[packages/tcpdump.git] / tcpdump-CVE-2007-3798.patch

===================================================================
RCS file: /tcpdump/master/tcpdump/print-bgp.c,v
retrieving revision 1.91.2.11
retrieving revision 1.91.2.12
diff -u -r1.91.2.11 -r1.91.2.12
--- tcpdump/print-bgp.c	2007/02/26 13:31:33	1.91.2.11
+++ tcpdump/print-bgp.c	2007/07/14 22:26:35	1.91.2.12
@@ -609,6 +609,26 @@
 	return -2;
 }
 
+/*
+ * As I remember, some versions of systems have an snprintf() that
+ * returns -1 if the buffer would have overflowed.  If the return
+ * value is negative, set buflen to 0, to indicate that we've filled
+ * the buffer up.
+ *
+ * If the return value is greater than buflen, that means that
+ * the buffer would have overflowed; again, set buflen to 0 in
+ * that case.
+ */
+#define UPDATE_BUF_BUFLEN(buf, buflen, strlen) \
+    if (strlen<0) \
+       	buflen=0; \
+    else if ((u_int)strlen>buflen) \
+        buflen=0; \
+    else { \
+        buflen-=strlen; \
+	buf+=strlen; \
+    }
+
 static int
 decode_labeled_vpn_l2(const u_char *pptr, char *buf, u_int buflen)
 {
@@ -619,11 +639,13 @@
         tlen=plen;
         pptr+=2;
 	TCHECK2(pptr[0],15);
+	buf[0]='\0';
         strlen=snprintf(buf, buflen, "RD: %s, CE-ID: %u, Label-Block Offset: %u, Label Base %u",
                         bgp_vpn_rd_print(pptr),
                         EXTRACT_16BITS(pptr+8),
                         EXTRACT_16BITS(pptr+10),
                         EXTRACT_24BITS(pptr+12)>>4); /* the label is offsetted by 4 bits so lets shift it right */
+        UPDATE_BUF_BUFLEN(buf, buflen, strlen);
         pptr+=15;
         tlen-=15;
 
