Package: src:tcpdump
Version: 4.6.2-4
Tags: patch
Usertags: origin-ubuntu ubuntu-patch vivid
In Ubuntu, we've applied the attached patch to achieve the following:
* debian/patches/60_cve-2015-2153-fix-regression.diff:
- Fix regression due to 60_cve-2015-2153.diff
We thought you might be interested in doing the same.
Description: RPKI to Router Protocol: Fix Segmentation Faults and other problems.
- Fix/add ND_TCHECK2 tests,
- Fix a buffer overflow,
- Remove a debug printf
Origin: upstream, https://github.com/the-tcpdump-group/tcpdump/commit/fb6e5377f392555b8c725f66b8b701f0061a3695
diff -pruN -x '*~' tcpdump-4.6.2.orig/print-rpki-rtr.c tcpdump-4.6.2/print-rpki-rtr.c
--- tcpdump-4.6.2.orig/print-rpki-rtr.c 2015-03-22 12:55:55.349173971 +0100
+++ tcpdump-4.6.2/print-rpki-rtr.c 2015-03-22 12:49:56.987396951 +0100
@@ -178,7 +178,7 @@ rpki_rtr_pdu_print (netdissect_options *
pdu_header = (rpki_rtr_pdu *)tptr;
pdu_type = pdu_header-pdu_type;
pdu_len = EXTRACT_32BITS(pdu_header-length);
-ND_TCHECK2(tptr, pdu_len);
+ND_TCHECK2(*tptr, pdu_len);
hexdump = FALSE;
ND_PRINT((ndo, %sRPKI-RTRv%u, %s PDU (%u), length: %u,
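Review bot: In rpki_rtr_pdu_print the `pdu_type` and `length` fields are read from the packet before the corrected `ND_TCHECK2(*tptr, pdu_len)` runs, and nothing visible in this hunk confirms that the fixed header itself was captured. Unless an earlier line or the caller already guarantees it, a header-sized check belongs ahead of those reads: `ND_TCHECK2(*tptr, sizeof(rpki_rtr_pdu));`. The same ordering appears in the rpki_rtr_print hunk at `@@ -336,13`, where the check is moved up but still follows `EXTRACT_32BITS(pdu_header->length)`. The function body starts and ends outside this hunk.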
@@ -255,6 +255,7 @@ rpki_rtr_pdu_print (netdissect_options *
pdu = (rpki_rtr_pdu_error_report *)tptr;
encapsulated_pdu_length = EXTRACT_32BITS(pdu-encapsulated_pdu_length);
+ ND_TCHECK2(*tptr, encapsulated_pdu_length);
tlen = pdu_len;
error_code = EXTRACT_16BITS(pdu-pdu_header.u.error_code);
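Review bot: The added `ND_TCHECK2(*tptr, encapsulated_pdu_length)` is anchored at the start of the error-report PDU, not at the encapsulated PDU that follows the report header, so it appears to stop short of the encapsulated PDU's end by the size of that header. The struct layout is not visible in the hunk, so treat this as something to confirm. Because `encapsulated_pdu_length` comes from the packet, it is safer to bound it against the enclosing PDU before using it, for example `if (encapsulated_pdu_length > pdu_len - sizeof(*pdu)) goto trunc;`. That subtraction is only valid once `pdu_len` is known to be at least `sizeof(*pdu)`. Adding the two lengths inside the macro argument instead could wrap for large values.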
@@ -287,9 +288,10 @@ rpki_rtr_pdu_print (netdissect_options *
tptr += 4;
tlen -= 4;
}
+ ND_TCHECK2(*tptr, text_length);
if (text_length (text_length = tlen )) {
memcpy(buf, tptr, min(sizeof(buf)-1, text_length));
- buf[text_length] = '\0';
+ buf[min(sizeof(buf) - 1, text_length)] = '\0';
ND_PRINT((ndo, %sError text: %s, indent_string(indent+2), buf));
}
}
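Review bot: The error text is copied out of the packet and printed with `%s` in the ND_PRINT call, so control characters and terminal escape sequences chosen by the sender reach the output unescaped. tcpdump's bounded string printer escapes non-printable bytes and would also remove the need for `buf` and the duplicated `min(sizeof(buf) - 1, text_length)`. The replacement would be `ND_PRINT((ndo, "%sError text: ", indent_string(indent+2)));` followed by `if (fn_printn(ndo, tptr, text_length, ndo->ndo_snapend)) goto trunc;`, with the helper's signature confirmed against this tree. If `buf` is kept, compute the clamped length once into a local and use it for both the `memcpy` and the terminator. The enclosing function continues outside the hunk.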
@@ -336,13 +338,13 @@ rpki_rtr_print(netdissect_options *ndo,
pdu_header = (rpki_rtr_pdu *)tptr;
pdu_type = pdu_header-pdu_type;
pdu_len = EXTRACT_32BITS(pdu_header-length);
+ ND_TCHECK2(*tptr, pdu_len);
/* infinite loop check */
if (!pdu_type || !pdu_len) {
break;
}
-ND_TCHECK2(*tptr, pdu_len);
if (tlen pdu_len) {
goto trunc;
}
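Review bot: The loop guard in rpki_rtr_print rejects only `pdu_len == 0`, and the later test only compares `pdu_len` with `tlen`, so a PDU whose declared length is non-zero but shorter than the fixed header is still accepted as far as this hunk shows. The PDU printer would then read header fields beyond the length covered by `ND_TCHECK2(*tptr, pdu_len)`, and the loop would advance by less than one header. A lower bound next to the existing test would close that: `if (pdu_len < sizeof(rpki_rtr_pdu) || tlen < pdu_len) goto trunc;`. The loop header and the call into the PDU printer are outside the hunk, so confirm no such bound is applied there.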