File tcpdump-CVE-2019-15166.patch of Package tcpdump.19046

From 0b661e0aa61850234b64394585cf577aac570bf4 Mon Sep 17 00:00:00 2001
From: Francois-Xavier Le Bail <devel.fx.lebail@orange.fr>
Date: Tue, 17 Oct 2017 22:40:13 +0200
Subject: [PATCH] (for 4.9.3) LMP: Add some missing bounds checks

In lmp_print_data_link_subobjs(), these problems were identified
through code review.

Moreover:
Add and use tstr[].
Update two test outputs accordingly.
---
 print-lmp.c                                    | 9 ++++++++-
 tests/lmp-lmp_print_data_link_subobjs-oobr.out | 6 ++----
 tests/lmpv1_busyloop.out                       | 3 +--
 3 files changed, 11 insertions(+), 7 deletions(-)

Index: tcpdump-4.9.2/print-lmp.c
===================================================================
--- tcpdump-4.9.2.orig/print-lmp.c
+++ tcpdump-4.9.2/print-lmp.c
@@ -31,6 +31,8 @@
 #include "addrtoname.h"
 #include "gmpls.h"
 
+static const char tstr[] = " [|LMP]";
+
 /*
  * LMP common header
  *
@@ -367,6 +369,7 @@ lmp_print_data_link_subobjs(netdissect_o
     } bw;
 
     while (total_subobj_len > 0 && hexdump == FALSE ) {
+	ND_TCHECK_16BITS(obj_tptr + offset);
 	subobj_type = EXTRACT_8BITS(obj_tptr+offset);
 	subobj_len  = EXTRACT_8BITS(obj_tptr+offset+1);
 	ND_PRINT((ndo, "\n\t    Subobject, Type: %s (%u), Length: %u",
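Review bot: The added `ND_TCHECK_16BITS(obj_tptr + offset)` guards two separate one-byte fields, the subobject type at +0 and its length at +1, which is easy to misread as a check on a single 16-bit field. A short comment above it, such as `/* covers type (1 octet) + length (1 octet) */`, would make the intent clear. The rest of the loop in lmp_print_data_link_subobjs() lies outside this hunk, so how subobj_len is validated before it advances offset cannot be confirmed from here.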
@@ -389,25 +392,29 @@ lmp_print_data_link_subobjs(netdissect_o
 	}
 	switch(subobj_type) {
 	case INT_SWITCHING_TYPE_SUBOBJ:
+	    ND_TCHECK_8BITS(obj_tptr + offset + 2);
 	    ND_PRINT((ndo, "\n\t      Switching Type: %s (%u)",
 		tok2str(gmpls_switch_cap_values,
 			"Unknown",
 			EXTRACT_8BITS(obj_tptr+offset+2)),
-		EXTRACT_8BITS(obj_tptr+offset+2)));
+		        EXTRACT_8BITS(obj_tptr+offset+2)));
+	    ND_TCHECK_8BITS(obj_tptr + offset + 3);
 	    ND_PRINT((ndo, "\n\t      Encoding Type: %s (%u)",
 		tok2str(gmpls_encoding_values,
 			"Unknown",
 			EXTRACT_8BITS(obj_tptr+offset+3)),
-		EXTRACT_8BITS(obj_tptr+offset+3)));
+		        EXTRACT_8BITS(obj_tptr+offset+3)));
 	    ND_TCHECK_32BITS(obj_tptr + offset + 4);
 	    bw.i = EXTRACT_32BITS(obj_tptr+offset+4);
 	    ND_PRINT((ndo, "\n\t      Min Reservable Bandwidth: %.3f Mbps",
                 bw.f*8/1000000));
+	    ND_TCHECK_32BITS(obj_tptr + offset + 8);
 	    bw.i = EXTRACT_32BITS(obj_tptr+offset+8);
 	    ND_PRINT((ndo, "\n\t      Max Reservable Bandwidth: %.3f Mbps",
                 bw.f*8/1000000));
 	    break;
 	case WAVELENGTH_SUBOBJ:
+	    ND_TCHECK_32BITS(obj_tptr + offset + 4);
 	    ND_PRINT((ndo, "\n\t      Wavelength: %u",
 		EXTRACT_32BITS(obj_tptr+offset+4)));
 	    break;
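Review bot: The new ND_TCHECK_* calls in the INT_SWITCHING_TYPE_SUBOBJ and WAVELENGTH_SUBOBJ cases bound each read by the captured bytes only, not by the subobject's own declared length. If subobj_len is smaller than the 12 bytes the switching-type case decodes (8 for the wavelength case), the printed fields come from whatever follows the subobject, so the output is misattributed even though no read leaves the buffer. Unless the lines between the hunks already enforce a minimum, a guard at the top of each case would close this, e.g. `if (subobj_len < 12) { ND_PRINT((ndo, " (too short)")); break; }`. The function starts and ends outside this hunk, so any existing length validation is not visible here.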
@@ -1141,7 +1148,7 @@ lmp_print(netdissect_options *ndo,
     }
     return;
 trunc:
-    ND_PRINT((ndo, "\n\t\t packet exceeded snapshot"));
+    ND_PRINT((ndo, "%s", tstr));
 }
 /*
  * Local Variables:
Index: tcpdump-4.9.2/tests/lmpv1_busyloop.out
===================================================================
--- tcpdump-4.9.2.orig/tests/lmpv1_busyloop.out
+++ tcpdump-4.9.2/tests/lmpv1_busyloop.out
@@ -38,5 +38,4 @@
 	    0x01d0:  0200 0200 0002 0002 0000 0200 0200 0002
 	    0x01e0:  0002 0000 0200 0200 0002 0002 0000 0200
 	    0x01f0:  0200 0002 0002 0000 0200 0200 0002 0002
-	  Unknown Object (0), Class-Type: Unknown (0) Flags: [non-negotiable], length: 512
-		 packet exceeded snapshot
+	  Unknown Object (0), Class-Type: Unknown (0) Flags: [non-negotiable], length: 512 [|LMP]