]> git.pld-linux.org Git - packages/tcpdump.git/blob - tcpdump-CAN-2005-1279_1280.patch
- TODO security
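--- a/tcpdump-3.8.3/print-bgp.c
+++ b/tcpdump-3.8.3/print-bgp.c
@@ -1216,6 +1216,8 @@
                             tptr = pptr + len;
                             break;
                        }
+                        if (advance < 0) /* infinite loop protection */
+                            break;
                        tptr += advance;
                }
                break;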
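Review bot: The new guard `if (advance < 0)` stops only on a negative return, so a decoder that reports zero bytes consumed would still leave `tptr` unchanged at `tptr += advance` and the enclosing loop would make no progress. The decoders and the loop condition are outside this hunk, so whether zero can be returned needs confirming. If it can, `if (advance <= 0)` is the safer bound, provided the branch that sets `tptr = pptr + len` is meant to end the walk anyway. The break is also silent; a short marker in the output would show that the attribute was cut short by a malformed length rather than ending cleanly.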
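--- a/tcpdump-3.8.3/print-isoclns.c
+++ b/tcpdump-3.8.3/print-isoclns.c
@@ -1250,11 +1250,11 @@
            break;
        case L1_CSNP:
        case L2_CSNP:
-           printf(", src-id %s", isis_print_id(header_csnp->source_id,SYSTEM_ID_LEN));
+           printf(", src-id %s", isis_print_id(header_csnp->source_id,NODE_ID_LEN));
            break;
        case L1_PSNP:
        case L2_PSNP:
-           printf(", src-id %s", isis_print_id(header_psnp->source_id,SYSTEM_ID_LEN));
+           printf(", src-id %s", isis_print_id(header_psnp->source_id,NODE_ID_LEN));
            break;
 
        }
@@ -1506,6 +1506,9 @@
                tlv_type,
                tlv_len);
 
+        if (tlv_len == 0) /* something is malformed */
+            break;
+
         /* now check if we have a decoder otherwise do a hexdump at the end*/
        switch (tlv_type) {
        case TLV_AREA_ADDR:
@@ -1536,7 +1539,7 @@
            break;
 
         case TLV_ISNEIGH_VARLEN:
-            if (!TTEST2(*tptr, 1))
+            if (!TTEST2(*tptr, 1) || tmp < 3) /* min. TLV length */
                goto trunctlv;
            lan_alen = *tptr++; /* LAN adress length */
             tmp --;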
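Review bot: In the TLV_ISNEIGH_VARLEN hunk, `lan_alen` is read straight from the packet on the line after the new `tmp < 3` check, and nothing visible rejects a value of zero. The rest of the case lies outside the hunk; if it walks the neighbour list in steps of `lan_alen`, a zero length would stall that walk in the same way as the zero-length cases this patch fixes elsewhere. A guard such as `if (lan_alen == 0) goto trunctlv;` directly after the read would close that. Separately, the `tlv_len == 0` check in the second hunk leaves the TLV loop with a bare `break` and prints nothing, so every TLV after a zero-length one goes undecoded with no sign in the output that the PDU was malformed.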
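--- a/tcpdump-3.8.3/print-ldp.c
+++ b/tcpdump-3.8.3/print-ldp.c
@@ -326,6 +326,9 @@
                EXTRACT_32BITS(&ldp_msg_header->id),
                LDP_MASK_U_BIT(EXTRACT_16BITS(&ldp_msg_header->type)) ? "continue processing" : "ignore");
 
+        if (msg_len == 0) /* infinite loop protection */
+            break;
+
         msg_tptr=tptr+sizeof(struct ldp_msg_header);
         msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4; /* Type & Length fields not included */
 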
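Review bot: The `msg_len == 0` guard does not cover small non-zero lengths: two lines later `msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4` goes below zero, or wraps if the arithmetic is unsigned, whenever `msg_len` is less than `sizeof(struct ldp_msg_header)-4`. The declarations of `msg_len` and `msg_tlen` are outside the hunk, so the exact effect depends on their types, but a lower bound closes both cases: `if (msg_len < sizeof(struct ldp_msg_header)-4) break;`. The guard also exits silently; printing that the message length is invalid would make the malformed PDU visible in the decode.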
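--- a/tcpdump-3.8.3/print-rsvp.c
+++ b/tcpdump-3.8.3/print-rsvp.c
@@ -875,10 +875,17 @@
             switch(rsvp_obj_ctype) {
             case RSVP_CTYPE_IPV4:
                 while(obj_tlen >= 4 ) {
-                    printf("\n\t    Subobject Type: %s",
+                    printf("\n\t    Subobject Type: %s, length %u",
                            tok2str(rsvp_obj_xro_values,
                                    "Unknown %u",
-                                   RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)));                
+                                   RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)),
+                           *(obj_tptr+1));                
+
+                    if (*(obj_tptr+1) == 0) { /* prevent infinite loops */
+                        printf("\n\t      ERROR: zero length ERO subtype");
+                        break;
+                    }
+
                     switch(RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)) {
                     case RSVP_OBJ_XRO_IPV4:
                         printf(", %s, %s/%u, Flags: [%s]",
@@ -921,8 +928,8 @@
                 if (obj_tlen < 8)
                     return;
                 printf("\n\t    Restart  Time: %ums, Recovery Time: %ums",
-                       EXTRACT_16BITS(obj_tptr),
-                       EXTRACT_16BITS(obj_tptr+4));
+                       EXTRACT_32BITS(obj_tptr),
+                       EXTRACT_32BITS(obj_tptr+4));
                 obj_tlen-=8;
                 obj_tptr+=8;
                 break;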
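Review bot: In the first hunk the subobject length byte `*(obj_tptr+1)` is rejected only when it is zero, while the loop condition `obj_tlen >= 4` is the only visible bound on what follows. A length of 1 to 3, or one larger than `obj_tlen`, still reaches the subobject switch. The code that consumes the length is outside the hunk, so the effect on `obj_tlen` and `obj_tptr` cannot be confirmed here, but the check could bound both ends, for example `if (*(obj_tptr+1) < 4 || *(obj_tptr+1) > obj_tlen) {`, with the minimum adjusted to whatever the subobject format requires. The error text says "ERO subtype" although the value decoded just above is a subobject from `rsvp_obj_xro_values`; "subobject" would match that line.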