+                if (ie_len != 4) {
+                    ND_PRINT((ndo, "(invalid length)"));
+                    break;
+                }
                 ND_PRINT((ndo, "0x%08x", EXTRACT_32BITS(tptr)));
                 break;

Places

File tcpdump-CVE-2018-14468.patch of Package tcpdump.22839

Places