File tcpdump-CVE-2018-16229.patch of Package tcpdump.19046
From 211124b972e74f0da66bc8b16f181f78793e2f66 Mon Sep 17 00:00:00 2001
From: Francois-Xavier Le Bail <devel.fx.lebail@orange.fr>
Date: Mon, 21 May 2018 09:25:15 +0200
Subject: [PATCH] (for 4.9.3) CVE-2018-16229/DCCP: Fix printing "Timestamp" and
"Timestamp Echo" options
Add some comments.
Moreover:
Put a function definition name at the beginning of the line.
(This change was ported from commit 6df4852 in the master branch.)
Ryan Ackroyd had independently identified this buffer over-read later by
means of fuzzing and provided the packet capture file for the test.
---
print-dccp.c | 53 ++++++++++++++++++++++++++++++-----
tests/TESTLIST | 1 +
tests/dccp_options-oobr.out | 19 +++++++++++++
tests/dccp_options-oobr.pcap | Bin 0 -> 3298 bytes
4 files changed, 66 insertions(+), 7 deletions(-)
create mode 100644 tests/dccp_options-oobr.out
create mode 100644 tests/dccp_options-oobr.pcap
diff --git a/print-dccp.c b/print-dccp.c
index 6e2526427..bc3feb7c1 100644
--- a/print-dccp.c
+++ b/print-dccp.c
@@ -530,7 +530,8 @@ static const struct tok dccp_option_values[] = {
{ 0, NULL }
};
-static int dccp_print_option(netdissect_options *ndo, const u_char *option, u_int hlen)
+static int
+dccp_print_option(netdissect_options *ndo, const u_char *option, u_int hlen)
{
uint8_t optlen, i;
@@ -623,16 +624,54 @@ static int dccp_print_option(netdissect_options *ndo, const u_char *option, u_in
}
break;
case 41:
- if (optlen == 4)
+ /*
+ * 13.1. Timestamp Option
+ *
+ * +--------+--------+--------+--------+--------+--------+
+ * |00101001|00000110| Timestamp Value |
+ * +--------+--------+--------+--------+--------+--------+
+ * Type=41 Length=6
+ */
+ if (optlen == 6)
ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
else
- ND_PRINT((ndo, " optlen != 4"));
+ ND_PRINT((ndo, " [optlen != 6]"));
break;
case 42:
- if (optlen == 4)
+ /*
+ * 13.3. Timestamp Echo Option
+ *
+ * +--------+--------+--------+--------+--------+--------+
+ * |00101010|00000110| Timestamp Echo |
+ * +--------+--------+--------+--------+--------+--------+
+ * Type=42 Len=6
+ *
+ * +--------+--------+------- ... -------+--------+--------+
+ * |00101010|00001000| Timestamp Echo | Elapsed Time |
+ * +--------+--------+------- ... -------+--------+--------+
+ * Type=42 Len=8 (4 bytes)
+ *
+ * +--------+--------+------- ... -------+------- ... -------+
+ * |00101010|00001010| Timestamp Echo | Elapsed Time |
+ * +--------+--------+------- ... -------+------- ... -------+
+ * Type=42 Len=10 (4 bytes) (4 bytes)
+ */
+ switch (optlen) {
+ case 6:
ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
- else
- ND_PRINT((ndo, " optlen != 4"));
+ break;
+ case 8:
+ ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
+ ND_PRINT((ndo, " (elapsed time %u)", EXTRACT_16BITS(option + 6)));
+ break;
+ case 10:
+ ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
+ ND_PRINT((ndo, " (elapsed time %u)", EXTRACT_32BITS(option + 6)));
+ break;
+ default:
+ ND_PRINT((ndo, " [optlen != 6 or 8 or 10]"));
+ break;
+ }
break;
case 43:
if (optlen == 6)
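Review bot: The reads in cases 41 and 42 stay inside the option only because each fixed offset is paired with an exact `optlen` comparison, and nothing visible in this hunk records that pairing or shows that `optlen` bytes were verified as captured and within `hlen`. That earlier check presumably sits at the top of dccp_print_option, whose body starts and ends outside the hunk, so it should be confirmed there. A short comment before `case 41:` would keep later edits from reintroducing the over-read, for example `/* optlen bytes were bounds-checked above; every EXTRACT_* below must read only option[2..optlen-1] */`. The layout comments also cite sections 13.1 and 13.3 without naming the document; writing `RFC 4340, 13.1. Timestamp Option` and `RFC 4340, 13.3. Timestamp Echo Option` lets a reader verify the accepted lengths 6, 8 and 10 against the specification.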
@@ -640,7 +679,7 @@ static int dccp_print_option(netdissect_options *ndo, const u_char *option, u_in
else if (optlen == 4)
ND_PRINT((ndo, " %u", EXTRACT_16BITS(option + 2)));
else
- ND_PRINT((ndo, " optlen != 4 or 6"));
+ ND_PRINT((ndo, " [optlen != 4 or 6]"));
break;
case 44:
if (optlen > 2) {