@@ -639,23 +661,32 @@
 
             switch(tlv_type) {
             case 1:
-                strlen+=snprintf(buf+strlen,buflen-strlen, "\n\t\tcircuit status vector (%u) length: %u: 0x",
-                                 tlv_type,
-                                 tlv_len);
+                if (buflen!=0) {
+                    strlen=snprintf(buf,buflen, "\n\t\tcircuit status vector (%u) length: %u: 0x",
+                                    tlv_type,
+                                    tlv_len);
+                    UPDATE_BUF_BUFLEN(buf, buflen, strlen);
+                }
                 ttlv_len=ttlv_len/8+1; /* how many bytes do we need to read ? */
                 while (ttlv_len>0) {
                     TCHECK(pptr[0]);
-                    strlen+=snprintf(buf+strlen,buflen-strlen, "%02x",*pptr++);
+                    if (buflen!=0) {
+                        strlen=snprintf(buf,buflen, "%02x",*pptr++);
+                        UPDATE_BUF_BUFLEN(buf, buflen, strlen);
+                    }
                     ttlv_len--;
                 }
                 break;
             default:
-                snprintf(buf+strlen,buflen-strlen, "\n\t\tunknown TLV #%u, length: %u",
-                         tlv_type,
-                         tlv_len);
+                if (buflen!=0) {
+                    strlen=snprintf(buf,buflen, "\n\t\tunknown TLV #%u, length: %u",
+                                    tlv_type,
+                                    tlv_len);
+                    UPDATE_BUF_BUFLEN(buf, buflen, strlen);
+                }
                 break;
             }
-            tlen-=(tlv_len<<3); /* the tlv-length is expressed in bits so lets shift it tright */
+            tlen-=(tlv_len<<3); /* the tlv-length is expressed in bits so lets shift it right */
         }
         return plen+2;
Commit	Line	Data
b048a2e8	1	===================================================================
	2	RCS file: /tcpdump/master/tcpdump/print-bgp.c,v
	3	retrieving revision 1.91.2.11
	4	retrieving revision 1.91.2.12
	5	diff -u -r1.91.2.11 -r1.91.2.12
	6	--- tcpdump/print-bgp.c 2007/02/26 13:31:33 1.91.2.11
	7	+++ tcpdump/print-bgp.c 2007/07/14 22:26:35 1.91.2.12
b048a2e8	8	@@ -609,6 +609,26 @@
	9	return -2;
	10	}
	11
	12	+/*
	13	+ * As I remember, some versions of systems have an snprintf() that
	14	+ * returns -1 if the buffer would have overflowed. If the return
	15	+ * value is negative, set buflen to 0, to indicate that we've filled
	16	+ * the buffer up.
	17	+ *
	18	+ * If the return value is greater than buflen, that means that
	19	+ * the buffer would have overflowed; again, set buflen to 0 in
	20	+ * that case.
	21	+ */
	22	+#define UPDATE_BUF_BUFLEN(buf, buflen, strlen) \
	23	+ if (strlen<0) \
	24	+ buflen=0; \
	25	+ else if ((u_int)strlen>buflen) \
	26	+ buflen=0; \
	27	+ else { \
	28	+ buflen-=strlen; \
	29	+ buf+=strlen; \
	30	+ }
	31	+
	32	static int
	33	decode_labeled_vpn_l2(const u_char pptr, char buf, u_int buflen)
	34	{
	35	@@ -619,11 +639,13 @@
	36	tlen=plen;
	37	pptr+=2;
	38	TCHECK2(pptr[0],15);
	39	+ buf[0]='\0';
	40	strlen=snprintf(buf, buflen, "RD: %s, CE-ID: %u, Label-Block Offset: %u, Label Base %u",
	41	bgp_vpn_rd_print(pptr),
	42	EXTRACT_16BITS(pptr+8),
	43	EXTRACT_16BITS(pptr+10),
	44	EXTRACT_24BITS(pptr+12)>>4); /* the label is offsetted by 4 bits so lets shift it right */
	45	+ UPDATE_BUF_BUFLEN(buf, buflen, strlen);
	46	pptr+=15;
	47	tlen-=15;
	48
	49	@@ -639,23 +661,32 @@
	50
	51	switch(tlv_type) {
	52	case 1:
	53	- strlen+=snprintf(buf+strlen,buflen-strlen, "\n\t\tcircuit status vector (%u) length: %u: 0x",
	54	- tlv_type,
	55	- tlv_len);
	56	+ if (buflen!=0) {
	57	+ strlen=snprintf(buf,buflen, "\n\t\tcircuit status vector (%u) length: %u: 0x",
	58	+ tlv_type,
	59	+ tlv_len);
	60	+ UPDATE_BUF_BUFLEN(buf, buflen, strlen);
	61	+ }
	62	ttlv_len=ttlv_len/8+1; /* how many bytes do we need to read ? */
	63	while (ttlv_len>0) {
	64	TCHECK(pptr[0]);
	65	- strlen+=snprintf(buf+strlen,buflen-strlen, "%02x",*pptr++);
	66	+ if (buflen!=0) {
	67	+ strlen=snprintf(buf,buflen, "%02x",*pptr++);
	68	+ UPDATE_BUF_BUFLEN(buf, buflen, strlen);
	69	+ }
	70	ttlv_len--;
	71	}
72	break;
73	default:
74	- snprintf(buf+strlen,buflen-strlen, "\n\t\tunknown TLV #%u, length: %u",
75	- tlv_type,
76	- tlv_len);
77	+ if (buflen!=0) {
78	+ strlen=snprintf(buf,buflen, "\n\t\tunknown TLV #%u, length: %u",
79	+ tlv_type,
80	+ tlv_len);
81	+ UPDATE_BUF_BUFLEN(buf, buflen, strlen);
82	+ }
83	break;
84	}
85	- tlen-=(tlv_len<<3); /* the tlv-length is expressed in bits so lets shift it tright */
86	+ tlen-=(tlv_len<<3); /* the tlv-length is expressed in bits so lets shift it right */
87	}
88	return plen+2;
89