File tcpdump-CVE-2018-14466.patch of Package tcpdump.19046

From c24922e692a52121e853a84ead6b9337f4c08a94 Mon Sep 17 00:00:00 2001
From: Denis Ovsienko <denis@ovsienko.info>
Date: Tue, 19 Sep 2017 13:33:55 +0100
Subject: [PATCH] (for 4.9.3) CVE-2018-14466/Rx: fix an over-read bug

In rx_cache_insert() and rx_cache_find() properly read the serviceId
field of the rx_header structure as a 16-bit integer. When those
functions tried to read 32 bits the extra 16 bits could be outside of
the bounds checked in rx_print() for the rx_header structure, as
serviceId is the last field in that structure.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
---
 print-rx.c                   |   4 ++--
 tests/TESTLIST               |   1 +
 tests/rx_serviceid_oobr.out  |   3 +++
 tests/rx_serviceid_oobr.pcap | Bin 0 -> 2759 bytes
 4 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 tests/rx_serviceid_oobr.out
 create mode 100644 tests/rx_serviceid_oobr.pcap

diff --git a/print-rx.c b/print-rx.c
index 0d3cd3759..bf2af0cb7 100644
--- a/print-rx.c
+++ b/print-rx.c
@@ -694,7 +694,7 @@ rx_cache_insert(netdissect_options *ndo,
 	UNALIGNED_MEMCPY(&rxent->client, &ip->ip_src, sizeof(uint32_t));
 	UNALIGNED_MEMCPY(&rxent->server, &ip->ip_dst, sizeof(uint32_t));
 	rxent->dport = dport;
-	rxent->serviceId = EXTRACT_32BITS(&rxh->serviceId);
+	rxent->serviceId = EXTRACT_16BITS(&rxh->serviceId);
 	rxent->opcode = EXTRACT_32BITS(bp + sizeof(struct rx_header));
 }
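Review bot: The 16-bit width now chosen at line 36 is dictated by the layout of struct rx_header, but nothing in rx_cache_insert records that, so a later maintainer reading only this function could "widen" the read back to 32 bits without noticing the over-read; add above the assignment `/* serviceId is the last field of rx_header and is 16 bits wide; reading 32 bits runs past the header bounds that rx_print() checked. */`, and the same comment at the comparison in the second hunk (rx_cache_find, line 45). The opcode read on the next line reaches 4 bytes past the end of rx_header, which this function does not check itself; if that relies on a bounds check in the caller, a one-line comment naming that precondition (e.g. `/* caller has verified 4 bytes past the header are captured */`) would make the contract visible here. rx_cache_insert's signature and the start of its body are outside the hunk, and rx_cache_find's body continues past the second hunk.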
 
@@ -725,7 +725,7 @@ rx_cache_find(const struct rx_header *rxh, const struct ip *ip, int sport,
 		if (rxent->callnum == EXTRACT_32BITS(&rxh->callNumber) &&
 		    rxent->client.s_addr == clip &&
 		    rxent->server.s_addr == sip &&
-		    rxent->serviceId == EXTRACT_32BITS(&rxh->serviceId) &&
+		    rxent->serviceId == EXTRACT_16BITS(&rxh->serviceId) &&
 		    rxent->dport == sport) {
 
 			/* We got a match! */