File tcpdump-CVE-2018-14466.patch of Package tcpdump.19046
From c24922e692a52121e853a84ead6b9337f4c08a94 Mon Sep 17 00:00:00 2001
From: Denis Ovsienko <denis@ovsienko.info>
Date: Tue, 19 Sep 2017 13:33:55 +0100
Subject: [PATCH] (for 4.9.3) CVE-2018-14466/Rx: fix an over-read bug
In rx_cache_insert() and rx_cache_find() properly read the serviceId
field of the rx_header structure as a 16-bit integer. When those
functions tried to read 32 bits the extra 16 bits could be outside of
the bounds checked in rx_print() for the rx_header structure, as
serviceId is the last field in that structure.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s).
---
print-rx.c | 4 ++--
tests/TESTLIST | 1 +
tests/rx_serviceid_oobr.out | 3 +++
tests/rx_serviceid_oobr.pcap | Bin 0 -> 2759 bytes
4 files changed, 6 insertions(+), 2 deletions(-)
create mode 100644 tests/rx_serviceid_oobr.out
create mode 100644 tests/rx_serviceid_oobr.pcap
diff --git a/print-rx.c b/print-rx.c
index 0d3cd3759..bf2af0cb7 100644
--- a/print-rx.c
+++ b/print-rx.c
@@ -694,7 +694,7 @@ rx_cache_insert(netdissect_options *ndo,
UNALIGNED_MEMCPY(&rxent->client, &ip->ip_src, sizeof(uint32_t));
UNALIGNED_MEMCPY(&rxent->server, &ip->ip_dst, sizeof(uint32_t));
rxent->dport = dport;
- rxent->serviceId = EXTRACT_32BITS(&rxh->serviceId);
+ rxent->serviceId = EXTRACT_16BITS(&rxh->serviceId);
rxent->opcode = EXTRACT_32BITS(bp + sizeof(struct rx_header));
}
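Review bot: The read at `rxent->serviceId = EXTRACT_16BITS(&rxh->serviceId);` stays in bounds only because of a length check performed elsewhere (the commit message attributes it to rx_print()), and nothing at this line records that dependency; a short comment would keep a later edit from widening the read again, e.g. `/* serviceId is the last field of rx_header and is 16 bits wide; the caller has verified the whole header is captured */`. The same comment applies to the comparison in the rx_cache_find hunk below. The extracted width now matches the header field, but whether the cache entry's own serviceId member is 16 bits wide (so the equality test in rx_cache_find is exact rather than a truncated compare) is not visible here and is worth confirming against the rx_cache_entry definition. The following line reads 32 bits starting at `bp + sizeof(struct rx_header)`, i.e. beyond the header; whether the caller's check also covers those four bytes cannot be seen from this hunk. rx_cache_insert's body begins before the hunk.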
@@ -725,7 +725,7 @@ rx_cache_find(const struct rx_header *rxh, const struct ip *ip, int sport,
if (rxent->callnum == EXTRACT_32BITS(&rxh->callNumber) &&
rxent->client.s_addr == clip &&
rxent->server.s_addr == sip &&
- rxent->serviceId == EXTRACT_32BITS(&rxh->serviceId) &&
+ rxent->serviceId == EXTRACT_16BITS(&rxh->serviceId) &&
rxent->dport == sport) {
/* We got a match! */