authorsam <sam@FreeBSD.org>2005-06-09 15:42:58 +0000
committersam <sam@FreeBSD.org>2005-06-09 15:42:58 +0000
commita6836add6eafd2d06f4eeb7200e8217ba3399c1b (patch)
tree8e20992bcc0482f19f589c8c4e3ebe1ac3bdc323 /contrib/tcpdump/print-isoclns.c
parentcbc6e26dd5d6740368f56495e5392bbe9fb7dbae (diff)
Correct several denial-of-service vulnerabilities in tcpdump.
Security: FreeBSD-SA-05:10.tcpdump Security: CAN-2005-1267, CAN-2005-1278, CAN-2005-1279, CAN-2005-1280 Obtained from: tcpdump.org
Diffstat (limited to 'contrib/tcpdump/print-isoclns.c')
-rw-r--r--contrib/tcpdump/print-isoclns.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/contrib/tcpdump/print-isoclns.c b/contrib/tcpdump/print-isoclns.c
index 37ecf0b..a35ac95 100644
--- a/contrib/tcpdump/print-isoclns.c
+++ b/contrib/tcpdump/print-isoclns.c
@@ -1905,6 +1905,9 @@ static int isis_print (const u_int8_t *p, u_int length)
tlv_type,
tlv_len);
+ if (tlv_len == 0) /* something is malformed */
+ break;
+
/* now check if we have a decoder otherwise do a hexdump at the end*/
switch (tlv_type) {
case ISIS_TLV_AREA_ADDR:
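Review bot: The `break` added ahead of the `switch` stops TLV decoding without printing anything, so someone reading the output cannot tell that the rest of the PDU was skipped because of a zero-length TLV. For a tool used to inspect hostile traffic, that silent stop is worth making visible: print a short "malformed TLV" marker before leaving, and widen the comment to something like `/* zero-length TLV: stop here, remaining TLVs are not decoded */`. Whether a zero length is invalid for every TLV type cannot be judged from the visible lines, so the comment should also say why all types are treated alike. The enclosing loop begins and ends outside this hunk.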
@@ -1935,7 +1938,7 @@ static int isis_print (const u_int8_t *p, u_int length)
break;
case ISIS_TLV_ISNEIGH_VARLEN:
- if (!TTEST2(*tptr, 1))
+ if (!TTEST2(*tptr, 1) || tmp < 3) /* min. TLV length */
goto trunctlv;
lan_alen = *tptr++; /* LAN adress length */
tmp --;
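Review bot: `lan_alen` is read from the packet on the line after the new guard and is not range-checked anywhere in the visible lines. If the rest of this case (outside the hunk) walks the TLV in `lan_alen`-sized steps, a zero value would never advance, which is the same class of problem this commit is fixing. A check right after the read, such as `if (lan_alen == 0) goto trunctlv;`, would close that off. Separately, the `3` in `tmp < 3` deserves a comment naming the bytes it accounts for, since `min. TLV length` does not say how the figure is derived.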