authorSimon L. B. Nielsen <simon@FreeBSD.org>2005-06-20 08:12:35 +0000
committerSimon L. B. Nielsen <simon@FreeBSD.org>2005-06-20 08:12:35 +0000
commit84cf2c81f7bd02471759cce09eb9f6a75fd2c69c (patch)
tree1d802ceb569d5aa667da63f1b93c286d016aec7e /net/tcpdump
parent03f5436f6e347f1e10f0f60e42d1e3c95a04cc70 (diff)
Fix infinite loop DoS vulnerabilities.
Security: FreeBSD-SA-05:10.tcpdump Security: http://vuxml.FreeBSD.org/9fae0f1f-df82-11d9-b875-0001020eed82.html Security: CAN-2005-1267, CAN-2005-1278, CAN-2005-1279, CAN-2005-1280 Approved by: bms (maintainer)
Notes
Notes: svn path=/head/; revision=137753
Diffstat (limited to 'net/tcpdump')
-rw-r--r--net/tcpdump/Makefile2
-rw-r--r--net/tcpdump/files/patch-infinite-loop-dos99
2 files changed, 100 insertions, 1 deletions
diff --git a/net/tcpdump/Makefile b/net/tcpdump/Makefile
index bc4b2dee40b9..23823ad0f7e5 100644
--- a/net/tcpdump/Makefile
+++ b/net/tcpdump/Makefile
@@ -7,7 +7,7 @@
PORTNAME= tcpdump
PORTVERSION= 3.8.3
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= net
MASTER_SITES= http://www.tcpdump.org/release/
DISTNAME= ${PORTNAME}-${PORTVERSION}
diff --git a/net/tcpdump/files/patch-infinite-loop-dos b/net/tcpdump/files/patch-infinite-loop-dos
new file mode 100644
index 000000000000..ad0372cdcd8e
--- /dev/null
+++ b/net/tcpdump/files/patch-infinite-loop-dos
@@ -0,0 +1,99 @@
+Index: print-bgp.c
+===================================================================
+RCS file: /home/ncvs/src/print-bgp.c,v
+retrieving revision 1.1.1.5
+diff -u -d -r1.1.1.5 print-bgp.c
+--- print-bgp.c 31 Mar 2004 09:16:43 -0000 1.1.1.5
++++ print-bgp.c 30 May 2005 21:03:44 -0000
+@@ -1216,6 +1216,8 @@
+ tptr = pptr + len;
+ break;
+ }
++ if (advance < 0) /* infinite loop protection */
++ break;
+ tptr += advance;
+ }
+ break;
+@@ -1646,9 +1648,10 @@
+ while (dat + length > p) {
+ char buf[MAXHOSTNAMELEN + 100];
+ i = decode_prefix4(p, buf, sizeof(buf));
+- if (i == -1)
++ if (i == -1) {
+ printf("\n\t (illegal prefix length)");
+- else if (i == -2)
++ break;
++ } else if (i == -2)
+ goto trunc;
+ else {
+ printf("\n\t %s", buf);
+Index: print-isoclns.c
+===================================================================
+RCS file: /home/ncvs/src/print-isoclns.c,v
+retrieving revision 1.12
+diff -u -d -r1.12 print-isoclns.c
+--- print-isoclns.c 31 Mar 2004 14:57:24 -0000 1.12
++++ print-isoclns.c 22 May 2005 21:49:06 -0000
+@@ -1508,6 +1508,9 @@
+ tlv_type,
+ tlv_len);
+
++ if (tlv_len == 0) /* something is malformed */
++ break;
++
+ /* now check if we have a decoder otherwise do a hexdump at the end*/
+ switch (tlv_type) {
+ case TLV_AREA_ADDR:
+@@ -1538,7 +1541,7 @@
+ break;
+
+ case TLV_ISNEIGH_VARLEN:
+- if (!TTEST2(*tptr, 1))
++ if (!TTEST2(*tptr, 1) || tmp < 3) /* min. TLV length */
+ goto trunctlv;
+ lan_alen = *tptr++; /* LAN adress length */
+ tmp --;
+Index: print-ldp.c
+===================================================================
+RCS file: /home/ncvs/src/print-ldp.c,v
+retrieving revision 1.1.1.1
+diff -u -d -r1.1.1.1 print-ldp.c
+--- print-ldp.c 31 Mar 2004 09:16:56 -0000 1.1.1.1
++++ print-ldp.c 30 May 2005 21:11:28 -0000
+@@ -326,6 +326,9 @@
+ EXTRACT_32BITS(&ldp_msg_header->id),
+ LDP_MASK_U_BIT(EXTRACT_16BITS(&ldp_msg_header->type)) ? "continue processing" : "ignore");
+
++ if (msg_len == 0) /* infinite loop protection */
++ break;
++
+ msg_tptr=tptr+sizeof(struct ldp_msg_header);
+ msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4; /* Type & Length fields not included */
+
+Index: print-rsvp.c
+===================================================================
+RCS file: /home/ncvs/src/print-rsvp.c,v
+retrieving revision 1.1.1.1
+diff -u -d -r1.1.1.1 print-rsvp.c
+--- print-rsvp.c 31 Mar 2004 09:17:07 -0000 1.1.1.1
++++ print-rsvp.c 21 May 2005 20:13:29 -0000
+@@ -875,10 +875,17 @@
+ switch(rsvp_obj_ctype) {
+ case RSVP_CTYPE_IPV4:
+ while(obj_tlen >= 4 ) {
+- printf("\n\t Subobject Type: %s",
++ printf("\n\t Subobject Type: %s, length %u",
+ tok2str(rsvp_obj_xro_values,
+ "Unknown %u",
+- RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)));
++ RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)),
++ *(obj_tptr+1));
++
++ if (*(obj_tptr+1) == 0) { /* prevent infinite loops */
++ printf("\n\t ERROR: zero length ERO subtype");
++ break;
++ }
++
+ switch(RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)) {
+ case RSVP_OBJ_XRO_IPV4:
+ printf(", %s, %s/%u, Flags: [%s]",
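Review bot: In the print-ldp.c part of the patch the new guard rejects only `msg_len == 0`, but the context line right after it computes `msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4`, which drops below zero (or wraps, depending on the types declared outside the hunk) for any non-zero `msg_len` smaller than `sizeof(struct ldp_msg_header)-4`. I would widen the check to `if (msg_len < sizeof(struct ldp_msg_header) - 4) break;` so a too-short message length never reaches the TLV walk. The print-rsvp.c guard `*(obj_tptr+1) == 0` has the same shape: subobject lengths 1 to 3 pass it although the loop condition `obj_tlen >= 4` suggests a 4-byte minimum, so a minimum-length comparison looks safer there too; how that loop advances is outside the hunk and should be confirmed against the full function. The breaks added in print-bgp.c (`advance < 0`), print-isoclns.c and print-ldp.c are also silent, so printing a short marker, as the print-rsvp.c change does, would tell whoever reads the output that decoding stopped on malformed input.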