File tcpdump-CVE-2018-14882.patch of Package tcpdump.22834
From d7505276842e85bfd067fa21cdb32b8a2dc3c5e4 Mon Sep 17 00:00:00 2001
From: Francois-Xavier Le Bail <devel.fx.lebail@orange.fr>
Date: Fri, 3 Nov 2017 16:32:30 +0100
Subject: [PATCH] (for 4.9.3) CVE-2018-14882/ICMP6 RPL: Add a missing bounds
check
Moreover:
Add and use *_tstr[] strings.
Update four tests outputs accordingly.
Fix a space.
Wang Junjie of 360 ESG Codesafe Team had independently identified this
vulnerability in 2018 by means of fuzzing and provided the packet capture
file for the test.
---
print-icmp6.c | 29 +++++++++++++++++------------
tests/TESTLIST | 1 +
tests/icmp6_mobileprefix_asan.out | 2 +-
tests/icmp6_nodeinfo_oobr.out | 2 +-
tests/rpl-19-pickdag.out | 2 +-
tests/rpl-19-pickdagvvv.out | 2 +-
tests/rpl-dao-oobr.out | 1 +
tests/rpl-dao-oobr.pcapng | Bin 0 -> 264 bytes
8 files changed, 23 insertions(+), 16 deletions(-)
create mode 100644 tests/rpl-dao-oobr.out
create mode 100644 tests/rpl-dao-oobr.pcapng
Index: tcpdump-4.9.2/print-icmp6.c
===================================================================
--- tcpdump-4.9.2.orig/print-icmp6.c
+++ tcpdump-4.9.2/print-icmp6.c
@@ -41,6 +41,10 @@
#include "udp.h"
#include "ah.h"
+static const char icmp6_tstr[] = "[|icmp6]";
+static const char rpl_tstr[] = " [|rpl]";
+static const char mldv2_tstr[] = " [|mldv2]";
+
/* NetBSD: icmp6.h,v 1.13 2000/08/03 16:30:37 itojun Exp */
/* $KAME: icmp6.h,v 1.22 2000/08/03 15:25:16 jinmei Exp $ */
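Review bot: The three truncation strings are added without a comment and are not uniform: `rpl_tstr` and `mldv2_tstr` start with a space, `icmp6_tstr` does not. In the mldv2_report_print and mldv2_query_print hunks the replaced literal was `"[|icmp6]"` with no leading space, so those paths change both the tag and the spacing of the output. A one-line comment above the declarations would record that this is intended, for example `/* truncation markers; the rpl and mldv2 variants carry their own leading separator */`. Scripts or detection rules that match the old markers (` [|truncated]`, ` [|dao-truncated]`, `[ndp opt]`) in tcpdump output will stop matching after this patch and need to be updated with it.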
@@ -686,7 +690,7 @@ rpl_dio_printopt(netdissect_options *ndo
}
return;
trunc:
- ND_PRINT((ndo," [|truncated]"));
+ ND_PRINT((ndo, "%s", rpl_tstr));
return;
}
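Review bot: The bounds check named in the subject does not appear in any print-icmp6.c hunk shown here. This hunk and the rpl_dio_print, rpl_dao_print and rpl_daoack_print hunks each replace one line with one line and change only the string printed at `trunc:`. The diffstat reports 29 changed lines for the file, while the visible hunks account for 28 (16 added, 12 removed), and every hunk header has equal old and new counts. The added check may therefore have been lost when the patch was refreshed against 4.9.2, or it may already be in the base through another patch; neither can be confirmed from this page. Compare the patched rpl_dio_printopt and rpl_dao_print against upstream commit d7505276842e85bfd067fa21cdb32b8a2dc3c5e4, and confirm that tests/rpl-dao-oobr.pcapng runs clean under a sanitizer build, before treating this as the CVE-2018-14882 fix. The function body starts outside the hunk.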
@@ -715,7 +719,7 @@ rpl_dio_print(netdissect_options *ndo,
}
return;
trunc:
- ND_PRINT((ndo," [|truncated]"));
+ ND_PRINT((ndo, "%s", rpl_tstr));
return;
}
@@ -756,7 +760,7 @@ rpl_dao_print(netdissect_options *ndo,
return;
trunc:
- ND_PRINT((ndo," [|truncated]"));
+ ND_PRINT((ndo, "%s", rpl_tstr));
return;
tooshort:
@@ -800,7 +804,7 @@ rpl_daoack_print(netdissect_options *ndo
return;
trunc:
- ND_PRINT((ndo," [|dao-truncated]"));
+ ND_PRINT((ndo, "%s", rpl_tstr));
return;
tooshort:
@@ -859,7 +863,7 @@ rpl_print(netdissect_options *ndo,
#if 0
trunc:
- ND_PRINT((ndo," [|truncated]"));
+ ND_PRINT((ndo, "%s", rpl_tstr));
return;
#endif
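Review bot: The edited `trunc:` label sits between `#if 0` and `#endif`, so this line is never compiled and the change has no effect on rpl_print's behaviour. Keeping dead code in step with live code invites the reading that rpl_print has its own truncation path, which the lines shown do not support. Either remove the disabled block or say why it stays, for example `/* trunc: disabled, rpl_print performs no ND_TCHECK of its own */`. The rest of rpl_print is outside the hunk, so whether all bounds checking is left to the callees should be verified before adding that comment.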
@@ -1157,7 +1161,7 @@ icmp6_print(netdissect_options *ndo,
ND_PRINT((ndo,", length %u", length));
return;
trunc:
- ND_PRINT((ndo, "[|icmp6]"));
+ ND_PRINT((ndo, "%s", icmp6_tstr));
}
static const struct udphdr *
@@ -1381,8 +1385,8 @@ icmp6_opt_print(netdissect_options *ndo,
}
return;
- trunc:
- ND_PRINT((ndo, "[ndp opt]"));
+trunc:
+ ND_PRINT((ndo, "%s", icmp6_tstr));
return;
#undef ECHECK
}
@@ -1457,7 +1461,7 @@ mldv2_report_print(netdissect_options *n
}
return;
trunc:
- ND_PRINT((ndo,"[|icmp6]"));
+ ND_PRINT((ndo, "%s", mldv2_tstr));
return;
}
@@ -1523,7 +1527,7 @@ mldv2_query_print(netdissect_options *nd
ND_PRINT((ndo,"]"));
return;
trunc:
- ND_PRINT((ndo,"[|icmp6]"));
+ ND_PRINT((ndo, "%s", mldv2_tstr));
return;
}
@@ -1810,7 +1814,7 @@ icmp6_nodeinfo_print(netdissect_options
return;
trunc:
- ND_PRINT((ndo, "[|icmp6]"));
+ ND_PRINT((ndo, "%s", icmp6_tstr));
}
static void
@@ -1945,7 +1949,7 @@ icmp6_rrenum_print(netdissect_options *n
return;
trunc:
- ND_PRINT((ndo,"[|icmp6]"));
+ ND_PRINT((ndo, "%s", icmp6_tstr));
}
/*