openSUSE:Leap:15.2:Staging:N
File libpcap-CVE-2019-15165.patch of Package libpcap
From 87d6bef033062f969e70fa40c43dfd945d5a20ab Mon Sep 17 00:00:00 2001 From: Michael Richardson <mcr@sandelman.ca> Date: Fri, 20 Sep 2019 11:02:00 -0400 Subject: [PATCH] do sanity checks on PHB header length before allocating memory. There was no fault; but doing the check results in a more consistent error --- sf-pcapng.c | 26 ++++++++++---------------- 1 file changed, 10 insertions(+), 16 deletions(-) Index: libpcap-1.8.1/sf-pcap-ng.c =================================================================== --- libpcap-1.8.1.orig/sf-pcap-ng.c +++ libpcap-1.8.1/sf-pcap-ng.c @@ -102,7 +102,7 @@ struct option_header { * Section Header Block. */ #define BT_SHB 0x0A0D0D0A - +#define BT_SHB_INSANE_MAX 1024U*1024U*1U /* 1MB should be enough */ struct section_header_block { bpf_u_int32 byte_order_magic; u_short major_version; @@ -247,7 +247,7 @@ read_bytes(FILE *fp, void *buf, size_t b if (amt_read == 0 && !fail_on_eof) return (0); /* EOF */ pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, - "truncated dump file; tried to read %lu bytes, only got %lu", + "truncated pcapng dump file; tried to read %zu bytes, only got %zu", (unsigned long)bytes_to_read, (unsigned long)amt_read); } @@ -798,11 +798,13 @@ pcap_ng_check_header(bpf_u_int32 magic, /* * Check the sanity of the total length. */ - if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) { + if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer) || + (total_length > BT_SHB_INSANE_MAX)) { pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, - "Section Header Block in pcap-ng dump file has a length of %u < %lu", - total_length, - (unsigned long)(sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer))); + "Section Header Block in pcapng dump file has invalid length %zu < _%u_ < %u (BT_SHB_INSANE_MAX)", + sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer), + total_length, + BT_SHB_INSANE_MAX); *err = 1; return (NULL); }
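Review bot: In the first hunk (the define next to BT_SHB), the new macro BT_SHB_INSANE_MAX expands to the bare expression 1024U*1024U*1U with no enclosing parentheses. Its only use in this patch, `total_length > BT_SHB_INSANE_MAX`, parses as intended because `>` binds more loosely than `*`, but a later use beside `/`, `%` or a cast would silently compute a different value. Suggest `#define BT_SHB_INSANE_MAX (1024U*1024U*1U)`. The hunk also drops the blank line that separated the define from struct section_header_block; keeping it would leave the layout unchanged.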
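Review bot: In the read_bytes() hunk, the format string now uses %zu twice, but the two arguments on the unchanged line that follows are still cast with `(unsigned long)bytes_to_read, (unsigned long)amt_read`. %zu expects a size_t argument, so specifier and argument type no longer match, and on platforms where size_t and unsigned long differ in width the printed values are wrong. Either drop the casts (if both variables are size_t, as the `size_t b...` parameter in the hunk header suggests for the first) or keep %lu together with the casts.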
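Review bot: In the pcap_ng_check_header() hunk, one error message now serves both the too-short and the too-long case, and its text `invalid length %zu < _%u_ < %u (BT_SHB_INSANE_MAX)` prints the range as a chain of inequalities that, by construction, does not hold when this branch runs. A reader of the error cannot tell which bound was violated without redoing the comparison. Suggest either two separate checks with their own messages, or wording such as "length %u is outside the allowed range %zu to %u". The added upper bound itself is the substance of the fix and is placed correctly, before the caller can size a buffer from total_length.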