Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:Alexander_Naumov:SLE-12:Update
tcpdump.17078
tcpdump-CVE-2018-14461.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File tcpdump-CVE-2018-14461.patch of Package tcpdump.17078
From aa5c6b710dfd8020d2c908d6b3bd41f1da719b3b Mon Sep 17 00:00:00 2001 From: Francois-Xavier Le Bail <devel.fx.lebail@orange.fr> Date: Sun, 8 Oct 2017 11:49:24 +0200 Subject: [PATCH] (for 4.9.3) CVE-2018-14461/LDP: Fix a bounds check In ldp_tlv_print(), the FT Session TLV length must be 12, not 8 (RFC3479) This fixes a buffer over-read discovered by Konrad Rieck and Bhargava Shastry. Add a test using the capture file supplied by the reporter(s). Moreover: Add and use tstr[]. Add a comment. --- print-ldp.c | 9 ++++++--- tests/TESTLIST | 1 + tests/ldp-ldp_tlv_print-oobr.out | 6 ++++++ tests/ldp-ldp_tlv_print-oobr.pcap | Bin 0 -> 395 bytes 4 files changed, 13 insertions(+), 3 deletions(-) create mode 100644 tests/ldp-ldp_tlv_print-oobr.out create mode 100644 tests/ldp-ldp_tlv_print-oobr.pcap diff --git a/print-ldp.c b/print-ldp.c index 1bb27fe41..afd943d0a 100644 --- a/print-ldp.c +++ b/print-ldp.c @@ -29,6 +29,8 @@ #include "l2vpn.h" #include "af.h" +static const char tstr[] = " [|LDP]"; + /* * ldp common header * @@ -486,7 +488,7 @@ ldp_tlv_print(netdissect_options *ndo, break; case LDP_TLV_FT_SESSION: - TLV_TCHECK(8); + TLV_TCHECK(12); ft_flags = EXTRACT_16BITS(tptr); ND_PRINT((ndo, "\n\t Flags: [%sReconnect, %sSave State, %sAll-Label Protection, %s Checkpoint, %sRe-Learn State]", ft_flags&0x8000 ? "" : "No ", @@ -494,6 +496,7 @@ ldp_tlv_print(netdissect_options *ndo, ft_flags&0x4 ? "" : "No ", ft_flags&0x2 ? "Sequence Numbered Label" : "All Labels", ft_flags&0x1 ? "" : "Don't ")); + /* 16 bits (FT Flags) + 16 bits (Reserved) */ tptr+=4; ui = EXTRACT_32BITS(tptr); if (ui) @@ -534,7 +537,7 @@ ldp_tlv_print(netdissect_options *ndo, return(tlv_len+4); /* Type & Length fields not included */ trunc: - ND_PRINT((ndo, "\n\t\t packet exceeded snapshot")); + ND_PRINT((ndo, "%s", tstr)); return 0; badtlv: @@ -692,7 +695,7 @@ ldp_pdu_print(netdissect_options *ndo, } return pdu_len+4; trunc: - ND_PRINT((ndo, "\n\t\t packet exceeded snapshot")); + ND_PRINT((ndo, "%s", tstr)); return 0; }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor