File tcpdump-CVE-2018-14464.patch of Package tcpdump.19046

From d97e94223720684c6aa740ff219e0d19426c2220 Mon Sep 17 00:00:00 2001
From: Francois-Xavier Le Bail <devel.fx.lebail@orange.fr>
Date: Tue, 17 Oct 2017 21:56:46 +0200
Subject: [PATCH] (for 4.9.3) CVE-2018-14464/LMP: Add a missing bounds check

In lmp_print_data_link_subobjs().

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
---
 print-lmp.c                                   |  20 ++++++++++++----
 tests/TESTLIST                                |   1 +
 .../lmp-lmp_print_data_link_subobjs-oobr.out  |  22 ++++++++++++++++++
 .../lmp-lmp_print_data_link_subobjs-oobr.pcap | Bin 0 -> 11547 bytes
 4 files changed, 39 insertions(+), 4 deletions(-)
 create mode 100644 tests/lmp-lmp_print_data_link_subobjs-oobr.out
 create mode 100644 tests/lmp-lmp_print_data_link_subobjs-oobr.pcap

Index: tcpdump-4.9.2/print-lmp.c
===================================================================
--- tcpdump-4.9.2.orig/print-lmp.c
+++ tcpdump-4.9.2/print-lmp.c
@@ -399,6 +399,7 @@ lmp_print_data_link_subobjs(netdissect_o
 			"Unknown",
 			EXTRACT_8BITS(obj_tptr+offset+3)),
 		EXTRACT_8BITS(obj_tptr+offset+3)));
+	    ND_TCHECK_32BITS(obj_tptr + offset + 4);
 	    bw.i = EXTRACT_32BITS(obj_tptr+offset+4);
 	    ND_PRINT((ndo, "\n\t      Min Reservable Bandwidth: %.3f Mbps",
                 bw.f*8/1000000));
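Review bot: The added ND_TCHECK_32BITS guards only the single 32-bit read at obj_tptr+offset+4; the 8-bit reads at offset+2/+3 just above it and any further reads later in this case (the rest of the switch is outside the hunk) are not covered by it, so unless the caller has already TCHECKed the whole object they still depend on bounds established elsewhere. Since subobj_len is known before the switch, a single check of the whole subobject, `ND_TCHECK2(obj_tptr[offset], subobj_len);` placed right after subobj_len is validated, would cover every field read in the loop body and make future per-field checks unnecessary. If that per-subobject check is preferred, the per-field check added here becomes redundant. lmp_print_data_link_subobjs starts before this hunk.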
@@ -419,6 +420,8 @@ lmp_print_data_link_subobjs(netdissect_o
 	offset+=subobj_len;
     }
     return (hexdump);
+trunc:
+    return -1;
 }
 
 void
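Review bot: The new `trunc:` path makes -1 a third return value of lmp_print_data_link_subobjs alongside the TRUE/FALSE it already returned in hexdump, and nothing in the function documents that contract; callers that test the result for truthiness would treat a truncation as "switch to hexdump" rather than as an error. Add a comment at the label, `/* Reached from ND_TCHECK*: packet truncated; -1 is distinct from the TRUE/FALSE hexdump result. */`, and state the three-way return in the comment on the function's definition (outside this hunk). Printing of the truncation marker appears to be left to the caller, which is consistent with the `goto trunc` in lmp_print, but that is inferred from the other hunks rather than visible here.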
@@ -429,7 +432,7 @@ lmp_print(netdissect_options *ndo,
     const struct lmp_object_header *lmp_obj_header;
     const u_char *tptr,*obj_tptr;
     u_int tlen,lmp_obj_len,lmp_obj_ctype,obj_tlen;
-    int hexdump;
+    int hexdump, ret;
     u_int offset;
     u_int link_type;
 
@@ -731,7 +734,10 @@ lmp_print(netdissect_options *ndo,
                        ipaddr_string(ndo, obj_tptr+8),
                        EXTRACT_32BITS(obj_tptr+8)));
 
-		if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12))
+		ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12);
+		if (ret == -1)
+		    goto trunc;
+		if (ret == TRUE)
 		    hexdump=TRUE;
 		break;
 
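Review bot: `if (ret == TRUE)` silently narrows the previous truthiness test: the old code set hexdump for any non-zero return, so if lmp_print_data_link_subobjs ever returns a non-zero value other than TRUE the hexdump fallback is now skipped, while the -1 error case is already handled by the line before it. Keeping the original semantics while separating the error case reads as `if (ret < 0) goto trunc;` followed by `if (ret) hexdump=TRUE;`. The same two lines repeat in the hunks at +757 and +780; the three identical blocks would be a candidate for a small static helper, but that is a larger change than this fix needs. lmp_print's `trunc` label is not in any of these hunks, so its presence is assumed.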
@@ -751,7 +757,10 @@ lmp_print(netdissect_options *ndo,
                        ip6addr_string(ndo, obj_tptr+20),
                        EXTRACT_32BITS(obj_tptr+20)));
 
-		if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 36, 36))
+		ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 36, 36);
+		if (ret == -1)
+		    goto trunc;
+		if (ret == TRUE)
 		    hexdump=TRUE;
 		break;
 
@@ -771,7 +780,10 @@ lmp_print(netdissect_options *ndo,
                        EXTRACT_32BITS(obj_tptr+8),
                        EXTRACT_32BITS(obj_tptr+8)));
 
-		if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12))
+		ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12);
+		if (ret == -1)
+		    goto trunc;
+		if (ret == TRUE)
 		    hexdump=TRUE;
 		break;
 