Hi,
When using -X/-x/-A with tcpdump on a packet where sizeof(*uph) is larger than
'length', we end up passing a negative value as the length to default_print(),
which wraps around and suddenly we're attempting to print 4294976281 elements.
Found with AFL.
OK?
Index: print-usbpcap.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-usbpcap.c,v
retrieving revision 1.2
diff -u -p -r1.2 print-usbpcap.c
--- print-usbpcap.c 12 Feb 2020 20:07:55 -0000 1.2
+++ print-usbpcap.c 21 Feb 2020 16:11:45 -0000
@@ -40,7 +40,7 @@ usbpcap_if_print(u_char *user, const str
ts_print(&h->ts);
/* check length */
- if (caplen < sizeof(uint16_t))
+ if (caplen < sizeof(uint16_t) || length < sizeof(*uph))
goto trunc;
uph = (struct usbpcap_pkt_hdr *)p;
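Review bot: the new `length < sizeof(*uph)` guard stops the underflow described above, but `caplen` is still only compared against `sizeof(uint16_t)` before `uph` is cast from `p` on the following line; if any field of `*uph` past the first two bytes is read before a later `caplen` check, that read could extend beyond the captured bytes, so consider adding `caplen < sizeof(*uph)` to the same condition (or confirm the later check covers it). Using `sizeof(*uph)` before `uph` is assigned is fine, since `sizeof` does not evaluate its operand.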
--
jasper
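The wrap-around the mail describes, shown as an added example (not code from the mail or from OpenBSD tcpdump): `payload_len_unchecked` mirrors the pre-fix arithmetic, where an unsigned `length` smaller than the header size underflows to a huge count, and `payload_len_checked` mirrors the guard the diff adds. `struct hyp_pkt_hdr` is a constructed stand-in whose only role is to have a fixed size; it is not the real usbpcap_pkt_hdr layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for struct usbpcap_pkt_hdr: only its size matters here;
 * the real header layout is deliberately not reproduced. */
struct hyp_pkt_hdr {
    uint8_t raw[27];
};

/* Pre-fix behaviour: u_int arithmetic on a short packet wraps around,
 * so a 2-byte packet yields a payload length near 2^32. */
uint32_t payload_len_unchecked(uint32_t length)
{
    return length - (uint32_t)sizeof(struct hyp_pkt_hdr);
}

/* Post-fix behaviour: reject the packet as truncated before subtracting.
 * Returns 0 and sets *trunc when the check fails, matching the goto trunc path. */
uint32_t payload_len_checked(uint32_t caplen, uint32_t length, int *trunc)
{
    *trunc = 0;
    if (caplen < sizeof(uint16_t) || length < sizeof(struct hyp_pkt_hdr)) {
        *trunc = 1;
        return 0;
    }
    return length - (uint32_t)sizeof(struct hyp_pkt_hdr);
}

int main(void)
{
    int trunc;
    uint32_t caplen = 2, length = 2;   /* constructed short packet */

    printf("unchecked: %u bytes to print\n", payload_len_unchecked(length));
    printf("checked:   %u bytes, trunc=%d\n",
           payload_len_checked(caplen, length, &trunc), trunc);
    return 0;
}
```

The guard compares `length` against `sizeof(...)` while both are unsigned, so the comparison itself cannot wrap; the subtraction is only reached once it is known to be non-negative.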