File tcpdump-CVE-2018-14881.patch of Package tcpdump.17077

From 86326e880d31b328a151d45348c35220baa9a1ff Mon Sep 17 00:00:00 2001
From: Francois-Xavier Le Bail <devel.fx.lebail@orange.fr>
Date: Sun, 8 Oct 2017 13:38:50 +0200
Subject: [PATCH] (for 4.9.3) CVE-2018-14881/BGP: Fix BGP_CAPCODE_RESTART.

Add a bounds check and a comment to bgp_capabilities_print().

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
---
 print-bgp.c                                  |   2 ++
 tests/TESTLIST                               |   1 +
 tests/bgp-bgp_capabilities_print-oobr-1.out  |  27 +++++++++++++++++++
 tests/bgp-bgp_capabilities_print-oobr-1.pcap | Bin 0 -> 274 bytes
 4 files changed, 30 insertions(+)
 create mode 100644 tests/bgp-bgp_capabilities_print-oobr-1.out
 create mode 100644 tests/bgp-bgp_capabilities_print-oobr-1.pcap

diff --git a/print-bgp.c b/print-bgp.c
index c82f1cc7d..1438915a4 100644
--- a/print-bgp.c
+++ b/print-bgp.c
@@ -2351,6 +2351,8 @@ bgp_capabilities_print(netdissect_options *ndo,
                            opt[i+5]));
                     break;
                 case BGP_CAPCODE_RESTART:
+                    /* Restart Flags (4 bits), Restart Time in seconds (12 bits) */
+                    ND_TCHECK_16BITS(opt + i + 2);
                     ND_PRINT((ndo, "\n\t\tRestart Flags: [%s], Restart Time %us",
                            ((opt[i+2])&0x80) ? "R" : "none",
                            EXTRACT_16BITS(opt+i+2)&0xfff));