authorEd Maste <emaste@FreeBSD.org>2017-12-06 02:21:11 +0000
committerEd Maste <emaste@FreeBSD.org>2017-12-06 02:21:11 +0000
commit0bff6a5af8cb6d8e5123f8b667df78cac885dbb7 (patch)
tree6e66d6c0f99416541ca1c9ccf6150fef28fca367 /contrib/tcpdump/print-chdlc.c
parent823cdec7bb72a1b2cafac467c2e1ff9a004dc4fc (diff)
parent4533b6d8a9b95fc043b72b3656b98e79ac839041 (diff)
Update tcpdump to 4.9.2
It contains many fixes, including bounds checking, buffer overflows (in SLIP and bittok2str_internal), buffer over-reads, and infinite loops. One other notable change: Do not use getprotobynumber() for protocol name resolution. Do not do any protocol name resolution if -n is specified. Submitted by: gordon Reviewed by: delphij, emaste, glebius MFC after: 1 week Relnotes: Yes Security: CVE-2017-11108, CVE-2017-11541, CVE-2017-11542 Security: CVE-2017-11543, CVE-2017-12893, CVE-2017-12894 Security: CVE-2017-12895, CVE-2017-12896, CVE-2017-12897 Security: CVE-2017-12898, CVE-2017-12899, CVE-2017-12900 Security: CVE-2017-12901, CVE-2017-12902, CVE-2017-12985 Security: CVE-2017-12986, CVE-2017-12987, CVE-2017-12988 Security: CVE-2017-12989, CVE-2017-12990, CVE-2017-12991 Security: CVE-2017-12992, CVE-2017-12993, CVE-2017-12994 Security: CVE-2017-12995, CVE-2017-12996, CVE-2017-12997 Security: CVE-2017-12998, CVE-2017-12999, CVE-2017-13000 Security: CVE-2017-13001, CVE-2017-13002, CVE-2017-13003 Security: CVE-2017-13004, CVE-2017-13005, CVE-2017-13006 Security: CVE-2017-13007, CVE-2017-13008, CVE-2017-13009 Security: CVE-2017-13010, CVE-2017-13011, CVE-2017-13012 Security: CVE-2017-13013, CVE-2017-13014, CVE-2017-13015 Security: CVE-2017-13016, CVE-2017-13017, CVE-2017-13018 Security: CVE-2017-13019, CVE-2017-13020, CVE-2017-13021 Security: CVE-2017-13022, CVE-2017-13023, CVE-2017-13024 Security: CVE-2017-13025, CVE-2017-13026, CVE-2017-13027 Security: CVE-2017-13028, CVE-2017-13029, CVE-2017-13030 Security: CVE-2017-13031, CVE-2017-13032, CVE-2017-13033 Security: CVE-2017-13034, CVE-2017-13035, CVE-2017-13036 Security: CVE-2017-13037, CVE-2017-13038, CVE-2017-13039 Security: CVE-2017-13040, CVE-2017-13041, CVE-2017-13042 Security: CVE-2017-13043, CVE-2017-13044, CVE-2017-13045 Security: CVE-2017-13046, CVE-2017-13047, CVE-2017-13048 Security: CVE-2017-13049, CVE-2017-13050, CVE-2017-13051 Security: CVE-2017-13052, CVE-2017-13053, CVE-2017-13054 Security: CVE-2017-13055, 
CVE-2017-13687, CVE-2017-13688 Security: CVE-2017-13689, CVE-2017-13690, CVE-2017-13725 Differential Revision: https://reviews.freebsd.org/D12404
Notes
Notes: svn path=/head/; revision=326613
Diffstat (limited to 'contrib/tcpdump/print-chdlc.c')
-rw-r--r--contrib/tcpdump/print-chdlc.c24
1 files changed, 14 insertions, 10 deletions
diff --git a/contrib/tcpdump/print-chdlc.c b/contrib/tcpdump/print-chdlc.c
index 450d286848cb..24acfbd2e86c 100644
--- a/contrib/tcpdump/print-chdlc.c
+++ b/contrib/tcpdump/print-chdlc.c
@@ -46,21 +46,18 @@ static const struct tok chdlc_cast_values[] = {
u_int
chdlc_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h, register const u_char *p)
{
- register u_int length = h->len;
- register u_int caplen = h->caplen;
-
- if (caplen < CHDLC_HDRLEN) {
- ND_PRINT((ndo, "[|chdlc]"));
- return (caplen);
- }
- return (chdlc_print(ndo, p,length));
+ return chdlc_print(ndo, p, h->len);
}
u_int
chdlc_print(netdissect_options *ndo, register const u_char *p, u_int length)
{
u_int proto;
+ const u_char *bp = p;
+ if (length < CHDLC_HDRLEN)
+ goto trunc;
+ ND_TCHECK2(*p, CHDLC_HDRLEN);
proto = EXTRACT_16BITS(&p[2]);
if (ndo->ndo_eflag) {
ND_PRINT((ndo, "%s, ethertype %s (0x%04x), length %u: ",
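Review bot: The new `if (length < CHDLC_HDRLEN) goto trunc;` in chdlc_print tests the on-wire length, yet it shares the `[|chdlc]` output with the ND_TCHECK2 capture check, so a frame that is short on the wire is reported as if the snapshot had cut it. The same holds for `if (length < 2) goto trunc;` in the ETHERTYPE_ISO case further down. A comment above the check such as `/* on-wire length shorter than the cHDLC header: reported via the truncation path */` would record that this is deliberate. `bp` also deserves `/* start of the header, kept for the return value at trunc: */`, since nothing in the hunk shows why a second pointer is needed. The body of chdlc_print continues outside the hunk.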
@@ -94,12 +91,15 @@ chdlc_print(netdissect_options *ndo, register const u_char *p, u_int length)
break;
case ETHERTYPE_ISO:
/* is the fudge byte set ? lets verify by spotting ISO headers */
+ if (length < 2)
+ goto trunc;
+ ND_TCHECK_16BITS(p);
if (*(p+1) == 0x81 ||
*(p+1) == 0x82 ||
*(p+1) == 0x83)
- isoclns_print(ndo, p + 1, length - 1, ndo->ndo_snapend - p - 1);
+ isoclns_print(ndo, p + 1, length - 1);
else
- isoclns_print(ndo, p, length, ndo->ndo_snapend - p);
+ isoclns_print(ndo, p, length);
break;
default:
if (!ndo->ndo_eflag)
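Review bot: The `length < 2` guard in the ETHERTYPE_ISO case also rejects a one-byte payload that has no fudge byte, which the old code would have passed on to `isoclns_print(ndo, p, length)`. If that is intended, the constant should say so, for example `/* fudge byte plus the NLPID byte tested below */` on the line above the check. ND_TCHECK_16BITS(p) covers both `p[0]` and `p[1]`, so the three `*(p+1)` comparisons stay within the captured data. The switch statement starts and ends outside the hunk.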
@@ -108,6 +108,10 @@ chdlc_print(netdissect_options *ndo, register const u_char *p, u_int length)
}
return (CHDLC_HDRLEN);
+
+trunc:
+ ND_PRINT((ndo, "[|chdlc]"));
+ return ndo->ndo_snapend - bp;
}
/*
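Review bot: `return ndo->ndo_snapend - bp;` converts a pointer difference to the function's `u_int` return type implicitly, and it is only meaningful while `bp` is not past `ndo_snapend`. If a caller ever passed a pointer beyond the snapshot end, the result would wrap to a very large header length. When called from chdlc_if_print, `bp` is the packet start, so the value is the captured length, but other callers of chdlc_print are not visible here. I would make the conversion explicit and state the assumption: `return (u_int)(ndo->ndo_snapend - bp); /* bytes captured from the header start */`.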