File tcpdump-CVE-2014-8768.patch of Package tcpdump
From 9255c9b05b0a04b8d89739b3efcb9f393a617fe9 Mon Sep 17 00:00:00 2001 From: Guy Harris <guy@alum.mit.edu> Date: Tue, 11 Nov 2014 15:51:54 -0800 Subject: [PATCH 1/3] Do bounds checking and length checking. Don't run past the end of the captured data, and don't run past the end of the packet (i.e., don't make the length variable go negative). --- print-geonet.c | 270 ++++++++++++++++++++++++++++++++------------------------- 1 file changed, 151 insertions(+), 119 deletions(-) Index: tcpdump-4.5.1/print-geonet.c =================================================================== --- tcpdump-4.5.1.orig/print-geonet.c 2014-12-01 13:48:31.711805911 +0100 +++ tcpdump-4.5.1/print-geonet.c 2014-12-01 15:43:08.765196102 +0100 @@ -62,10 +62,6 @@ print_btp_body(const u_char *bp, u_int l int msg_type; const char *msg_type_str; - if (length <= 2) { - return; - } - /* Assuming ItsDpuHeader */ version = bp[0]; msg_type = bp[1]; @@ -82,8 +78,8 @@ print_btp(const u_char *bp) printf("; BTP Dst:%u Src:%u", dest, src); } -static void -print_long_pos_vector(const u_char *bp) +static int +print_long_pos_vector(netdissect_options *ndo, const u_char *bp) { int i; u_int32_t lat, lon; @@ -95,10 +91,14 @@ print_long_pos_vector(const u_char *bp) } printf(" "); + if (!ND_TTEST2(*(bp+12), 8)) + return (-1); + lat = EXTRACT_32BITS(bp+12); printf("lat:%d ", lat); lon = EXTRACT_32BITS(bp+16); printf("lon:%d", lon); + return (0); } 
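Review bot: print_btp_body now reads `bp[0]` and `bp[1]` with no check of its own, so its safety depends entirely on the caller, and nothing at the definition records that. A comment above the function such as `/* Caller must ensure length >= 2 and that 2 bytes at bp are captured. */` would state the precondition. The `length` parameter may also be unused after this removal; the rest of the body is outside the hunk, so confirm that before dropping it.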
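Review bot: The added `ND_TTEST2(*(bp+12), 8)` in print_long_pos_vector covers only the lat/lon bytes at offsets 12-19, and it sits after the loop that closes just before `printf(" ")`. That loop is outside the hunk; if it reads from bp, those reads still happen before any captured-length test. In that case the check belongs at the top of the function and should cover the whole vector, e.g. `if (!ND_TTEST2(*bp, 20)) return (-1);`. The new 0 / -1 return convention also deserves a one-line comment above the function.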
@@ -109,26 +109,36 @@ print_long_pos_vector(const u_char *bp) void geonet_print(netdissect_options *ndo, const u_char *eth, const u_char *bp, u_int length) { + int version; + int next_hdr; + int hdr_type; + int hdr_subtype; + uint16_t payload_length; + int hop_limit; + const char *next_hdr_txt = "Unknown"; + const char *hdr_type_txt = "Unknown"; + int hdr_size = -1; + printf("GeoNet src:%s; ", etheraddr_string(eth+6)); - if (length >= 36) { - /* Process Common Header */ - int version = bp[0] >> 4; - int next_hdr = bp[0] & 0x0f; - int hdr_type = bp[1] >> 4; - int hdr_subtype = bp[1] & 0x0f; - u_int16_t payload_length = EXTRACT_16BITS(bp+4); - int hop_limit = bp[7]; - const char *next_hdr_txt = "Unknown"; - const char *hdr_type_txt = "Unknown"; - int hdr_size = -1; - - switch (next_hdr) { - case 0: next_hdr_txt = "Any"; break; - case 1: next_hdr_txt = "BTP-A"; break; - case 2: next_hdr_txt = "BTP-B"; break; - case 3: next_hdr_txt = "IPv6"; break; - } + /* Process Common Header */ + if (length < 36) + goto malformed; + + ND_TCHECK2(*bp, 7); + version = bp[0] >> 4; + next_hdr = bp[0] & 0x0f; + hdr_type = bp[1] >> 4; + hdr_subtype = bp[1] & 0x0f; + payload_length = EXTRACT_16BITS(bp+4); + hop_limit = bp[7]; + + switch (next_hdr) { + case 0: next_hdr_txt = "Any"; break; + case 1: next_hdr_txt = "BTP-A"; break; + case 2: next_hdr_txt = "BTP-B"; break; + case 3: next_hdr_txt = "IPv6"; break; + } switch (hdr_type) { case 0: hdr_type_txt = "Any"; break; @@ -163,7 +173,8 @@ geonet_print(netdissect_options *ndo, co printf("HT:%d-%d-%s ", hdr_type, hdr_subtype, hdr_type_txt); printf("HopLim:%d ", hop_limit); printf("Payload:%d ", payload_length); - print_long_pos_vector(bp + 8); + if (print_long_pos_vector(ndo, bp + 8) == -1) + goto trunc; /* Skip Common Header */ length -= 36; 
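Review bot: `ND_TCHECK2(*bp, 7)` validates bytes 0-6 only, yet `hop_limit = bp[7]` a few lines later reads the eighth byte, so a capture cut off after seven bytes can still be read one byte past the captured data. The check should be `ND_TCHECK2(*bp, 8);`. Separately, the `length < 36` test bounds the on-wire length, not the captured length, so any later read inside the 36-byte common header needs its own ND_TCHECK. geonet_print's body continues outside this hunk, so other reads could not be checked from here.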
@@ -217,6 +228,9 @@ geonet_print(netdissect_options *ndo, co /* Skip Extended headers */ if (hdr_size >= 0) { + if (length < (u_int)hdr_size) + goto malformed; + ND_TCHECK2(*bp, hdr_size); length -= hdr_size; bp += hdr_size; switch (next_hdr) { @@ -224,22 +238,41 @@ geonet_print(netdissect_options *ndo, co break; case 1: case 2: /* BTP A/B */ + if (length < 4) + goto malformed; + ND_TCHECK2(*bp, 4); print_btp(bp); length -= 4; bp += 4; - print_btp_body(bp, length); + if (length >= 2) { + /* + * XXX - did print_btp_body() + * return if length < 2 + * because this is optional, + * or was that just not + * reporting genuine errors? + */ + ND_TCHECK2(*bp, 2); + print_btp_body(bp, length); + } break; case 3: /* IPv6 */ break; } } - } else { - printf("Malformed (small) "); - } /* Print user data part */ if (ndo->ndo_vflag) default_print(bp, length); + return; + +malformed: + ND_PRINT((ndo, " Malformed (small) ")); + /* XXX - print the remaining data as hex? */ + return; + +trunc: + ND_PRINT((ndo, "[|geonet]")); }
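Review bot: The BTP body guard moves the boundary without saying so: the check removed from print_btp_body returned for `length <= 2`, while the new `if (length >= 2)` prints a body of exactly two bytes. The XXX comment leaves open whether a shorter body is optional or an error, so a 0- or 1-byte remainder is silently skipped here while every other short case goes to `malformed`. I would settle that question in the comment and state the intended behaviour. The function also now mixes bare `printf` with `ND_PRINT((ndo, ...))`; using `ND_PRINT` throughout would keep the output path consistent.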