File tcpdump-CVE-2018-14881.patch of Package tcpdump.17077
From 86326e880d31b328a151d45348c35220baa9a1ff Mon Sep 17 00:00:00 2001
From: Francois-Xavier Le Bail <devel.fx.lebail@orange.fr>
Date: Sun, 8 Oct 2017 13:38:50 +0200
Subject: [PATCH] (for 4.9.3) CVE-2018-14881/BGP: Fix BGP_CAPCODE_RESTART.
Add a bounds check and a comment to bgp_capabilities_print().
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s).
---
print-bgp.c | 2 ++
tests/TESTLIST | 1 +
tests/bgp-bgp_capabilities_print-oobr-1.out | 27 +++++++++++++++++++
tests/bgp-bgp_capabilities_print-oobr-1.pcap | Bin 0 -> 274 bytes
4 files changed, 30 insertions(+)
create mode 100644 tests/bgp-bgp_capabilities_print-oobr-1.out
create mode 100644 tests/bgp-bgp_capabilities_print-oobr-1.pcap
diff --git a/print-bgp.c b/print-bgp.c
index c82f1cc7d..1438915a4 100644
--- a/print-bgp.c
+++ b/print-bgp.c
@@ -2351,6 +2351,8 @@ bgp_capabilities_print(netdissect_options *ndo,
opt[i+5]));
break;
case BGP_CAPCODE_RESTART:
+ /* Restart Flags (4 bits), Restart Time in seconds (12 bits) */
+ ND_TCHECK_16BITS(opt + i + 2);
ND_PRINT((ndo, "\n\t\tRestart Flags: [%s], Restart Time %us",
((opt[i+2])&0x80) ? "R" : "none",
EXTRACT_16BITS(opt+i+2)&0xfff));
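Review bot: the added ND_TCHECK_16BITS(opt + i + 2) covers exactly the bytes the following ND_PRINT reads (opt[i+2] and the two bytes of EXTRACT_16BITS(opt+i+2)), so it stops the over-read past the end of the captured data, but it checks only against the capture buffer, not against this capability's own advertised length; if the code before the switch does not already require a BGP_CAPCODE_RESTART capability to carry at least 2 bytes, a shorter capability would still print bytes belonging to whatever follows it, so either validate the capability length in this case or confirm that it is enforced earlier. ND_TCHECK_16BITS leaves the function through its trunc label on failure, so confirm bgp_capabilities_print has that label and that the tests/bgp-bgp_capabilities_print-oobr-1.out file added in this commit records the truncated output rather than garbage. Minor style point: the new line spells the pointer as `opt + i + 2` while the adjacent lines use `opt+i+2`; match the surrounding spacing.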