File tcpdump-CVE-2018-14468.patch of Package tcpdump.17077
From aa3e54f594385ce7e1e319b0c84999e51192578b Mon Sep 17 00:00:00 2001 From: Denis Ovsienko <denis@ovsienko.info> Date: Fri, 1 Sep 2017 17:55:39 +0100 Subject: [PATCH] (for 4.9.3) CVE-2018-14468/FRF.16: Add a missing length check. The specification says in a well-formed Magic Number information element the data is exactly 4 bytes long. In mfr_print() check this before trying to read those 4 bytes. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s). --- print-fr.c | 5 +++++ tests/TESTLIST | 1 + tests/frf16_magic_ie-oobr.out | 2 ++ tests/frf16_magic_ie-oobr.pcap | Bin 0 -> 124 bytes 4 files changed, 8 insertions(+) create mode 100644 tests/frf16_magic_ie-oobr.out create mode 100644 tests/frf16_magic_ie-oobr.pcap Index: tcpdump-4.9.2/print-fr.c =================================================================== --- tcpdump-4.9.2.orig/print-fr.c +++ tcpdump-4.9.2/print-fr.c @@ -493,6 +493,11 @@ mfr_print(netdissect_options *ndo, switch (ie_type) { case MFR_CTRL_IE_MAGIC_NUM: + /* FRF.16.1 Section 3.4.3 Magic Number Information Element */ + if (ie_len != 4) { + ND_PRINT((ndo, "(invalid length)")); + break; + } ND_PRINT((ndo, "0x%08x", EXTRACT_32BITS(tptr))); break;
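Review bot: the new ie_len != 4 test in the MFR_CTRL_IE_MAGIC_NUM case validates only the length the packet declares, so the EXTRACT_32BITS(tptr) after it is safe only if the captured data has already been bounds-checked for ie_len bytes. That check does not appear in the hunk's context lines; please confirm it precedes the switch in mfr_print(), or add one in this case before the read. Separately, the diffstat lists tests/TESTLIST and the two tests/frf16_magic_ie-oobr files, but only the print-fr.c hunk is present in this file, so the regression test the commit message mentions is not carried by this package patch; consider including it or noting why it was dropped.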