Module Name: src
Committed By: snj
Date: Sun Jun 21 21:26:41 UTC 2009
Modified Files:
src/dist/tcpdump [netbsd-4-0]: print-bgp.c print-isoclns.c print-ldp.c
print-rsvp.c
Log Message:
Apply patch (requested by tonnerre in ticket #1329):
Fix CAN-2005-1278, CAN-2005-1279 and CAN-2005-1280.
To generate a diff of this commit:
cvs rdiff -u -r1.5.14.1 -r1.5.14.2 src/dist/tcpdump/print-bgp.c
cvs rdiff -u -r1.6.14.1 -r1.6.14.2 src/dist/tcpdump/print-isoclns.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.14.1 src/dist/tcpdump/print-ldp.c \
src/dist/tcpdump/print-rsvp.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/dist/tcpdump/print-bgp.c
diff -u src/dist/tcpdump/print-bgp.c:1.5.14.1 src/dist/tcpdump/print-bgp.c:1.5.14.2
--- src/dist/tcpdump/print-bgp.c:1.5.14.1 Mon Apr 14 21:03:49 2008
+++ src/dist/tcpdump/print-bgp.c Sun Jun 21 21:26:41 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: print-bgp.c,v 1.5.14.1 2008/04/14 21:03:49 jdc Exp $ */
+/* $NetBSD: print-bgp.c,v 1.5.14.2 2009/06/21 21:26:41 snj Exp $ */
/*
* Copyright (C) 1999 WIDE Project.
@@ -42,7 +42,7 @@
static const char rcsid[] _U_ =
"@(#) Header: /tcpdump/master/tcpdump/print-bgp.c,v 1.72.2.4 2004/03/24 00:04:04 guy Exp";
#else
-__RCSID("$NetBSD: print-bgp.c,v 1.5.14.1 2008/04/14 21:03:49 jdc Exp $");
+__RCSID("$NetBSD: print-bgp.c,v 1.5.14.2 2009/06/21 21:26:41 snj Exp $");
#endif
#endif
@@ -1254,6 +1254,8 @@
tptr = pptr + len;
break;
}
+ if (advance < 0) /* infinite loop protection */
+ break;
tptr += advance;
}
break;
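Review bot: The new guard `if (advance < 0)` still lets `advance == 0` reach `tptr += advance;`, which leaves tptr where it was. Whether that can spin depends on the loop condition and on the decoders that set advance, both of which lie outside this hunk, so this is a hedge rather than a confirmed defect. If no decoder legitimately returns 0, `if (advance <= 0) /* no forward progress */` closes the same class of hang in one test.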
@@ -1684,9 +1686,10 @@
while (dat + length > p) {
char buf[MAXHOSTNAMELEN + 100];
i = decode_prefix4(p, buf, sizeof(buf));
- if (i == -1)
+ if (i == -1) {
printf("\n\t (illegal prefix length)");
- else if (i == -2)
+ break;
+ } else if (i == -2)
goto trunc;
else {
printf("\n\t %s", buf);
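Review bot: The final `else` treats every return value other than -1 and -2 as a consumed length, so a 0 or any other negative code from decode_prefix4 (not visible here) would print buf and presumably feed the pointer advance below the hunk. If such values are possible, a catch-all `} else if (i <= 0) { break; }` ahead of the else would make the loop fail closed. On style, the chain now mixes a braced arm with the unbraced `else if (i == -2) goto trunc;`, and bracing all three arms would read more consistently. The while body continues past the end of the hunk.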
Index: src/dist/tcpdump/print-isoclns.c
diff -u src/dist/tcpdump/print-isoclns.c:1.6.14.1 src/dist/tcpdump/print-isoclns.c:1.6.14.2
--- src/dist/tcpdump/print-isoclns.c:1.6.14.1 Mon Apr 14 21:03:49 2008
+++ src/dist/tcpdump/print-isoclns.c Sun Jun 21 21:26:41 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: print-isoclns.c,v 1.6.14.1 2008/04/14 21:03:49 jdc Exp $ */
+/* $NetBSD: print-isoclns.c,v 1.6.14.2 2009/06/21 21:26:41 snj Exp $ */
/*
* Copyright (c) 1992, 1993, 1994, 1995, 1996
@@ -32,7 +32,7 @@
static const char rcsid[] _U_ =
"@(#) Header: /tcpdump/master/tcpdump/print-isoclns.c,v 1.106.2.5 2004/03/24 01:45:26 guy Exp (LBL)";
#else
-__RCSID("$NetBSD: print-isoclns.c,v 1.6.14.1 2008/04/14 21:03:49 jdc Exp $");
+__RCSID("$NetBSD: print-isoclns.c,v 1.6.14.2 2009/06/21 21:26:41 snj Exp $");
#endif
#endif
@@ -1522,6 +1522,9 @@
if (tlv_len == 0) /* something is malformed */
continue;
+ if (tlv_len == 0) /* something is malformed */
+ break;
+
/* now check if we have a decoder otherwise do a hexdump at the end*/
switch (tlv_type) {
case TLV_AREA_ADDR:
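Review bot: As shown, the added `if (tlv_len == 0) break;` can never execute, because the context lines directly above test the same condition and `continue` first. The behaviour for a zero-length TLV is therefore unchanged by this hunk: it still takes the `continue` path, and whether that makes progress depends on the enclosing loop, which is outside the hunk. If the intent is to stop parsing on a malformed TLV, the existing `continue;` should be changed to `break;` instead of adding a second test. The hunk header counts suggest a context line was lost in this rendering, so this is worth confirming against the file itself.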
Index: src/dist/tcpdump/print-ldp.c
diff -u src/dist/tcpdump/print-ldp.c:1.1.1.1 src/dist/tcpdump/print-ldp.c:1.1.1.1.14.1
--- src/dist/tcpdump/print-ldp.c:1.1.1.1 Mon Sep 27 17:07:12 2004
+++ src/dist/tcpdump/print-ldp.c Sun Jun 21 21:26:41 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: print-ldp.c,v 1.1.1.1 2004/09/27 17:07:12 dyoung Exp $ */
+/* $NetBSD: print-ldp.c,v 1.1.1.1.14.1 2009/06/21 21:26:41 snj Exp $ */
/*
* Redistribution and use in source and binary forms, with or without
@@ -328,6 +328,9 @@
EXTRACT_32BITS(&ldp_msg_header->id),
LDP_MASK_U_BIT(EXTRACT_16BITS(&ldp_msg_header->type)) ? "continue processing" : "ignore");
+ if (msg_len == 0) /* infinite loop protection */
+ break;
+
msg_tptr=tptr+sizeof(struct ldp_msg_header);
msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4; /* Type & Length fields not included */
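Review bot: The new check rejects only `msg_len == 0`, but `msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4;` two lines later goes wrong for any msg_len below `sizeof(struct ldp_msg_header)-4`, not just zero. The subtraction is carried out in size_t, so a short non-zero msg_len (presumably taken from the message header, outside the hunk) wraps before it is stored in msg_tlen. Comparing against the minimum instead, `if (msg_len < sizeof(struct ldp_msg_header)-4) break;`, covers both the zero case and the short case. The enclosing loop and the declarations of msg_len and msg_tlen are outside the hunk.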
Index: src/dist/tcpdump/print-rsvp.c
diff -u src/dist/tcpdump/print-rsvp.c:1.1.1.1 src/dist/tcpdump/print-rsvp.c:1.1.1.1.14.1
--- src/dist/tcpdump/print-rsvp.c:1.1.1.1 Mon Sep 27 17:07:24 2004
+++ src/dist/tcpdump/print-rsvp.c Sun Jun 21 21:26:41 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: print-rsvp.c,v 1.1.1.1 2004/09/27 17:07:24 dyoung Exp $ */
+/* $NetBSD: print-rsvp.c,v 1.1.1.1.14.1 2009/06/21 21:26:41 snj Exp $ */
/*
* Redistribution and use in source and binary forms, with or without
@@ -877,10 +877,17 @@
switch(rsvp_obj_ctype) {
case RSVP_CTYPE_IPV4:
while(obj_tlen >= 4 ) {
- printf("\n\t Subobject Type: %s",
+ printf("\n\t Subobject Type: %s, length %u",
tok2str(rsvp_obj_xro_values,
"Unknown %u",
- RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)));
+ RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)),
+ *(obj_tptr+1));
+
+ if (*(obj_tptr+1) == 0) { /* prevent infinite loops */
+ printf("\n\t ERROR: zero length ERO subtype");
+ break;
+ }
+
switch(RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)) {
case RSVP_OBJ_XRO_IPV4:
printf(", %s, %s/%u, Flags: [%s]",
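Review bot: The subobject length byte `*(obj_tptr+1)` is tested only against zero; nothing in this hunk compares it with the remaining `obj_tlen`, and the loop guard guarantees just four bytes. If the loop advances by that byte further down (outside the hunk), a length larger than obj_tlen would push obj_tlen negative or wrap it. A non-zero length shorter than the fixed IPv4 subobject fields would also let the printf that follows read beyond the subobject. Reading the byte once into a local and testing `if (subobj_len == 0 || subobj_len > obj_tlen)` in place of the zero test would cover the oversize case and avoid dereferencing the same byte twice.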