Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.5:Update
tcpdump.17077
tcpdump-CVE-2018-14464.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File tcpdump-CVE-2018-14464.patch of Package tcpdump.17077
From d97e94223720684c6aa740ff219e0d19426c2220 Mon Sep 17 00:00:00 2001 From: Francois-Xavier Le Bail <devel.fx.lebail@orange.fr> Date: Tue, 17 Oct 2017 21:56:46 +0200 Subject: [PATCH] (for 4.9.3) CVE-2018-14464/LMP: Add a missing bounds check In lmp_print_data_link_subobjs(). This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s). --- print-lmp.c | 20 ++++++++++++---- tests/TESTLIST | 1 + .../lmp-lmp_print_data_link_subobjs-oobr.out | 22 ++++++++++++++++++ .../lmp-lmp_print_data_link_subobjs-oobr.pcap | Bin 0 -> 11547 bytes 4 files changed, 39 insertions(+), 4 deletions(-) create mode 100644 tests/lmp-lmp_print_data_link_subobjs-oobr.out create mode 100644 tests/lmp-lmp_print_data_link_subobjs-oobr.pcap Index: tcpdump-4.9.2/print-lmp.c =================================================================== --- tcpdump-4.9.2.orig/print-lmp.c +++ tcpdump-4.9.2/print-lmp.c @@ -399,6 +399,7 @@ lmp_print_data_link_subobjs(netdissect_o "Unknown", EXTRACT_8BITS(obj_tptr+offset+3)), EXTRACT_8BITS(obj_tptr+offset+3))); + ND_TCHECK_32BITS(obj_tptr + offset + 4); bw.i = EXTRACT_32BITS(obj_tptr+offset+4); ND_PRINT((ndo, "\n\t Min Reservable Bandwidth: %.3f Mbps", bw.f*8/1000000)); @@ -419,6 +420,8 @@ lmp_print_data_link_subobjs(netdissect_o offset+=subobj_len; } return (hexdump); +trunc: + return -1; } void @@ -429,7 +432,7 @@ lmp_print(netdissect_options *ndo, const struct lmp_object_header *lmp_obj_header; const u_char *tptr,*obj_tptr; u_int tlen,lmp_obj_len,lmp_obj_ctype,obj_tlen; - int hexdump; + int hexdump, ret; u_int offset; u_int link_type; @@ -731,7 +734,10 @@ lmp_print(netdissect_options *ndo, ipaddr_string(ndo, obj_tptr+8), EXTRACT_32BITS(obj_tptr+8))); - if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12)) + ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12); + if (ret == -1) + goto trunc; + if (ret == TRUE) hexdump=TRUE; break; @@ -751,7 +757,10 @@ lmp_print(netdissect_options *ndo, ip6addr_string(ndo, obj_tptr+20), EXTRACT_32BITS(obj_tptr+20))); - if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 36, 36)) + ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 36, 36); + if (ret == -1) + goto trunc; + if (ret == TRUE) hexdump=TRUE; break; @@ -771,7 +780,10 @@ lmp_print(netdissect_options *ndo, EXTRACT_32BITS(obj_tptr+8), EXTRACT_32BITS(obj_tptr+8))); - if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12)) + ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12); + if (ret == -1) + goto trunc; + if (ret == TRUE) hexdump=TRUE; break;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor