Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Please login to access the resource
openSUSE:Leap:15.2:Staging:A
tcpdump
tcpdump-CVE-2018-14466.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File tcpdump-CVE-2018-14466.patch of Package tcpdump
From c24922e692a52121e853a84ead6b9337f4c08a94 Mon Sep 17 00:00:00 2001 From: Denis Ovsienko <denis@ovsienko.info> Date: Tue, 19 Sep 2017 13:33:55 +0100 Subject: [PATCH] (for 4.9.3) CVE-2018-14466/Rx: fix an over-read bug In rx_cache_insert() and rx_cache_find() properly read the serviceId field of the rx_header structure as a 16-bit integer. When those functions tried to read 32 bits the extra 16 bits could be outside of the bounds checked in rx_print() for the rx_header structure, as serviceId is the last field in that structure. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s). --- print-rx.c | 4 ++-- tests/TESTLIST | 1 + tests/rx_serviceid_oobr.out | 3 +++ tests/rx_serviceid_oobr.pcap | Bin 0 -> 2759 bytes 4 files changed, 6 insertions(+), 2 deletions(-) create mode 100644 tests/rx_serviceid_oobr.out create mode 100644 tests/rx_serviceid_oobr.pcap diff --git a/print-rx.c b/print-rx.c index 0d3cd3759..bf2af0cb7 100644 --- a/print-rx.c +++ b/print-rx.c @@ -694,7 +694,7 @@ rx_cache_insert(netdissect_options *ndo, UNALIGNED_MEMCPY(&rxent->client, &ip->ip_src, sizeof(uint32_t)); UNALIGNED_MEMCPY(&rxent->server, &ip->ip_dst, sizeof(uint32_t)); rxent->dport = dport; - rxent->serviceId = EXTRACT_32BITS(&rxh->serviceId); + rxent->serviceId = EXTRACT_16BITS(&rxh->serviceId); rxent->opcode = EXTRACT_32BITS(bp + sizeof(struct rx_header)); } @@ -725,7 +725,7 @@ rx_cache_find(const struct rx_header *rxh, const struct ip *ip, int sport, if (rxent->callnum == EXTRACT_32BITS(&rxh->callNumber) && rxent->client.s_addr == clip && rxent->server.s_addr == sip && - rxent->serviceId == EXTRACT_32BITS(&rxh->serviceId) && + rxent->serviceId == EXTRACT_16BITS(&rxh->serviceId) && rxent->dport == sport) { /* We got a match! */
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor