~ubuntu-branches/ubuntu/lucid/tcpdump/lucid-updates

Viewing changes to debian/patches/CVE-2014-8767.patch

Committer: Package Import Robot
Author(s): Marc Deslauriers
Date: 2014-12-03 17:17:23 UTC
Revision ID: package-import@ubuntu.com-20141203171723-lm274az3b1gb3kbc

Tags: 4.0.0-6ubuntu3.1

* SECURITY UPDATE: denial of service and possible code execution in
  olsr_print
  - debian/patches/CVE-2014-8767.patch: improve bounds checking and
    error handling in print-olsr.c.
  - CVE-2014-8767
* SECURITY UPDATE: denial of service and possible code execution in
  print-aodv.c
  - debian/patches/CVE-2014-8769.patch: improve bounds checking and
    length checking in print-aodv.c, aodv.h.
  - CVE-2014-8769
* SECURITY UPDATE: denial of service and possible code execution in
  print-ppp.c
  - debian/patches/CVE-2014-9140.patch: improve bounds checking in
    print-ppp.c.
  - CVE-2014-9140

files added:
.pc/.quilt_patches

.pc/.quilt_series

.pc/CVE-2014-8767.patch

.pc/CVE-2014-8767.patch/print-olsr.c

.pc/CVE-2014-8769.patch

.pc/CVE-2014-8769.patch/aodv.h

.pc/CVE-2014-8769.patch/print-aodv.c

.pc/CVE-2014-9140.patch

.pc/CVE-2014-9140.patch/print-ppp.c

debian/patches/CVE-2014-8767.patch

debian/patches/CVE-2014-8769.patch

debian/patches/CVE-2014-9140.patch

files modified:
.pc/applied-patches

aodv.h

debian/changelog

debian/control

debian/patches/series

print-aodv.c

print-olsr.c

print-ppp.c

Show diffs side-by-side

added added

removed removed

debian/patches/CVE-2014-8767.patch

Backport of:

From 4038f83ebf654804829b258dde5e0a508c1c2003 Mon Sep 17 00:00:00 2001

From: Guy Harris <guy@alum.mit.edu>

Date: Tue, 11 Nov 2014 16:49:39 -0800

Subject: [PATCH] Do more bounds checking and length checking.

Don't run past the end of the captured data, and don't run past the end

of the packet (i.e., don't make the length variable go negative).

Also, stop dissecting if the message length isn't valid.

---

print-olsr.c | 56 +++++++++++++++++++++++++++++++++++++++++++-------------

1 file changed, 43 insertions(+), 13 deletions(-)

Index: tcpdump-4.0.0/print-olsr.c

===================================================================

--- tcpdump-4.0.0.orig/print-olsr.c 2014-12-03 17:06:47.275721894 -0500

+++ tcpdump-4.0.0/print-olsr.c 2014-12-03 17:16:48.016960427 -0500

@@ -157,7 +157,7 @@

* print a neighbor list with LQ extensions.

-static void

+static int

olsr_print_lq_neighbor (const u_char *msg_data, u_int hello_len)

{

struct olsr_lq_neighbor *lq_neighbor;

@@ -165,6 +165,8 @@

while (hello_len >= sizeof(struct olsr_lq_neighbor)) {

lq_neighbor = (struct olsr_lq_neighbor *)msg_data;

+ if (!TTEST(*lq_neighbor))

+ return (-1);

printf("\n\t neighbor %s, link-quality %.2lf%%"

", neighbor-link-quality %.2lf%%",

@@ -175,12 +177,13 @@

msg_data += sizeof(struct olsr_lq_neighbor);

hello_len -= sizeof(struct olsr_lq_neighbor);

}

+ return (0);

}

* print a neighbor list.

-static void

+static int

olsr_print_neighbor (const u_char *msg_data, u_int hello_len)

{

int neighbor;

@@ -190,6 +193,8 @@

while (hello_len >= sizeof(struct in_addr)) {

+ if (!TTEST2(*msg_data, sizeof(struct in_addr)))

+ return (-1);

/* print 4 neighbors per line */

printf("%s%s", ipaddr_string(msg_data),

@@ -198,6 +203,7 @@

msg_data += sizeof(struct in_addr);

hello_len -= sizeof(struct in_addr);

}

+ return (0);

}

@@ -245,6 +251,7 @@

}

while (tptr < (pptr+length)) {

+ int msg_len_valid = 0;

if (!TTEST2(*tptr, sizeof(struct olsr_msg)))

goto trunc;

@@ -253,6 +260,9 @@

msg_type = ptr.msg->msg_type;

msg_len = EXTRACT_16BITS(ptr.msg->msg_len);

+ if ((msg_len >= sizeof (struct olsr_msg))

+ && (msg_len <= length))

+ msg_len_valid = 1;

/* infinite loop check */

if (msg_type == 0 || msg_len == 0) {

@@ -268,6 +278,9 @@

ME_TO_DOUBLE(ptr.msg->vtime),

EXTRACT_16BITS(ptr.msg->msg_seq),

msg_len);

+ if (!msg_len_valid) {

+ return;

+ }

msg_tlen = msg_len - sizeof(struct olsr_msg);

msg_data = tptr + sizeof(struct olsr_msg);

@@ -275,6 +288,8 @@

switch (msg_type) {

100

case OLSR_HELLO_MSG:

101

case OLSR_HELLO_LQ_MSG:

102

+ if (msg_tlen < sizeof(struct olsr_hello))

103

+ goto trunc;

104

if (!TTEST2(*msg_data, sizeof(struct olsr_hello)))

105

goto trunc;

106

107

@@ -307,10 +322,14 @@

108

msg_tlen -= sizeof(struct olsr_hello_link);

109

hello_len -= sizeof(struct olsr_hello_link);

110

111

+ if (!TTEST2(*msg_data, hello_len))

112

+ goto trunc;

113

if (msg_type == OLSR_HELLO_MSG) {

114

- olsr_print_neighbor(msg_data, hello_len);

115

+ if (olsr_print_neighbor(msg_data, hello_len) == -1)

116

+ goto trunc;

117

} else {

118

- olsr_print_lq_neighbor(msg_data, hello_len);

119

+ if (olsr_print_lq_neighbor(msg_data, hello_len) == -1)

120

+ goto trunc;

121

}

122

123

msg_data += hello_len;

124

@@ -320,6 +339,8 @@

125

126

case OLSR_TC_MSG:

127

case OLSR_TC_LQ_MSG:

128

+ if (msg_tlen < sizeof(struct olsr_tc))

129

+ goto trunc;

130

if (!TTEST2(*msg_data, sizeof(struct olsr_tc)))

131

goto trunc;

132

133

@@ -330,9 +351,11 @@

134

msg_tlen -= sizeof(struct olsr_tc);

135

136

if (msg_type == OLSR_TC_MSG) {

137

- olsr_print_neighbor(msg_data, msg_tlen);

138

+ if (olsr_print_neighbor(msg_data, msg_tlen) == -1)

139

+ goto trunc;

140

} else {

141

- olsr_print_lq_neighbor(msg_data, msg_tlen);

142

+ if (olsr_print_lq_neighbor(msg_data, msg_tlen) == -1)

143

+ goto trunc;

144

}

145

break;

146

Older »