| author | Guy Harris <guy@alum.mit.edu> | 2017-03-23 14:11:30 -0700 |
|---|---|---|
| committer | Denis Ovsienko <denis@ovsienko.info> | 2017-09-13 12:25:44 +0100 |
| commit | da6f1a677bfa4476abaeaf9b1afe1c4390f51b41 (patch) | |
| tree | c60a2cc08f95e4ffea89ab84d207d3c533f6adbe /print-pgm.c | |
| parent | fe5ad997c499d6a7b033f52dc7581a23959abfd1 (diff) | |
| download | tcpdump-da6f1a677bfa4476abaeaf9b1afe1c4390f51b41.tar.gz | |
CVE-2017-13034/PGM: Add a bounds check.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
Move a return to make the code a bit cleaner (i.e., make it more obvious
that if we don't have enough of the PGM header, we just print the source
and destination IP addresses, mark it as incomplete PGM, and don't try
to look at the PGM header).
Diffstat (limited to 'print-pgm.c')
-rw-r--r-- | print-pgm.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/print-pgm.c b/print-pgm.c index c22b188b..8340f2c3 100644 --- a/print-pgm.c +++ b/print-pgm.c @@ -169,13 +169,12 @@ pgm_print(netdissect_options *ndo, ND_PRINT((ndo, "%s > %s: [|pgm]", ip6addr_string(ndo, &ip6->ip6_src), ip6addr_string(ndo, &ip6->ip6_dst))); - return; } else { ND_PRINT((ndo, "%s > %s: [|pgm]", ipaddr_string(ndo, &ip->ip_src), ipaddr_string(ndo, &ip->ip_dst))); - return; } + return; } sport = EXTRACT_16BITS(&pgm->pgm_sport); @@ -362,6 +361,7 @@ pgm_print(netdissect_options *ndo, * and stopping if we don't have enough. */ bp += (2 * sizeof(uint16_t)); + ND_TCHECK_16BITS(bp); switch (EXTRACT_16BITS(bp)) { case AFNUM_INET: ND_TCHECK2(*bp, sizeof(struct in_addr)); |
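Review bot: hoisting the `return;` out of both branches of the first hunk is behaviour-preserving only because each branch previously ended in an unconditional `return;`, and it does make the short-header path clearer: a packet without a full PGM header prints `src > dst: [|pgm]` and never reaches `sport = EXTRACT_16BITS(&pgm->pgm_sport);`. The two branches now differ solely in the address-string helpers (`ip6addr_string` vs `ipaddr_string`), so a follow-up could keep the `[|pgm]` format string in one place, but that is a style point outside the scope of a security fix.

Review bot: in the second hunk the new `ND_TCHECK_16BITS(bp);` sits directly before the `EXTRACT_16BITS(bp)` it protects, so the address-family value is no longer read past the captured data, and it matches the existing per-case `ND_TCHECK2(*bp, sizeof(struct in_addr));` pattern. The two 16-bit fields skipped by `bp += (2 * sizeof(uint16_t));` just above are still not checked; that is acceptable only while nothing dereferences them, so a one-line comment saying the skip is deliberate would spare the next reader the same question. This view is limited to print-pgm.c, so the regression test the commit message describes cannot be reviewed here.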