Gentoo's Bugzilla – Attachment 58223 Details for
Bug 90541
net-analyzer/tcpdump: TCPDump {ISIS|RSVP|LDP|BGP} Decoding Routines Denial Of Service Vulnerability
[patch]
tcpdump-3.8.3-gentoo.patch
tcpdump-3.8.3-gentoo.patch (text/plain), 3.91 KB, created by
Marcelo Goes (RETIRED)
on 2005-05-06 13:59:03 UTC
Description:
tcpdump-3.8.3-gentoo.patch
Filename:
MIME Type:
Creator:
Marcelo Goes (RETIRED)
Created:
2005-05-06 13:59:03 UTC
Size:
3.91 KB
>diff --exclude='*~' -Naur tcpdump-3.8.3.orig/print-bgp.c tcpdump-3.8.3/print-bgp.c
>--- tcpdump-3.8.3.orig/print-bgp.c 2005-05-06 17:41:55.000000000 -0300
>+++ tcpdump-3.8.3/print-bgp.c 2005-05-06 17:45:08.000000000 -0300
>@@ -1216,6 +1216,8 @@
> tptr = pptr + len;
> break;
> }
>+ if (advance < 0) /* infinite loop protection */
>+ break;
> tptr += advance;
> }
> break;
>diff --exclude='*~' -Naur tcpdump-3.8.3.orig/print-isoclns.c tcpdump-3.8.3/print-isoclns.c
>--- tcpdump-3.8.3.orig/print-isoclns.c 2005-05-06 17:41:55.000000000 -0300
>+++ tcpdump-3.8.3/print-isoclns.c 2005-05-06 17:53:57.000000000 -0300
>@@ -1250,11 +1250,11 @@
> break;
> case L1_CSNP:
> case L2_CSNP:
>- printf(", src-id %s", isis_print_id(header_csnp->source_id,SYSTEM_ID_LEN));
>+ printf(", src-id %s", isis_print_id(header_csnp->source_id,NODE_ID_LEN));
> break;
> case L1_PSNP:
> case L2_PSNP:
>- printf(", src-id %s", isis_print_id(header_psnp->source_id,SYSTEM_ID_LEN));
>+ printf(", src-id %s", isis_print_id(header_psnp->source_id,NODE_ID_LEN));
> break;
>
> }
>@@ -1506,6 +1506,9 @@
> tlv_type,
> tlv_len);
>
>+ if (tlv_len == 0) /* something is malformed */
>+ break;
>+
> /* now check if we have a decoder otherwise do a hexdump at the end*/
> switch (tlv_type) {
> case TLV_AREA_ADDR:
>@@ -1536,7 +1539,7 @@
> break;
>
> case TLV_ISNEIGH_VARLEN:
>- if (!TTEST2(*tptr, 1))
>+ if (!TTEST2(*tptr, 1) || tmp < 3) /* min. TLV length */
> goto trunctlv;
> lan_alen = *tptr++; /* LAN adress length */
> tmp --;
>diff --exclude='*~' -Naur tcpdump-3.8.3.orig/print-ldp.c tcpdump-3.8.3/print-ldp.c
>--- tcpdump-3.8.3.orig/print-ldp.c 2005-05-06 17:41:55.000000000 -0300
>+++ tcpdump-3.8.3/print-ldp.c 2005-05-06 17:49:09.000000000 -0300
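Review bot: In the print-bgp.c hunk the new guard `if (advance < 0)` still lets a zero `advance` reach `tptr += advance;`, so the pointer would not move on that iteration. The loop header and the decoders that assign `advance` are outside the hunk, so whether zero can occur without `tptr` being moved some other way (as the visible `tptr = pptr + len;` case does) cannot be confirmed from here. If it can, `if (advance <= 0) /* no forward progress */` covers both the negative and the stalled case.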
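Review bot: The added `if (tlv_len == 0) break;` in print-isoclns.c stops TLV decoding without printing anything, so someone reading the output cannot tell that the rest of the PDU was skipped. The same holds for the silent `break` on `advance < 0` in print-bgp.c and on `msg_len == 0` in print-ldp.c, whereas the print-rsvp.c hunk of this patch does report its zero-length case. A line such as `printf("\n\t    zero-length TLV, decoding stopped");` before the `break` would make the decoders consistent and keep malformed packets visible in a capture review. The enclosing loop starts outside the hunk, so what the `break` exits is inferred from the comment only.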
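Review bot: The new `tmp < 3` test in the TLV_ISNEIGH_VARLEN case does not constrain `lan_alen`, which is read from the packet on the following line and is not range-checked anywhere in the hunk. The rest of the case lies outside the hunk; if it walks the TLV in `lan_alen`-sized steps, a zero value needs its own rejection directly after the read, for example `if (lan_alen == 0) break;` together with a printed notice. The comment `/* min. TLV length */` also does not say how the 3 is derived, and a short TLV is reported through `trunctlv` as if the capture were truncated; spelling out what the three octets are would help the next reader.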
>@@ -326,6 +326,9 @@
> EXTRACT_32BITS(&ldp_msg_header->id),
> LDP_MASK_U_BIT(EXTRACT_16BITS(&ldp_msg_header->type)) ? "continue processing" : "ignore");
>
>+ if (msg_len == 0) /* infinite loop protection */
>+ break;
>+
> msg_tptr=tptr+sizeof(struct ldp_msg_header);
> msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4; /* Type & Length fields not included */
>
>diff --exclude='*~' -Naur tcpdump-3.8.3.orig/print-rsvp.c tcpdump-3.8.3/print-rsvp.c
>--- tcpdump-3.8.3.orig/print-rsvp.c 2005-05-06 17:41:55.000000000 -0300
>+++ tcpdump-3.8.3/print-rsvp.c 2005-05-06 17:51:12.000000000 -0300
>@@ -875,10 +875,17 @@
> switch(rsvp_obj_ctype) {
> case RSVP_CTYPE_IPV4:
> while(obj_tlen >= 4 ) {
>- printf("\n\t Subobject Type: %s",
>+ printf("\n\t Subobject Type: %s, length %u",
> tok2str(rsvp_obj_xro_values,
> "Unknown %u",
>- RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)));
>+ RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)),
>+ *(obj_tptr+1));
>+
>+ if (*(obj_tptr+1) == 0) { /* prevent infinite loops */
>+ printf("\n\t ERROR: zero length ERO subtype");
>+ break;
>+ }
>+
> switch(RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)) {
> case RSVP_OBJ_XRO_IPV4:
> printf(", %s, %s/%u, Flags: [%s]",
>@@ -921,8 +928,8 @@
> if (obj_tlen < 8)
> return;
> printf("\n\t Restart Time: %ums, Recovery Time: %ums",
>- EXTRACT_16BITS(obj_tptr),
>- EXTRACT_16BITS(obj_tptr+4));
>+ EXTRACT_32BITS(obj_tptr),
>+ EXTRACT_32BITS(obj_tptr+4));
> obj_tlen-=8;
> obj_tptr+=8;
> break;
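Review bot: In print-ldp.c the check `msg_len == 0` rejects only one of the lengths that break the subtraction two lines below it: `msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4` drops below zero (or wraps, since `sizeof` yields an unsigned type) for every `msg_len` smaller than `sizeof(struct ldp_msg_header)-4`. Comparing against that minimum covers zero as well: `if (msg_len < sizeof(struct ldp_msg_header)-4) break;`. The declaration of `msg_tlen` and the loop that consumes it are outside the hunk, so the exact effect of the wrapped value is not visible here.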
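Review bot: The zero check added to the RSVP_CTYPE_IPV4 loop in print-rsvp.c leaves the subobject length `*(obj_tptr+1)` unbounded at the top: the loop condition only guarantees `obj_tlen >= 4`, and a length byte larger than the remaining `obj_tlen` is accepted. How the loop advances is outside the hunk, but if it subtracts the subobject length from `obj_tlen`, an oversized value would carry the counter past zero and the decoder past the object. Widening the test to `if (*(obj_tptr+1) == 0 || *(obj_tptr+1) > obj_tlen) {` rejects both cases with the same error path. The length byte is also dereferenced twice in the new lines; reading it once into a local would make the check and the printed value provably the same.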
Attachments on
bug 90541
: 58223