File libpcap-CVE-2019-15165.patch of Package libpcap.12847
From 87d6bef033062f969e70fa40c43dfd945d5a20ab Mon Sep 17 00:00:00 2001
From: Michael Richardson <mcr@sandelman.ca>
Date: Fri, 20 Sep 2019 11:02:00 -0400
Subject: [PATCH] do sanity checks on PHB header length before allocating
memory. There was no fault; but doing the check results in a more consistent
error
---
sf-pcapng.c | 26 ++++++++++----------------
1 file changed, 10 insertions(+), 16 deletions(-)
Index: libpcap-1.8.1/sf-pcap-ng.c
===================================================================
--- libpcap-1.8.1.orig/sf-pcap-ng.c
+++ libpcap-1.8.1/sf-pcap-ng.c
@@ -102,7 +102,7 @@ struct option_header {
* Section Header Block.
*/
#define BT_SHB 0x0A0D0D0A
-
+#define BT_SHB_INSANE_MAX 1024U*1024U*1U /* 1MB should be enough */
struct section_header_block {
bpf_u_int32 byte_order_magic;
u_short major_version;
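Review bot: The replacement list of `BT_SHB_INSANE_MAX` is not parenthesised, so it only evaluates to 1 MiB where the neighbouring operator binds more loosely than `*`. An expression such as `len / BT_SHB_INSANE_MAX` or `len % BT_SHB_INSANE_MAX` would silently compute a different value. Because this constant is the upper bound applied to a length read from the capture file, it should be robust against later reuse: `#define BT_SHB_INSANE_MAX (1024U*1024U*1U) /* upper bound on SHB total_length: 1 MiB */`. The hunk also removes the blank line that separated the `BT_SHB` definition from `struct section_header_block`, which is worth keeping.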
@@ -247,7 +247,7 @@ read_bytes(FILE *fp, void *buf, size_t b
if (amt_read == 0 && !fail_on_eof)
return (0); /* EOF */
pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
- "truncated dump file; tried to read %lu bytes, only got %lu",
+ "truncated pcapng dump file; tried to read %zu bytes, only got %zu",
(unsigned long)bytes_to_read,
(unsigned long)amt_read);
}
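Review bot: The new format string uses `%zu`, but both arguments on the following lines are still cast to `(unsigned long)`, so the conversion specifiers no longer match the argument types. That is undefined behaviour, and on targets where `size_t` is wider than `unsigned long` the message can print garbage. Either keep `%lu` with the existing casts, `"truncated pcapng dump file; tried to read %lu bytes, only got %lu",`, or keep `%zu` and pass `bytes_to_read, amt_read);` without casts. The second option assumes `amt_read` is a `size_t`; its declaration is outside the hunk. `%zu` also depends on the C runtime behind `pcap_snprintf` supporting it, which is worth confirming for the older Windows toolchains this tree may target.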
@@ -798,11 +798,13 @@ pcap_ng_check_header(bpf_u_int32 magic,
/*
* Check the sanity of the total length.
*/
- if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) {
+ if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer) ||
+ (total_length > BT_SHB_INSANE_MAX)) {
pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
- "Section Header Block in pcap-ng dump file has a length of %u < %lu",
- total_length,
- (unsigned long)(sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)));
+ "Section Header Block in pcapng dump file has invalid length %zu < _%u_ < %u (BT_SHB_INSANE_MAX)",
+ sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer),
+ total_length,
+ BT_SHB_INSANE_MAX);
*err = 1;
return (NULL);
}
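Review bot: The single message `"... invalid length %zu < _%u_ < %u (BT_SHB_INSANE_MAX)"` now serves both rejection paths, and it reads as an inequality that holds even though the check fired because it did not. Someone triaging a malformed capture cannot tell from the wording whether the length was too small or too large. State the value first and the accepted range after it, for example `"Section Header Block in pcapng dump file has invalid length %u (must be between %zu and %u)"`, with the arguments reordered to `total_length`, the `sizeof` sum, then `BT_SHB_INSANE_MAX`. A one-line comment above the condition, such as `/* reject oversized lengths before total_length is used to size the block buffer */`, would record why the cap exists. The allocation it protects lies outside this hunk, so confirm that any later buffer growth driven by file-supplied block lengths has a comparable bound.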