File tcpdump-CVE-2018-14467.patch of Package tcpdump.15019

From e3f3b445e2d20ac5d5b7fcb7559ce6beb55da0c9 Mon Sep 17 00:00:00 2001
From: Francois-Xavier Le Bail <devel.fx.lebail@orange.fr>
Date: Sun, 8 Oct 2017 13:38:50 +0200
Subject: [PATCH] (for 4.9.3) CVE-2018-14467/BGP: Fix BGP_CAPCODE_MP.

Add a bounds check and a comment to bgp_capabilities_print().

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
---
 print-bgp.c                                  |   2 ++
 tests/TESTLIST                               |   1 +
 tests/bgp-bgp_capabilities_print-oobr-2.out  |  26 +++++++++++++++++++
 tests/bgp-bgp_capabilities_print-oobr-2.pcap | Bin 0 -> 274 bytes
 4 files changed, 29 insertions(+)
 create mode 100644 tests/bgp-bgp_capabilities_print-oobr-2.out
 create mode 100644 tests/bgp-bgp_capabilities_print-oobr-2.pcap

diff --git a/print-bgp.c b/print-bgp.c
index 1438915a4..71bb5a76e 100644
--- a/print-bgp.c
+++ b/print-bgp.c
@@ -2342,6 +2342,8 @@ bgp_capabilities_print(netdissect_options *ndo,
                 ND_TCHECK2(opt[i+2], cap_len);
                 switch (cap_type) {
                 case BGP_CAPCODE_MP:
+                    /* AFI (16 bits), Reserved (8 bits), SAFI (8 bits) */
+                    ND_TCHECK_8BITS(opt + i + 5);
                     ND_PRINT((ndo, "\n\t\tAFI %s (%u), SAFI %s (%u)",
                            tok2str(af_values, "Unknown",
                                       EXTRACT_16BITS(opt+i+2)),
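Review bot: a cap_len sanity check for the BGP_CAPCODE_MP case would make the intent explicit. ND_TCHECK2(opt[i+2], cap_len) only guards the cap_len bytes the capability declares, and the new comment documents a fixed 4-byte body (AFI 16 bits, Reserved 8 bits, SAFI 8 bits) read from opt+i+2 through opt+i+5; when a malformed capability declares cap_len < 4, that read runs past the declared body, and the added ND_TCHECK_8BITS(opt + i + 5) only ensures the SAFI byte lies inside the captured data (which, the buffer being contiguous, also covers the AFI and Reserved bytes before it). Consider additionally reporting cap_len != 4 for this capability, e.g. printing a "[length N != 4]" style diagnostic and skipping the case, so a truncated or inconsistent capability is flagged rather than silently parsed.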