authorsam <sam@FreeBSD.org>2005-06-09 15:42:58 +0000
committersam <sam@FreeBSD.org>2005-06-09 15:42:58 +0000
commita6836add6eafd2d06f4eeb7200e8217ba3399c1b (patch)
tree8e20992bcc0482f19f589c8c4e3ebe1ac3bdc323 /contrib/tcpdump
parentcbc6e26dd5d6740368f56495e5392bbe9fb7dbae (diff)
Correct several denial-of-service vulnerabilities in tcpdump.
Security: FreeBSD-SA-05:10.tcpdump Security: CAN-2005-1267, CAN-2005-1278, CAN-2005-1279, CAN-2005-1280 Obtained from: tcpdump.org
Diffstat (limited to 'contrib/tcpdump')
-rw-r--r--contrib/tcpdump/print-bgp.c5
-rw-r--r--contrib/tcpdump/print-isoclns.c5
-rw-r--r--contrib/tcpdump/print-rsvp.c13
3 files changed, 17 insertions, 6 deletions
diff --git a/contrib/tcpdump/print-bgp.c b/contrib/tcpdump/print-bgp.c
index 135ffe3..d1b0271 100644
--- a/contrib/tcpdump/print-bgp.c
+++ b/contrib/tcpdump/print-bgp.c
@@ -1798,9 +1798,10 @@ bgp_update_print(const u_char *dat, int length)
while (dat + length > p) {
char buf[MAXHOSTNAMELEN + 100];
i = decode_prefix4(p, buf, sizeof(buf));
- if (i == -1)
+ if (i == -1) {
printf("\n\t (illegal prefix length)");
- else if (i == -2)
+ break;
+ } else if (i == -2)
goto trunc;
else {
printf("\n\t %s", buf);
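Review bot: The new `break` under `if (i == -1)` carries no comment explaining why it is needed, and the reason is not obvious from the hunk alone. Presumably only the final `else` branch advances `p` (its body is cut off here), so an illegal prefix length would leave `p` unchanged and `while (dat + length > p)` would never terminate. I would add `/* p is not advanced for an illegal prefix; stop so the loop cannot spin forever */` above the `break`. Any other loop in this file that prints "(illegal prefix length)" after a `decode_prefix*` call without leaving the loop would need the same treatment, which cannot be confirmed from this hunk. bgp_update_print starts and ends outside the hunk.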
diff --git a/contrib/tcpdump/print-isoclns.c b/contrib/tcpdump/print-isoclns.c
index 37ecf0b..a35ac95 100644
--- a/contrib/tcpdump/print-isoclns.c
+++ b/contrib/tcpdump/print-isoclns.c
@@ -1905,6 +1905,9 @@ static int isis_print (const u_int8_t *p, u_int length)
tlv_type,
tlv_len);
+ if (tlv_len == 0) /* something is malformed */
+ break;
+
/* now check if we have a decoder otherwise do a hexdump at the end*/
switch (tlv_type) {
case ISIS_TLV_AREA_ADDR:
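Review bot: The added `if (tlv_len == 0) break;` abandons the rest of the PDU without printing anything, whereas the BGP and RSVP fixes in this same commit print a diagnostic before leaving their loops. I would emit a short message before the `break`, for example `printf("\n\t      zero-length TLV (malformed)");`, so that a capture containing such a packet shows why decoding stopped. Whether a zero-length TLV should end the whole TLV walk or only be skipped depends on whether the enclosing loop has already stepped past the two-byte TLV header, which is not visible here. isis_print starts and ends outside the hunk.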
@@ -1935,7 +1938,7 @@ static int isis_print (const u_int8_t *p, u_int length)
break;
case ISIS_TLV_ISNEIGH_VARLEN:
- if (!TTEST2(*tptr, 1))
+ if (!TTEST2(*tptr, 1) || tmp < 3) /* min. TLV length */
goto trunctlv;
lan_alen = *tptr++; /* LAN adress length */
tmp --;
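Review bot: `lan_alen` is read from the packet on the line after the new `tmp < 3` guard, and nothing in the hunk rejects a value of zero. If the code following the hunk walks the TLV in steps of `lan_alen` (it is cut off here, so this is an inference), a zero value would stop that walk from making progress, which is the same class of problem this commit fixes elsewhere. I would reject it right after the read, e.g. `if (lan_alen == 0) goto trunctlv;`, or with a dedicated "invalid LAN address length" message. The comment `/* min. TLV length */` should also say what the three bytes are, since the constant is otherwise unexplained. The case body continues outside the hunk.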
diff --git a/contrib/tcpdump/print-rsvp.c b/contrib/tcpdump/print-rsvp.c
index 959a620..58da545 100644
--- a/contrib/tcpdump/print-rsvp.c
+++ b/contrib/tcpdump/print-rsvp.c
@@ -558,7 +558,7 @@ rsvp_obj_print (const u_char *tptr, const char *ident, u_int tlen) {
rsvp_obj_ctype=rsvp_obj_header->ctype;
if(rsvp_obj_len % 4 || rsvp_obj_len < sizeof(struct rsvp_object_header)) {
- printf("ERROR: object header too short %u < %lu", rsvp_obj_len,
+ printf("%sERROR: object header too short %u < %lu", ident, rsvp_obj_len,
(unsigned long)sizeof(const struct rsvp_object_header));
return -1;
}
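Review bot: The message still says "object header too short %u < %lu" although the condition on the line above also fires when `rsvp_obj_len % 4` is nonzero, so a sufficiently long but misaligned length is reported as too short. Since the line is being edited anyway, I would reword it to cover both cases, e.g. `printf("%sERROR: object length %u not a multiple of 4 or shorter than %lu", ident, rsvp_obj_len,` with the existing `sizeof` argument kept. rsvp_obj_print starts and ends outside the hunk.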
@@ -883,11 +883,18 @@ rsvp_obj_print (const u_char *tptr, const char *ident, u_int tlen) {
switch(rsvp_obj_ctype) {
case RSVP_CTYPE_IPV4:
while(obj_tlen >= 4 ) {
- printf("%s Subobject Type: %s",
+ printf("%s Subobject Type: %s, length %u",
ident,
tok2str(rsvp_obj_xro_values,
"Unknown %u",
- RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)));
+ RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)),
+ *(obj_tptr+1));
+
+ if (*(obj_tptr+1) == 0) { /* prevent infinite loops */
+ printf("%s ERROR: zero length ERO subtype",ident);
+ break;
+ }
+
switch(RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)) {
case RSVP_OBJ_XRO_IPV4:
printf(", %s, %s/%u, Flags: [%s]",
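Review bot: The new guard on `*(obj_tptr+1)` rejects only a zero length, so a subobject length that is nonzero but larger than the remaining `obj_tlen` is still accepted as far as this hunk shows. If the loop later subtracts that length from `obj_tlen` and `obj_tlen` is unsigned (both are outside the hunk, so this is an inference), the counter would wrap and the `while(obj_tlen >= 4)` walk would continue past the object. I would widen the check to `if (*(obj_tptr+1) == 0 || *(obj_tptr+1) > obj_tlen) {` and adjust the message to match. The text "zero length ERO subtype" should also read "subobject", to agree with the "Subobject Type" line printed just above. The loop body continues outside the hunk.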