File tcpdump-CVE-2018-14470.patch of Package tcpdump.17077
From 12f66f69f7bf1ec1266ddbee90a7616cbf33696b Mon Sep 17 00:00:00 2001
From: Denis Ovsienko <denis@ovsienko.info>
Date: Tue, 12 Sep 2017 10:59:16 +0100
Subject: [PATCH] (for 4.9.3) CVE-2018-14470/Babel: fix an existing length
check
In babel_print_v2() the non-verbose branch for an Update TLV compared
the TLV Length against 1 instead of 10 (probably a typo); put it right.
This fixes a buffer over-read discovered by Henri Salo from Nixu
Corporation.
Add a test using the capture file supplied by the reporter(s).
---
print-babel.c                |  2 +-
tests/TESTLIST               |  1 +
tests/babel_update_oobr.out  | 66 +++++++++++++++++++++++++++++++++++
tests/babel_update_oobr.pcap | Bin 0 -> 9888 bytes
4 files changed, 68 insertions(+), 1 deletion(-)
create mode 100644 tests/babel_update_oobr.out
create mode 100644 tests/babel_update_oobr.pcap
diff --git a/print-babel.c b/print-babel.c
index f8741d7bf..1a31f2a3c 100644
--- a/print-babel.c
+++ b/print-babel.c
@@ -480,7 +480,7 @@ babel_print_v2(netdissect_options *ndo,
case MESSAGE_UPDATE: {
if (!ndo->ndo_vflag) {
ND_PRINT((ndo, " update"));
- if(len < 1)
+ if(len < 10)
ND_PRINT((ndo, "/truncated"));
else
ND_PRINT((ndo, "%s%s%s",
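Review bot: the corrected bound in `+ if(len < 10)` is a bare magic number, and nothing in the hunk records what those 10 bytes are; a one-line comment at that check (or a named constant, if the verbose branch already has one for the same bound) stating that 10 is the size of the Update TLV's fixed fields before the prefix would make the check self-documenting and make a repeat of the `1`/`10` typo obvious in review. It is also worth stating in that comment that `len` is the TLV Length field from the wire, as the commit message says, so a reader sees that an Update TLV advertising fewer than 10 bytes now takes the `/truncated` path instead of being parsed.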