Diffstat (limited to 'gnu/packages/patches/tcpdump-CVE-2017-11543.patch')
-rw-r--r--gnu/packages/patches/tcpdump-CVE-2017-11543.patch79
1 files changed, 79 insertions, 0 deletions
diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11543.patch b/gnu/packages/patches/tcpdump-CVE-2017-11543.patch
new file mode 100644
index 0000000000..c973503983
--- /dev/null
+++ b/gnu/packages/patches/tcpdump-CVE-2017-11543.patch
@@ -0,0 +1,79 @@
+Fix CVE-2017-11543:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11543
+
+Patch copied from upstream source repository:
+
+https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3
+
+From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001
+From: Guy Harris <guy@alum.mit.edu>
+Date: Fri, 17 Mar 2017 12:49:04 -0700
+Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is valid.
+
+Report if it's not, and don't use it as an out-of-bounds index into an
+array.
+
+This fixes a buffer overflow discovered by Wilfried Kirsch.
+
+Add a test using the capture file supplied by the reporter(s), modified
+so the capture file won't be rejected as an invalid capture.
+---
+ print-sl.c | 25 +++++++++++++++++++++++--
+ tests/TESTLIST | 3 +++
+ tests/slip-bad-direction.out | 1 +
+ tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes
+ 4 files changed, 27 insertions(+), 2 deletions(-)
+ create mode 100644 tests/slip-bad-direction.out
+ create mode 100644 tests/slip-bad-direction.pcap
+
+diff --git a/print-sl.c b/print-sl.c
+index 3fd7e898..a02077b3 100644
+--- a/print-sl.c
++++ b/print-sl.c
+@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo,
+ u_int hlen;
+
+ dir = p[SLX_DIR];
+- ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O "));
++ switch (dir) {
+
++ case SLIPDIR_IN:
++ ND_PRINT((ndo, "I "));
++ break;
++
++ case SLIPDIR_OUT:
++ ND_PRINT((ndo, "O "));
++ break;
++
++ default:
++ ND_PRINT((ndo, "Invalid direction %d ", dir));
++ dir = -1;
++ break;
++ }
+ if (ndo->ndo_nflag) {
+ /* XXX just dump the header */
+ register int i;
+@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo,
+ * has restored the IP header copy to IPPROTO_TCP.
+ */
+ lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p;
++ ND_PRINT((ndo, "utcp %d: ", lastconn));
++ if (dir == -1) {
++ /* Direction is bogus, don't use it */
++ return;
++ }
+ hlen = IP_HL(ip);
+ hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]);
+ lastlen[dir][lastconn] = length - (hlen << 2);
+- ND_PRINT((ndo, "utcp %d: ", lastconn));
+ break;
+
+ default:
++ if (dir == -1) {
++ /* Direction is bogus, don't use it */
++ return;
++ }
+ if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) {
+ compressed_sl_print(ndo, &p[SLX_CHDR], ip,
+ length, dir);
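Review bot: The embedded patch's own diffstat still lists tests/TESTLIST, tests/slip-bad-direction.out and tests/slip-bad-direction.pcap, but the 79 added lines carry only the print-sl.c hunks, so this file is not a verbatim copy of upstream commit 7039327875525278d17edee59720e29a3e76b7b3 as the preamble implies. I would say so in the preamble, e.g. `Patch copied from upstream source repository, with the test suite changes omitted:`, so that a later audit against the upstream commit does not read the difference as truncation or tampering. Separately, the new guard `if (dir == -1)` only works if `dir` is a signed type; its declaration is outside the hunk, so that is worth confirming against the tcpdump version being patched. The `TH_OFF(...)` read that follows the guard still uses an offset taken from the packet's IP header length, with no captured-length check visible in these lines. The rest of sliplink_print is outside the hunk, so that may be covered elsewhere.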