On Mon, Mar 10, 2003 at 10:30:47AM -0800, Bill Fenner wrote:
>
> >Do these security problems also affect tcpdump 3.6.2?
>
> Very likely, yes.
>
> >If yes, do you have plans on a new release for 3.6.x?
>
> Not at this time. We should be focusing on the 3.8 release.
> I think a 3.6.x release now would be misleading, since we don't
> have time to comb through all the security fixes that were in
> 3.7, so I think it'd be better to declare the 3.6 branch dead.
> (After all, 3.7.1 is over a year old at this point.)
>
OK. Just in case, I'm attaching a backport to 3.6.2 of what I identified
as the latest security fixes (from 3.7.2)... Maybe it's useful to someone
else. :) (I also have afsprintting.patch and snaplen.patch applied to
3.6.2.)
The diff is against the "tcpdump_3_6rel3" CVS tag and has not been
tested yet, so please review before relying on it.
--
Ademar de Souza Reis Jr. <[EMAIL PROTECTED]>
^[:wq!
Index: parsenfsfh.c
===================================================================
RCS file: /tcpdump/master/tcpdump/parsenfsfh.c,v
retrieving revision 1.18
diff -u -r1.18 parsenfsfh.c
--- parsenfsfh.c 1 Jul 2000 03:39:00 -0000 1.18
+++ parsenfsfh.c 10 Mar 2003 20:36:47 -0000
@@ -378,7 +378,7 @@
/* Save the actual handle, so it can be display with -u */
for (i = 0; i < 32; i++)
- (void)sprintf(&(fsidp->Opaque_Handle[i*2]), "%.2X", fhp[i]);
+ (void)snprintf(&(fsidp->Opaque_Handle[i*2]), 3, "%.2X", fhp[i]);
fsidp->fsid_code = 0;
fsidp->Fsid_dev.Minor = 257;
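Review bot: The size argument of 3 on the snprintf at line 35 bounds each two-hex-digit write but not the destination array: the loop still emits 64 hex characters plus a terminator into fsidp->Opaque_Handle, and stays in bounds only if that field holds at least 65 bytes, which this hunk cannot show. Tying the bound to the field, `(void)snprintf(&(fsidp->Opaque_Handle[i*2]), sizeof(fsidp->Opaque_Handle) - i*2, "%.2X", fhp[i]);`, keeps the loop safe whatever the field's size (assuming Opaque_Handle is an array member rather than a pointer); failing that, a comment stating the 65-byte requirement next to the loop is the minimum. The loop also reads fhp[0..31] regardless of the handle's real length, which is presumably checked by the caller but cannot be confirmed here. The enclosing function starts and ends outside the hunk.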
Index: print-bgp.c
===================================================================
RCS file: /tcpdump/master/tcpdump/print-bgp.c,v
retrieving revision 1.21
diff -u -r1.21 print-bgp.c
--- print-bgp.c 5 Dec 2000 05:48:35 -0000 1.21
+++ print-bgp.c 10 Mar 2003 20:36:48 -0000
@@ -466,11 +466,19 @@
switch (af) {
case AFNUM_INET:
advance = decode_prefix4(p, buf, sizeof(buf));
+ if (advance < 0) {
+ p = dat + len;
+ break;
+ }
printf(" %s", buf);
break;
#ifdef INET6
case AFNUM_INET6:
advance = decode_prefix6(p, buf, sizeof(buf));
+ if (advance < 0) {
+ p = dat + len;
+ break;
+ }
printf(" %s", buf);
break;
#endif
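Review bot: The `break` on lines 51 and 60 leaves only the switch, not the enclosing while loop, and `advance` is left negative; if the code after the switch (outside the hunk) still does `p += advance`, p moves from dat + len back to dat + len - 1, the loop condition is satisfied again, and a single bad prefix-length byte can keep the dissector spinning, which is what this change is meant to stop. Setting `advance = 0;` alongside `p = dat + len;` in both error branches, or guarding the advance with `if (advance < 0) break;`, closes that regardless of what follows the switch. Whether the 3.7.2 code already guards this cannot be seen here, since the loop starts and ends outside the hunk.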
@@ -502,11 +510,19 @@
switch (af) {
case AFNUM_INET:
advance = decode_prefix4(p, buf, sizeof(buf));
+ if (advance < 0) {
+ p = dat + len;
+ break;
+ }
printf(" %s", buf);
break;
#ifdef INET6
case AFNUM_INET6:
advance = decode_prefix6(p, buf, sizeof(buf));
+ if (advance < 0) {
+ p = dat + len;
+ break;
+ }
printf(" %s", buf);
break;
#endif
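Review bot: As in the earlier switch, the `break` on lines 71 and 80 only exits the switch and leaves `advance` negative, so any `p += advance` after the switch would pull p back below dat + len and defeat the `p = dat + len` termination trick; `advance = 0;` next to each `p = dat + len;` makes the intent self-contained. This recovery block is now written out four times across the two switches; a short `static` helper or a shared label after the switch (`if (advance < 0) break;`) would keep the four copies from drifting apart in later fixes. The surrounding loop starts and ends outside the hunk.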
@@ -592,6 +608,7 @@
printf(" (Withdrawn routes: %d bytes)", len);
#else
char buf[MAXHOSTNAMELEN + 100];
+ int wpfx;
TCHECK2(p[2], len);
i = 2;
@@ -599,7 +616,10 @@
printf(" (Withdrawn routes:");
while(i < 2 + len) {
- i += decode_prefix4(&p[i], buf, sizeof(buf));
+ wpfx = decode_prefix4(&p[i], buf, sizeof(buf));
+ if (wpfx < 0)
+ break;
+ i += wpfx;
printf(" %s", buf);
}
printf(")\n");
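Review bot: When decode_prefix4 rejects a prefix on line 97 the loop breaks silently and the closing `)` on line 102 is printed as if the withdrawn-routes list were complete, so a crafted UPDATE with a bad prefix length is indistinguishable in the output from a short, well-formed one. Printing a marker before leaving, `printf(" (illegal prefix length)");`, keeps the fix and makes the truncation visible to whoever reads the capture. The check itself is sound: wpfx is assigned before use and a negative return no longer moves i backwards, which is the loop-termination defect the hunk addresses.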
@@ -660,9 +680,9 @@
while (dat + length > p) {
char buf[MAXHOSTNAMELEN + 100];
i = decode_prefix4(p, buf, sizeof(buf));
- printf(" %s", buf);
if (i < 0)
break;
+ printf(" %s", buf);
p += i;
}
Index: print-isakmp.c
===================================================================
RCS file: /tcpdump/master/tcpdump/print-isakmp.c,v
retrieving revision 1.26
diff -u -r1.26 print-isakmp.c
--- print-isakmp.c 12 Dec 2000 09:20:26 -0000 1.26
+++ print-isakmp.c 10 Mar 2003 20:36:50 -0000
@@ -1033,6 +1033,7 @@
{
u_char *cp;
struct isakmp_gen e;
+ u_int item_len;
cp = (u_char *)ext;
safememcpy(&e, ext, sizeof(e));
@@ -1041,7 +1042,16 @@
cp = (*NPFUNC(np))(ext, ep, phase, doi, proto);
else {
printf("%s", NPSTR(np));
- cp += ntohs(e.len);
+ item_len = ntohs(e.len);
+ if (item_len == 0) {
+ /*
+ * We don't want to loop forever processing this
+ * bogus (zero-length) item; return NULL so that
+ * we stop dissecting.
+ */
+ cp = NULL;
+ } else
+ cp += item_len;
}
return cp;
}
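Review bot: The new check on line 133 stops only a zero-length item; a length field that is nonzero but smaller than the generic header (sizeof(e)), or larger than the data remaining before ep, still advances cp, in the latter case beyond ep, and the caller then treats whatever cp points at as the next item. A bound that covers both, `if (item_len < sizeof(e) || item_len > (size_t)(ep - cp)) cp = NULL; else cp += item_len;`, keeps the loop-termination fix and also refuses to walk off the end of the packet, assuming ep marks the end of captured data as its use on line 128 suggests and cp <= ep holds on entry. The function's opening line is outside the hunk.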
@@ -1073,6 +1083,11 @@
cp = isakmp_sub0_print(np, ext, ep, phase, doi, proto);
printf(")");
depth--;
+
+ if (cp == NULL) {
+ /* Zero-length subitem */
+ return NULL;
+ }
np = e.np;
ext = (struct isakmp_gen *)cp;
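Review bot: The `/* Zero-length subitem */` comment on line 151 names the trigger but not the contract: NULL is what isakmp_sub0_print now returns for that case, and whoever calls this function must treat a NULL result the same way rather than dereference it, which cannot be checked here because the loop and the function's callers are outside the hunk. Suggest `/* isakmp_sub0_print() hit a zero-length item; propagate NULL so callers stop instead of re-reading the same bytes */`. Placing the check after `printf(")")` and `depth--` is right, since the nesting counter is balanced before the early return.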