diff options
author | Ed Maste <emaste@FreeBSD.org> | 2017-12-06 02:21:11 +0000 |
---|---|---|
committer | Ed Maste <emaste@FreeBSD.org> | 2017-12-06 02:21:11 +0000 |
commit | 0bff6a5af8cb6d8e5123f8b667df78cac885dbb7 (patch) | |
tree | 6e66d6c0f99416541ca1c9ccf6150fef28fca367 /contrib/tcpdump/print-resp.c | |
parent | 823cdec7bb72a1b2cafac467c2e1ff9a004dc4fc (diff) | |
parent | 4533b6d8a9b95fc043b72b3656b98e79ac839041 (diff) | |
download | src-0bff6a5af8cb6d8e5123f8b667df78cac885dbb7.tar.gz src-0bff6a5af8cb6d8e5123f8b667df78cac885dbb7.zip |
Update tcpdump to 4.9.2
It contains many fixes, including bounds checking, buffer overflows (in
SLIP and bittok2str_internal), buffer over-reads, and infinite loops.
One other notable change:
Do not use getprotobynumber() for protocol name resolution.
Do not do any protocol name resolution if -n is specified.
Submitted by: gordon
Reviewed by: delphij, emaste, glebius
MFC after: 1 week
Relnotes: Yes
Security: CVE-2017-11108, CVE-2017-11541, CVE-2017-11542
Security: CVE-2017-11543, CVE-2017-12893, CVE-2017-12894
Security: CVE-2017-12895, CVE-2017-12896, CVE-2017-12897
Security: CVE-2017-12898, CVE-2017-12899, CVE-2017-12900
Security: CVE-2017-12901, CVE-2017-12902, CVE-2017-12985
Security: CVE-2017-12986, CVE-2017-12987, CVE-2017-12988
Security: CVE-2017-12989, CVE-2017-12990, CVE-2017-12991
Security: CVE-2017-12992, CVE-2017-12993, CVE-2017-12994
Security: CVE-2017-12995, CVE-2017-12996, CVE-2017-12997
Security: CVE-2017-12998, CVE-2017-12999, CVE-2017-13000
Security: CVE-2017-13001, CVE-2017-13002, CVE-2017-13003
Security: CVE-2017-13004, CVE-2017-13005, CVE-2017-13006
Security: CVE-2017-13007, CVE-2017-13008, CVE-2017-13009
Security: CVE-2017-13010, CVE-2017-13011, CVE-2017-13012
Security: CVE-2017-13013, CVE-2017-13014, CVE-2017-13015
Security: CVE-2017-13016, CVE-2017-13017, CVE-2017-13018
Security: CVE-2017-13019, CVE-2017-13020, CVE-2017-13021
Security: CVE-2017-13022, CVE-2017-13023, CVE-2017-13024
Security: CVE-2017-13025, CVE-2017-13026, CVE-2017-13027
Security: CVE-2017-13028, CVE-2017-13029, CVE-2017-13030
Security: CVE-2017-13031, CVE-2017-13032, CVE-2017-13033
Security: CVE-2017-13034, CVE-2017-13035, CVE-2017-13036
Security: CVE-2017-13037, CVE-2017-13038, CVE-2017-13039
Security: CVE-2017-13040, CVE-2017-13041, CVE-2017-13042
Security: CVE-2017-13043, CVE-2017-13044, CVE-2017-13045
Security: CVE-2017-13046, CVE-2017-13047, CVE-2017-13048
Security: CVE-2017-13049, CVE-2017-13050, CVE-2017-13051
Security: CVE-2017-13052, CVE-2017-13053, CVE-2017-13054
Security: CVE-2017-13055, CVE-2017-13687, CVE-2017-13688
Security: CVE-2017-13689, CVE-2017-13690, CVE-2017-13725
Differential Revision: https://reviews.freebsd.org/D12404
Notes
Notes:
svn path=/head/; revision=326613
Diffstat (limited to 'contrib/tcpdump/print-resp.c')
-rw-r--r-- | contrib/tcpdump/print-resp.c | 24 |
1 files changed, 14 insertions, 10 deletions
diff --git a/contrib/tcpdump/print-resp.c b/contrib/tcpdump/print-resp.c index 9d71e21dcec5..cc7212411377 100644 --- a/contrib/tcpdump/print-resp.c +++ b/contrib/tcpdump/print-resp.c @@ -481,8 +481,10 @@ resp_get_length(netdissect_options *ndo, register const u_char *bp, int len, con ND_TCHECK(*bp); c = *bp; if (!(c >= '0' && c <= '9')) { - if (!saw_digit) + if (!saw_digit) { + bp++; goto invalid; + } break; } c -= '0'; @@ -491,7 +493,7 @@ resp_get_length(netdissect_options *ndo, register const u_char *bp, int len, con too_large = 1; } else { result *= 10; - if (result == INT_MAX && c > (INT_MAX % 10)) { + if (result == ((INT_MAX / 10) * 10) && c > (INT_MAX % 10)) { /* This will overflow an int when we add c */ too_large = 1; } else @@ -501,24 +503,24 @@ resp_get_length(netdissect_options *ndo, register const u_char *bp, int len, con len--; saw_digit = 1; } - if (!saw_digit) - goto invalid; /* - * OK, the next thing should be \r\n. + * OK, we found a non-digit character. It should be a \r, followed + * by a \n. */ - if (len == 0) - goto trunc; - ND_TCHECK(*bp); - if (*bp != '\r') + if (*bp != '\r') { + bp++; goto invalid; + } bp++; len--; if (len == 0) goto trunc; ND_TCHECK(*bp); - if (*bp != '\n') + if (*bp != '\n') { + bp++; goto invalid; + } bp++; len--; *endp = bp; @@ -531,8 +533,10 @@ resp_get_length(netdissect_options *ndo, register const u_char *bp, int len, con return (too_large ? -3 : result); trunc: + *endp = bp; return (-2); invalid: + *endp = bp; return (-5); } |