File tcpdump-CVE-2018-16229.patch of Package tcpdump

Overview Repositories Revisions Requests Users Attributes Meta

File tcpdump-CVE-2018-16229.patch of Package tcpdump

From 211124b972e74f0da66bc8b16f181f78793e2f66 Mon Sep 17 00:00:00 2001
From: Francois-Xavier Le Bail <devel.fx.lebail@orange.fr>
Date: Mon, 21 May 2018 09:25:15 +0200
Subject: [PATCH] (for 4.9.3) CVE-2018-16229/DCCP: Fix printing "Timestamp" and
 "Timestamp Echo" options

Add some comments.

Moreover:
Put a function definition name at the beginning of the line.

(This change was ported from commit 6df4852 in the master branch.)

Ryan Ackroyd had independently identified this buffer over-read later by
means of fuzzing and provided the packet capture file for the test.
---
 print-dccp.c                 |  53 ++++++++++++++++++++++++++++++-----
 tests/TESTLIST               |   1 +
 tests/dccp_options-oobr.out  |  19 +++++++++++++
 tests/dccp_options-oobr.pcap | Bin 0 -> 3298 bytes
 4 files changed, 66 insertions(+), 7 deletions(-)
 create mode 100644 tests/dccp_options-oobr.out
 create mode 100644 tests/dccp_options-oobr.pcap

diff --git a/print-dccp.c b/print-dccp.c
index 6e2526427..bc3feb7c1 100644
--- a/print-dccp.c
+++ b/print-dccp.c
@@ -530,7 +530,8 @@ static const struct tok dccp_option_values[] = {
 	{ 0, NULL }
 };
 
-static int dccp_print_option(netdissect_options *ndo, const u_char *option, u_int hlen)
+static int
+dccp_print_option(netdissect_options *ndo, const u_char *option, u_int hlen)
 {
 	uint8_t optlen, i;
 
@@ -623,16 +624,54 @@ static int dccp_print_option(netdissect_options *ndo, const u_char *option, u_in
 			}
 			break;
 		case 41:
-			if (optlen == 4)
+		/*
+		 * 13.1.  Timestamp Option
+		 *
+		 *  +--------+--------+--------+--------+--------+--------+
+		 *  |00101001|00000110|          Timestamp Value          |
+		 *  +--------+--------+--------+--------+--------+--------+
+		 *   Type=41  Length=6
+		 */
+			if (optlen == 6)
 				ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
 			else
-				ND_PRINT((ndo, " optlen != 4"));
+				ND_PRINT((ndo, " [optlen != 6]"));
 			break;
 		case 42:
-			if (optlen == 4)
+		/*
+		 * 13.3.  Timestamp Echo Option
+		 *
+		 *  +--------+--------+--------+--------+--------+--------+
+		 *  |00101010|00000110|           Timestamp Echo          |
+		 *  +--------+--------+--------+--------+--------+--------+
+		 *   Type=42    Len=6
+		 *
+		 *  +--------+--------+------- ... -------+--------+--------+
+		 *  |00101010|00001000|  Timestamp Echo   |   Elapsed Time  |
+		 *  +--------+--------+------- ... -------+--------+--------+
+		 *   Type=42    Len=8       (4 bytes)
+		 *
+		 *  +--------+--------+------- ... -------+------- ... -------+
+		 *  |00101010|00001010|  Timestamp Echo   |    Elapsed Time   |
+		 *  +--------+--------+------- ... -------+------- ... -------+
+		 *   Type=42   Len=10       (4 bytes)           (4 bytes)
+		 */
+			switch (optlen) {
+			case 6:
 				ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
-			else
-				ND_PRINT((ndo, " optlen != 4"));
+				break;
+			case 8:
+				ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
+				ND_PRINT((ndo, " (elapsed time %u)", EXTRACT_16BITS(option + 6)));
+				break;
+			case 10:
+				ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
+				ND_PRINT((ndo, " (elapsed time %u)", EXTRACT_32BITS(option + 6)));
+				break;
+			default:
+				ND_PRINT((ndo, " [optlen != 6 or 8 or 10]"));
+				break;
+			}
 			break;
 		case 43:
 			if (optlen == 6)
@@ -640,7 +679,7 @@ static int dccp_print_option(netdissect_options *ndo, const u_char *option, u_in
 			else if (optlen == 4)
 				ND_PRINT((ndo, " %u", EXTRACT_16BITS(option + 2)));
 			else
-				ND_PRINT((ndo, " optlen != 4 or 6"));
+				ND_PRINT((ndo, " [optlen != 4 or 6]"));
 			break;
 		case 44:
 			if (optlen > 2) {

Places

File tcpdump-CVE-2018-16229.patch of Package tcpdump

Places