[tcpdump-workers] three tiny fixes

Mon, 21 May 2001 12:26:46 -0700 

Hello,
The attached patch fixes two (likely unexploitable) buffer overflows and
imposes a limit on the number of cached names in getname(). Would someone
comit it.

Save yourself,
Nergal
 

--- tcpdump-3.6.2/addrtoname.c.orig     Mon May 21 20:29:27 2001
+++ tcpdump-3.6.2/addrtoname.c  Mon May 21 21:03:52 2001
@@ -175,7 +175,8 @@
        register struct hostent *hp;
        u_int32_t addr;
        static struct hnamemem *p;              /* static for longjmp() */
-
+       struct hnamemem *second;
+       int count=0;
 #ifndef LBL_ALIGN
        addr = *(const u_int32_t *)ap;
 #else
@@ -183,12 +184,22 @@
 #endif
        p = &hnametable[addr & (HASHNAMESIZE-1)];
        for (; p->nxt; p = p->nxt) {
+               count++;
                if (p->addr == addr)
                        return (p->name);
        }
-       p->addr = addr;
-       p->nxt = newhnamemem();
-
+       if (count<GETNAME_MAXCOUNT) {
+               p->addr = addr;
+               p->nxt = newhnamemem();
+       } else {
+               second=hnametable[addr & (HASHNAMESIZE-1)].nxt;
+               free(second->name);
+               hnametable[addr & (HASHNAMESIZE-1)].nxt=second->nxt;
+               second->nxt=0;
+               second->addr=addr;
+               p->nxt = second;
+               p=second;
+       }       
        /*
         * Only print names when:
         *      (1) -n was not given.
@@ -210,7 +221,7 @@
                        if (hp) {
                                char *dotp;
 
-                               p->name = savestr(hp->h_name);
+                               p->name = strdup(hp->h_name);
                                if (Nflag) {
                                        /* Remove domain qualifications */
                                        dotp = strchr(p->name, '.');
@@ -221,7 +232,7 @@
                        }
                }
        }
-       p->name = savestr(intoa(addr));
+       p->name = strdup(intoa(addr));
        return (p->name);
 }
 
--- tcpdump-3.6.2/addrtoname.h.orig     Mon May 21 20:50:13 2001
+++ tcpdump-3.6.2/addrtoname.h  Mon May 21 20:50:42 2001
@@ -40,6 +40,7 @@
 #endif
 
 #define ipaddr_string(p) getname((const u_char *)(p))
+#define GETNAME_MAXCOUNT 20
 #ifdef INET6
 #define ip6addr_string(p) getname6((const u_char *)(p))
 #endif
--- tcpdump-3.6.2/print-atalk.c.orig    Mon Oct 30 06:22:14 2000
+++ tcpdump-3.6.2/print-atalk.c Mon May 21 21:00:10 2001
@@ -510,7 +510,7 @@
 {
        register struct hnamemem *tp, *tp2;
        register int i = (atnet << 8) | athost;
-       char nambuf[MAXHOSTNAMELEN + 20];
+       char nambuf[256 + 20];
        static int first = 1;
        FILE *fp;
 
--- tcpdump-3.6.2/print-dhcp6.c.orig    Tue Oct 24 00:56:50 2000
+++ tcpdump-3.6.2/print-dhcp6.c Mon May 21 20:56:35 2001
@@ -206,7 +206,9 @@
                        break;
                case OT6_STR:
                        memset(&buf, 0, sizeof(buf));
-                       strncpy(buf, &cp[4], len);
+                       if (len<sizeof(buf)-1)
+                               strncpy(buf, &cp[4], len);
+                       else goto trunc;
                        printf("%s", buf);
                        break;
                case OT6_NUM:

Reply via email to