This commit was manufactured by cvs2git to create branch 'AC-branch'.
1 ===================================================================
2 RCS file: /tcpdump/master/tcpdump/print-bgp.c,v
3 retrieving revision 1.91.2.11
4 retrieving revision 1.91.2.12
5 diff -u -r1.91.2.11 -r1.91.2.12
6 --- tcpdump/print-bgp.c 2007/02/26 13:31:33     1.91.2.11
7 +++ tcpdump/print-bgp.c 2007/07/14 22:26:35     1.91.2.12
8 @@ -609,6 +609,26 @@
9         return -2;
10  }
11  
12 +/*
13 + * As I remember, some versions of systems have an snprintf() that
14 + * returns -1 if the buffer would have overflowed.  If the return
15 + * value is negative, set buflen to 0, to indicate that we've filled
16 + * the buffer up.
17 + *
18 + * If the return value is greater than buflen, that means that
19 + * the buffer would have overflowed; again, set buflen to 0 in
20 + * that case.
21 + */
22 +#define UPDATE_BUF_BUFLEN(buf, buflen, strlen) \
23 +    if (strlen<0) \
24 +               buflen=0; \
25 +    else if ((u_int)strlen>buflen) \
26 +        buflen=0; \
27 +    else { \
28 +        buflen-=strlen; \
29 +       buf+=strlen; \
30 +    }
31 +
32  static int
33  decode_labeled_vpn_l2(const u_char *pptr, char *buf, u_int buflen)
34  {
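Review bot: UPDATE_BUF_BUFLEN expands to a bare `if`/`else if`/`else` chain with unparenthesized arguments, so a call placed in an unbraced `if`/`else` would capture the wrong `else`; wrapping the body in `do { ... } while (0)` removes that hazard. The comment also understates truncation: snprintf() has truncated whenever its return value is greater than or equal to buflen, not only greater. With `>` an exact-fit return still leaves buflen at 0, but it advances buf to one past the end; `>=` states the condition exactly and leaves buf in place. The macro parameter named `strlen` hides the libc function name in the macro text and reads better as `len`.

```c
/* ... unchanged: explanatory comment, with "greater than" read as "greater than or equal to" ... */
#define UPDATE_BUF_BUFLEN(buf, buflen, len) \
    do { \
        if ((len) < 0 || (u_int)(len) >= (buflen)) \
            (buflen) = 0; \
        else { \
            (buflen) -= (len); \
            (buf) += (len); \
        } \
    } while (0)
```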
35 @@ -619,11 +639,13 @@
36          tlen=plen;
37          pptr+=2;
38         TCHECK2(pptr[0],15);
39 +       buf[0]='\0';
40          strlen=snprintf(buf, buflen, "RD: %s, CE-ID: %u, Label-Block Offset: %u, Label Base %u",
41                          bgp_vpn_rd_print(pptr),
42                          EXTRACT_16BITS(pptr+8),
43                          EXTRACT_16BITS(pptr+10),
44                          EXTRACT_24BITS(pptr+12)>>4); /* the label is offsetted by 4 bits so lets shift it right */
45 +        UPDATE_BUF_BUFLEN(buf, buflen, strlen);
46          pptr+=15;
47          tlen-=15;
48  
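Review bot: `buf[0]='\0'` is stored after `TCHECK2(pptr[0],15)` and without looking at buflen, so a packet that fails the bounds check presumably leaves through the truncation path with buf still unterminated, and a zero buflen would make the store itself out of bounds. Whether any caller reads buf after a truncated return, or can pass a zero length, is not visible in this hunk and should be confirmed. Moving the store to the top of the function as `if (buflen!=0) buf[0]='\0';` covers both cases. The function body starts before this hunk and continues past it.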
49 @@ -639,23 +661,32 @@
50  
51              switch(tlv_type) {
52              case 1:
53 -                strlen+=snprintf(buf+strlen,buflen-strlen, "\n\t\tcircuit status vector (%u) length: %u: 0x",
54 -                                 tlv_type,
55 -                                 tlv_len);
56 +                if (buflen!=0) {
57 +                    strlen=snprintf(buf,buflen, "\n\t\tcircuit status vector (%u) length: %u: 0x",
58 +                                    tlv_type,
59 +                                    tlv_len);
60 +                    UPDATE_BUF_BUFLEN(buf, buflen, strlen);
61 +                }
62                  ttlv_len=ttlv_len/8+1; /* how many bytes do we need to read ? */
63                  while (ttlv_len>0) {
64                      TCHECK(pptr[0]);
65 -                    strlen+=snprintf(buf+strlen,buflen-strlen, "%02x",*pptr++);
66 +                    if (buflen!=0) {
67 +                        strlen=snprintf(buf,buflen, "%02x",*pptr++);
68 +                        UPDATE_BUF_BUFLEN(buf, buflen, strlen);
69 +                    }
70                      ttlv_len--;
71                  }
72                  break;
73              default:
74 -                snprintf(buf+strlen,buflen-strlen, "\n\t\tunknown TLV #%u, length: %u",
75 -                         tlv_type,
76 -                         tlv_len);
77 +                if (buflen!=0) {
78 +                    strlen=snprintf(buf,buflen, "\n\t\tunknown TLV #%u, length: %u",
79 +                                    tlv_type,
80 +                                    tlv_len);
81 +                    UPDATE_BUF_BUFLEN(buf, buflen, strlen);
82 +                }
83                  break;
84              }
85 -            tlen-=(tlv_len<<3); /* the tlv-length is expressed in bits so lets shift it tright */
86 +            tlen-=(tlv_len<<3); /* the tlv-length is expressed in bits so lets shift it right */
87          }
88          return plen+2;
89  
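Review bot: In the `case 1` loop the `*pptr++` now sits inside `if (buflen!=0)`, so once the output buffer is full pptr stops advancing while ttlv_len keeps counting down. From then on `TCHECK(pptr[0])` re-checks the same byte instead of the bytes the TLV claims to hold, and the parsing that follows (outside this hunk) would presumably continue from the wrong offset. Keeping the read pointer independent of the output state fixes this: use `strlen=snprintf(buf,buflen, "%02x",*pptr);` inside the guard and put `pptr++;` next to `ttlv_len--;`. The enclosing function and the outer loop begin outside this hunk.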