File tcpdump-CVE-2018-14468.patch of Package tcpdump.19046
From aa3e54f594385ce7e1e319b0c84999e51192578b Mon Sep 17 00:00:00 2001
From: Denis Ovsienko <denis@ovsienko.info>
Date: Fri, 1 Sep 2017 17:55:39 +0100
Subject: [PATCH] (for 4.9.3) CVE-2018-14468/FRF.16: Add a missing length
check.
The specification says in a well-formed Magic Number information element
the data is exactly 4 bytes long. In mfr_print() check this before trying
to read those 4 bytes.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s).
---
print-fr.c | 5 +++++
tests/TESTLIST | 1 +
tests/frf16_magic_ie-oobr.out | 2 ++
tests/frf16_magic_ie-oobr.pcap | Bin 0 -> 124 bytes
4 files changed, 8 insertions(+)
create mode 100644 tests/frf16_magic_ie-oobr.out
create mode 100644 tests/frf16_magic_ie-oobr.pcap
Index: tcpdump-4.9.2/print-fr.c
===================================================================
--- tcpdump-4.9.2.orig/print-fr.c
+++ tcpdump-4.9.2/print-fr.c
@@ -493,6 +493,11 @@ mfr_print(netdissect_options *ndo,
switch (ie_type) {
case MFR_CTRL_IE_MAGIC_NUM:
+ /* FRF.16.1 Section 3.4.3 Magic Number Information Element */
+ if (ie_len != 4) {
+ ND_PRINT((ndo, "(invalid length)"));
+ break;
+ }
ND_PRINT((ndo, "0x%08x", EXTRACT_32BITS(tptr)));
break;