tcpdump: add 3 security patches

Fixes:
CVE-2014-8767 - denial of service in verbose mode using malformed OLSR
payload
OLSR payload
CVE-2014-8768 - denial of service in verbose mode using malformed Geonet
payload
CVE-2014-8769 - unreliable output using malformed AOVD payload

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Gustavo Zacarias 2014-11-28 07:25:45 -03:00 committed by Peter Korsgaard
parent 6045904752
commit 489848b1fa
3 changed files with 58 additions and 0 deletions

View File

@ -0,0 +1,20 @@
From https://bugzilla.redhat.com/show_bug.cgi?id=1165160
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
--- tcpdump-tcpdump-4.6/print-olsr.c 2014-10-23 14:07:12.000000000 +0700
+++ tcpdump-4.6.2/print-olsr.c 2014-11-21 14:56:18.205542679 +0700
@@ -234,6 +234,13 @@
ND_PRINT((ndo, "\n\t neighbor\n\t\t"));
neighbor = 1;
+ u_int caplength;
+
+ /* Checking length of available data before print */
+ caplength = (ndo->ndo_snapend >= msg_data) ? ndo->ndo_snapend - msg_data : 0;
+ if (hello_len > caplength)
+ hello_len = caplength;
+
while (hello_len >= sizeof(struct in_addr)) {
/* print 4 neighbors per line */

View File

@ -0,0 +1,19 @@
From https://bugzilla.redhat.com/show_bug.cgi?id=1165161
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
--- tcpdump-tcpdump_4.5/print-geonet.c 2014-02-17 05:58:41.000000000 +0700
+++ print-geonet.c 2014-11-21 10:06:58.590217933 +0700
@@ -237,6 +237,12 @@
printf("Malformed (small) ");
}
+ /* Checking length before print */
+ u_int caplength;
+ caplength = (ndo->ndo_snapend >= bp) ? ndo->ndo_snapend - bp : 0;
+ if (length > caplength)
+ length = caplength;
+
/* Print user data part */
if (ndo->ndo_vflag)
default_print(bp, length);

View File

@ -0,0 +1,19 @@
From https://bugzilla.redhat.com/show_bug.cgi?id=1165162
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
--- tcpdump-tcpdump-4.6/print-udp.c 2014-11-21 13:53:05.757690197 +0700
+++ tcpdump-4.6.2/print-udp.c 2014-11-21 13:50:58.077695164 +0700
@@ -357,6 +357,12 @@
#ifdef INET6
register const struct ip6_hdr *ip6;
#endif
+ u_int caplength;
+
+ /* Checking length of available data before print */
+ caplength = (ndo->ndo_snapend >= bp) ? ndo->ndo_snapend - bp : 0;
+ if (length > caplength)
+ length = caplength;
if (ep > ndo->ndo_snapend)
ep = ndo->ndo_snapend;