- fix http://secunia.com/advisories/26135/
[packages/tcpdump.git] / tcpdump-CVE-2007-3798.patch
1 ===================================================================
2 RCS file: /tcpdump/master/tcpdump/print-bgp.c,v
3 retrieving revision 1.91.2.11
4 retrieving revision 1.91.2.12
5 diff -u -r1.91.2.11 -r1.91.2.12
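--- a/tcpdump/print-bgp.c
+++ b/tcpdump/print-bgp.c
@@ -36,7 +36,7 @@
 
 #ifndef lint
 static const char rcsid[] _U_ =
-     "@(#) $Header$";
+     "@(#) $Header$";
 #endif
 
 #include <tcpdump-stdinc.h>
@@ -609,6 +609,26 @@
        return -2;
 }
 
+/*
+ * As I remember, some versions of systems have an snprintf() that
+ * returns -1 if the buffer would have overflowed.  If the return
+ * value is negative, set buflen to 0, to indicate that we've filled
+ * the buffer up.
+ *
+ * If the return value is greater than buflen, that means that
+ * the buffer would have overflowed; again, set buflen to 0 in
+ * that case.
+ */
+#define UPDATE_BUF_BUFLEN(buf, buflen, strlen) \
+    if (strlen<0) \
+               buflen=0; \
+    else if ((u_int)strlen>buflen) \
+        buflen=0; \
+    else { \
+        buflen-=strlen; \
+       buf+=strlen; \
+    }
+
 static int
 decode_labeled_vpn_l2(const u_char *pptr, char *buf, u_int buflen)
 {
@@ -619,11 +639,13 @@
         tlen=plen;
         pptr+=2;
        TCHECK2(pptr[0],15);
+       buf[0]='\0';
         strlen=snprintf(buf, buflen, "RD: %s, CE-ID: %u, Label-Block Offset: %u, Label Base %u",
                         bgp_vpn_rd_print(pptr),
                         EXTRACT_16BITS(pptr+8),
                         EXTRACT_16BITS(pptr+10),
                         EXTRACT_24BITS(pptr+12)>>4); /* the label is offsetted by 4 bits so lets shift it right */
+        UPDATE_BUF_BUFLEN(buf, buflen, strlen);
         pptr+=15;
         tlen-=15;
 
@@ -639,23 +661,32 @@
 
             switch(tlv_type) {
             case 1:
-                strlen+=snprintf(buf+strlen,buflen-strlen, "\n\t\tcircuit status vector (%u) length: %u: 0x",
-                                 tlv_type,
-                                 tlv_len);
+                if (buflen!=0) {
+                    strlen=snprintf(buf,buflen, "\n\t\tcircuit status vector (%u) length: %u: 0x",
+                                    tlv_type,
+                                    tlv_len);
+                    UPDATE_BUF_BUFLEN(buf, buflen, strlen);
+                }
                 ttlv_len=ttlv_len/8+1; /* how many bytes do we need to read ? */
                 while (ttlv_len>0) {
                     TCHECK(pptr[0]);
-                    strlen+=snprintf(buf+strlen,buflen-strlen, "%02x",*pptr++);
+                    if (buflen!=0) {
+                        strlen=snprintf(buf,buflen, "%02x",*pptr++);
+                        UPDATE_BUF_BUFLEN(buf, buflen, strlen);
+                    }
                     ttlv_len--;
                 }
                 break;
             default:
-                snprintf(buf+strlen,buflen-strlen, "\n\t\tunknown TLV #%u, length: %u",
-                         tlv_type,
-                         tlv_len);
+                if (buflen!=0) {
+                    strlen=snprintf(buf,buflen, "\n\t\tunknown TLV #%u, length: %u",
+                                    tlv_type,
+                                    tlv_len);
+                    UPDATE_BUF_BUFLEN(buf, buflen, strlen);
+                }
                 break;
             }
-            tlen-=(tlv_len<<3); /* the tlv-length is expressed in bits so lets shift it tright */
+            tlen-=(tlv_len<<3); /* the tlv-length is expressed in bits so lets shift it right */
         }
         return plen+2;
 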
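Review bot: In the `case 1` loop of the last hunk, `*pptr++` now sits inside `if (buflen!=0)`, so once the output buffer is full the packet pointer stops advancing while `ttlv_len` still counts down. The enclosing TLV loop begins outside this hunk, but if it reads the next TLV header from `pptr`, that read would land at the wrong offset. Reads remain guarded by `TCHECK(pptr[0])`, so this looks like a misparse of the remaining TLVs rather than a memory-safety problem. Consuming the byte unconditionally avoids it: pass `*pptr` to `snprintf` and put `pptr++;` after the `if` block. Separately, `UPDATE_BUF_BUFLEN` expands to a bare `if`/`else` chain with unparenthesised arguments; wrapping it in `do { ... } while (0)` would keep it safe if it is ever used under an unbraced `if`.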