From aa5c6b710dfd8020d2c908d6b3bd41f1da719b3b Mon Sep 17 00:00:00 2001
From: Francois-Xavier Le Bail <devel.fx.lebail@orange.fr>
Date: Sun, 8 Oct 2017 11:49:24 +0200
Subject: [PATCH] (for 4.9.3) CVE-2018-14461/LDP: Fix a bounds check
In ldp_tlv_print(), the FT Session TLV length must be 12, not 8 (RFC3479)
This fixes a buffer over-read discovered by Konrad Rieck and
Bhargava Shastry.
Add a test using the capture file supplied by the reporter(s).
Moreover:
Add and use tstr[].
Add a comment.
---
print-ldp.c | 9 ++++++---
tests/TESTLIST | 1 +
tests/ldp-ldp_tlv_print-oobr.out | 6 ++++++
tests/ldp-ldp_tlv_print-oobr.pcap | Bin 0 -> 395 bytes
4 files changed, 13 insertions(+), 3 deletions(-)
create mode 100644 tests/ldp-ldp_tlv_print-oobr.out
create mode 100644 tests/ldp-ldp_tlv_print-oobr.pcap
diff --git a/print-ldp.c b/print-ldp.c
index 1bb27fe41..afd943d0a 100644
--- a/print-ldp.c
+++ b/print-ldp.c
@@ -29,6 +29,8 @@
#include "l2vpn.h"
#include "af.h"
+static const char tstr[] = " [|LDP]";
+
/*
* ldp common header
*
@@ -486,7 +488,7 @@ ldp_tlv_print(netdissect_options *ndo,
break;
case LDP_TLV_FT_SESSION:
- TLV_TCHECK(8);
+ TLV_TCHECK(12);
ft_flags = EXTRACT_16BITS(tptr);
ND_PRINT((ndo, "\n\t Flags: [%sReconnect, %sSave State, %sAll-Label Protection, %s Checkpoint, %sRe-Learn State]",
ft_flags&0x8000 ? "" : "No ",
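Review bot: The new `TLV_TCHECK(12)` carries the fix as a bare magic number; the reader has to go to RFC 3479 to see why 8 was wrong and 12 is right, and the commit's own rationale is only in the message. A one-line comment on the check would tie the bound to the field layout it protects: `/* FT Flags(2) + Reserved(2) + FT Reconnect Timeout(4) + Recovery Time(4) = 12 bytes (RFC 3479) */`. Note also that this presumably only enforces a minimum TLV length (the macro body is outside this hunk), which is fine as long as every later EXTRACT in this case stays within the first 12 bytes; a short remark to that effect would keep a future field addition from silently re-opening the over-read. ldp_tlv_print and the ND_PRINT statement both continue outside the hunk.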
@@ -494,6 +496,7 @@ ldp_tlv_print(netdissect_options *ndo,
ft_flags&0x4 ? "" : "No ",
ft_flags&0x2 ? "Sequence Numbered Label" : "All Labels",
ft_flags&0x1 ? "" : "Don't "));
+ /* 16 bits (FT Flags) + 16 bits (Reserved) */
tptr+=4;
ui = EXTRACT_32BITS(tptr);
if (ui)
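Review bot: The added comment labels only the four bytes being skipped, not the field that is then read at `tptr`, so the next line's `EXTRACT_32BITS` is still an unnamed 32-bit load. Pairing it with a field name makes the 12-byte bound from the earlier check auditable from this spot: `ui = EXTRACT_32BITS(tptr); /* FT Reconnect Timeout (RFC 3479) */`. The remaining field reads of this case, and the rest of ldp_tlv_print, are outside the hunk.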
@@ -534,7 +537,7 @@ ldp_tlv_print(netdissect_options *ndo,
return(tlv_len+4); /* Type & Length fields not included */
trunc:
- ND_PRINT((ndo, "\n\t\t packet exceeded snapshot"));
+ ND_PRINT((ndo, "%s", tstr));
return 0;
badtlv:
@@ -692,7 +695,7 @@ ldp_pdu_print(netdissect_options *ndo,
}
return pdu_len+4;
trunc:
- ND_PRINT((ndo, "\n\t\t packet exceeded snapshot"));
+ ND_PRINT((ndo, "%s", tstr));
return 0;
}