File tcpdump-CVE-2018-14880.patch of Package tcpdump.19046
From e01c9bf76740802025c9328901b55ee4a0c49ed6 Mon Sep 17 00:00:00 2001
From: Francois-Xavier Le Bail <devel.fx.lebail@orange.fr>
Date: Sat, 4 Nov 2017 16:06:33 +0100
Subject: [PATCH] (for 4.9.3) CVE-2018-14880/OSPFv3: Fix a bounds check

Need to test bounds check for the last field of the structure lsa6_hdr.
No need to test other fields.

Include Security working under the Mozilla SOS program had independently
identified this vulnerability in 2018 by means of code audit.

Wang Junjie of 360 ESG Codesafe Team had independently identified this
vulnerability in 2018 by means of fuzzing and provided the packet capture
file for the test.
---
 print-ospf6.c                       |   3 +-
 tests/TESTLIST                      |   3 ++
 tests/ospf6_print_lshdr-oobr.out    |  59 ++++++++++++++++++++++++++++
 tests/ospf6_print_lshdr-oobr.pcapng | Bin 0 -> 5492 bytes
 4 files changed, 63 insertions(+), 2 deletions(-)
 create mode 100644 tests/ospf6_print_lshdr-oobr.out
 create mode 100644 tests/ospf6_print_lshdr-oobr.pcapng
diff --git a/print-ospf6.c b/print-ospf6.c
index a5ac30517..66ab2f75f 100644
--- a/print-ospf6.c
+++ b/print-ospf6.c
@@ -389,8 +389,7 @@ ospf6_print_lshdr(netdissect_options *ndo,
 {
 	if ((const u_char *)(lshp + 1) > dataend)
 		goto trunc;
-	ND_TCHECK(lshp->ls_type);
-	ND_TCHECK(lshp->ls_seq);
+	ND_TCHECK(lshp->ls_length);	/* last field of struct lsa6_hdr */
 
 	ND_PRINT((ndo, "\n\t  Advertising Router %s, seq 0x%08x, age %us, length %u",
                ipaddr_string(ndo, &lshp->ls_router),
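Review bot: the single ND_TCHECK(lshp->ls_length) in ospf6_print_lshdr() protects the whole header only while ls_length remains the last member of struct lsa6_hdr, and nothing but the trailing comment records that dependency. Checking the structure as a whole, for example ND_TCHECK(*lshp), would express the intent directly and keep the captured-length check correct if the field order ever changes, since the ND_PRINT that follows reads ls_router along with the seq, age and length values. If the per-field form is kept, a short comment above the check explaining that it complements the preceding (lshp + 1) > dataend test rather than duplicating it would help the next reader see why both are needed.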