File tcpdump-CVE-2019-15166.patch of Package tcpdump.19046
From 0b661e0aa61850234b64394585cf577aac570bf4 Mon Sep 17 00:00:00 2001
From: Francois-Xavier Le Bail <devel.fx.lebail@orange.fr>
Date: Tue, 17 Oct 2017 22:40:13 +0200
Subject: [PATCH] (for 4.9.3) LMP: Add some missing bounds checks
In lmp_print_data_link_subobjs(), these problems were identified
through code review.
Moreover:
Add and use tstr[].
Update two test outputs accordingly.
---
print-lmp.c | 9 ++++++++-
tests/lmp-lmp_print_data_link_subobjs-oobr.out | 6 ++----
tests/lmpv1_busyloop.out | 3 +--
3 files changed, 11 insertions(+), 7 deletions(-)
Index: tcpdump-4.9.2/print-lmp.c
===================================================================
--- tcpdump-4.9.2.orig/print-lmp.c
+++ tcpdump-4.9.2/print-lmp.c
@@ -31,6 +31,8 @@
#include "addrtoname.h"
#include "gmpls.h"
+static const char tstr[] = " [|LMP]";
+
/*
* LMP common header
*
@@ -367,6 +369,7 @@ lmp_print_data_link_subobjs(netdissect_o
} bw;
while (total_subobj_len > 0 && hexdump == FALSE ) {
+ ND_TCHECK_16BITS(obj_tptr + offset);
subobj_type = EXTRACT_8BITS(obj_tptr+offset);
subobj_len = EXTRACT_8BITS(obj_tptr+offset+1);
ND_PRINT((ndo, "\n\t Subobject, Type: %s (%u), Length: %u",
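Review bot: The new ND_TCHECK_16BITS at the top of the loop bounds the two header bytes against the captured data, but subobj_len, read on the following line, is not validated here against a minimum of 2 (its own header) or against the remaining total_subobj_len; how the loop advances on a length of 0 or 1 is outside this hunk, as is the rest of lmp_print_data_link_subobjs, so this is something to confirm rather than a defect I can point to. The test name lmpv1_busyloop in the diffstat suggests the zero-length case has been handled elsewhere. A one-line comment would make the check's intent clear to the next reader: `ND_TCHECK_16BITS(obj_tptr + offset); /* subobject header: type (1) + length (1) */`.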
@@ -389,25 +392,29 @@ lmp_print_data_link_subobjs(netdissect_o
}
switch(subobj_type) {
case INT_SWITCHING_TYPE_SUBOBJ:
+ ND_TCHECK_8BITS(obj_tptr + offset + 2);
ND_PRINT((ndo, "\n\t Switching Type: %s (%u)",
tok2str(gmpls_switch_cap_values,
"Unknown",
EXTRACT_8BITS(obj_tptr+offset+2)),
- EXTRACT_8BITS(obj_tptr+offset+2)));
+ EXTRACT_8BITS(obj_tptr+offset+2)));
+ ND_TCHECK_8BITS(obj_tptr + offset + 3);
ND_PRINT((ndo, "\n\t Encoding Type: %s (%u)",
tok2str(gmpls_encoding_values,
"Unknown",
EXTRACT_8BITS(obj_tptr+offset+3)),
- EXTRACT_8BITS(obj_tptr+offset+3)));
+ EXTRACT_8BITS(obj_tptr+offset+3)));
ND_TCHECK_32BITS(obj_tptr + offset + 4);
bw.i = EXTRACT_32BITS(obj_tptr+offset+4);
ND_PRINT((ndo, "\n\t Min Reservable Bandwidth: %.3f Mbps",
bw.f*8/1000000));
+ ND_TCHECK_32BITS(obj_tptr + offset + 8);
bw.i = EXTRACT_32BITS(obj_tptr+offset+8);
ND_PRINT((ndo, "\n\t Max Reservable Bandwidth: %.3f Mbps",
bw.f*8/1000000));
break;
case WAVELENGTH_SUBOBJ:
+ ND_TCHECK_32BITS(obj_tptr + offset + 4);
ND_PRINT((ndo, "\n\t Wavelength: %u",
EXTRACT_32BITS(obj_tptr+offset+4)));
break;
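Review bot: The ND_TCHECK_8BITS/ND_TCHECK_32BITS guards added in the INT_SWITCHING_TYPE_SUBOBJ and WAVELENGTH_SUBOBJ cases protect against reading past the captured packet, but nothing in the hunk ties the reads at offset+2 through offset+8 to the subobject's own declared length: the switching-type layout needs subobj_len >= 12 and the wavelength layout subobj_len >= 8, and a shorter declared length would decode the next subobject's bytes as bandwidth or wavelength (inside the capture, so no over-read, but wrong output). Unless that is enforced in the lines between the loop header and the switch, which are not in this hunk, a check before the first read along the lines of `if (subobj_len < 12) { ND_PRINT((ndo, " (bogus subobject length)")); hexdump = TRUE; break; }` would reuse the hexdump bail-out already visible in the loop condition. Separately, the `-`/`+` pairs on the two `EXTRACT_8BITS(obj_tptr+offset+2)));` and `EXTRACT_8BITS(obj_tptr+offset+3)));` lines appear to differ only in whitespace; keeping re-alignment out of a bounds-check patch makes the security-relevant lines easier to pick out when backporting.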
@@ -1141,7 +1148,7 @@ lmp_print(netdissect_options *ndo,
}
return;
trunc:
- ND_PRINT((ndo, "\n\t\t packet exceeded snapshot"));
+ ND_PRINT((ndo, "%s", tstr));
}
/*
* Local Variables:
Index: tcpdump-4.9.2/tests/lmpv1_busyloop.out
===================================================================
--- tcpdump-4.9.2.orig/tests/lmpv1_busyloop.out
+++ tcpdump-4.9.2/tests/lmpv1_busyloop.out
@@ -38,5 +38,4 @@
0x01d0: 0200 0200 0002 0002 0000 0200 0200 0002
0x01e0: 0002 0000 0200 0200 0002 0002 0000 0200
0x01f0: 0200 0002 0002 0000 0200 0200 0002 0002
- Unknown Object (0), Class-Type: Unknown (0) Flags: [non-negotiable], length: 512
- packet exceeded snapshot
+ Unknown Object (0), Class-Type: Unknown (0) Flags: [non-negotiable], length: 512 [|LMP]