The Tcpdump Group git mirrors - tcpdump/commit
CVE-2017-5342/pass correct caplen value to ether_print()
author Denis Ovsienko <[email protected]>
Tue, 10 Jan 2017 14:12:14 +0000 (14:12 +0000)
committer Francois-Xavier Le Bail <[email protected]>
Wed, 18 Jan 2017 08:16:41 +0000 (09:16 +0100)
commit 0db4dcafe5ae38201d3869c96a96cb714d82ff35
tree 76b386608be938d6b041175122ec9778f8166d86
parent 409ffe94529df3d8bb8258bf99586f821756cb29
CVE-2017-5342/pass correct caplen value to ether_print()

In that function the "length" parameter means off-the-wire length, that
is, the length declared inside the outer header. The "caplen" parameter
means the number of bytes actually available in the captured packet.

gre_print_0() and the functions modelled after it passed the value of
"length" instead of the value of "caplen"; this could make ether_print()
access beyond the memory allocated for the captured packet. Brian
Carpenter had demonstrated this for the OTV case.

Fix the involved functions that call ether_print() to pass the correct
value and leave a comment to dismiss "caplen" later as its value can be
reliably derived from the other ether_print() parameters.
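The length/caplen confusion the commit message describes, as an added illustration that is not tcpdump's own code: ether_print_demo() and outer_print() below are simplified, hypothetical stand-ins for ether_print() and its gre_print_0()-style callers (the real functions take a netdissect_options pointer and do far more). The captures, the 4-byte outer header layout, the 0xAA guard pattern standing in for whatever memory follows the packet buffer, and the declared wire length of 100 are all constructed for the example. The pre-fix caller hands the declared "length" down as the bound, so the inner decoder believes 96 bytes are present when only 6 were captured and reads past the capture; the fixed caller passes "caplen" and the decoder reports truncation instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_HDRLEN 14

/* Simplified stand-in for ether_print() (hypothetical, not tcpdump's code).
 * "length" is the off-the-wire length declared by the outer header;
 * "caplen" is how many bytes of the packet were actually captured.
 * Returns the EtherType, or -1 when the captured data is too short. */
static int
ether_print_demo(const uint8_t *bp, unsigned length, unsigned caplen)
{
    (void)length;                       /* declared size: never a read bound */
    if (caplen < ETHER_HDRLEN)
        return -1;                      /* truncated: do not read past the capture */
    return (bp[12] << 8) | bp[13];      /* EtherType follows dst/src MAC */
}

/* Outer decoder in the style of the gre_print_0() callers: a constructed
 * 4-byte outer header, then the encapsulated Ethernet frame.  'pass_caplen'
 * selects the fixed behaviour (bound by caplen) or the pre-fix behaviour
 * (bound by the declared length). */
static int
outer_print(const uint8_t *bp, unsigned length, unsigned caplen, int pass_caplen)
{
    const unsigned outer_hdrlen = 4;
    if (caplen < outer_hdrlen || length < outer_hdrlen)
        return -1;
    bp     += outer_hdrlen;
    length -= outer_hdrlen;
    caplen -= outer_hdrlen;
    return ether_print_demo(bp, length, pass_caplen ? caplen : length);
}

int outer_print_fixed(const uint8_t *bp, unsigned length, unsigned caplen)
{
    return outer_print(bp, length, caplen, 1);
}

int outer_print_buggy(const uint8_t *bp, unsigned length, unsigned caplen)
{
    return outer_print(bp, length, caplen, 0);
}

#define WIRE_LEN     100   /* constructed: length declared by the outer header */
#define TRUNC_CAPLEN 10    /* constructed: the snaplen cut the capture after 10 bytes */

/* Constructed capture: outer header plus 6 bytes of the inner frame, then a
 * 0xAA guard standing in for memory beyond the packet buffer. */
static const uint8_t *
truncated_capture(void)
{
    static uint8_t buf[64];
    static const uint8_t head[TRUNC_CAPLEN] = {
        0x00, 0x00, 0x65, 0x58,             /* outer header, proto 0x6558 */
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55  /* 6 bytes of dst MAC, then cut */
    };
    memset(buf, 0xAA, sizeof buf);
    memcpy(buf, head, sizeof head);
    return buf;
}

#define FULL_LEN 18
/* Constructed capture of a complete outer header + Ethernet header. */
static const uint8_t full_capture[FULL_LEN] = {
    0x00, 0x00, 0x65, 0x58,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  /* dst MAC */
    0x00, 0x66, 0x77, 0x88, 0x99, 0xAA,  /* src MAC */
    0x08, 0x00                           /* EtherType IPv4 */
};

int main(void)
{
    const uint8_t *t = truncated_capture();
    printf("fixed, truncated: %d\n", outer_print_fixed(t, WIRE_LEN, TRUNC_CAPLEN));
    printf("buggy, truncated: 0x%04x (read from the guard, past the capture)\n",
           outer_print_buggy(t, WIRE_LEN, TRUNC_CAPLEN));
    printf("fixed, complete:  0x%04x\n", outer_print_fixed(full_capture, FULL_LEN, FULL_LEN));
    return 0;
}
```

The guard region keeps the demo itself inside allocated memory; in the real decoder the same arithmetic reads heap memory past the captured packet, which is what the otv-heapoverflow-2 test case in this commit exercises under a memory checker. Note that the fix only changes which value each caller passes down: the check inside the inner decoder was already correct, it was simply being given the wrong number.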
print-ether.c
print-geneve.c
print-gre.c
print-nsh.c
print-otv.c
print-vxlan-gpe.c
print-vxlan.c
tests/TESTLIST
tests/otv-heapoverflow-2.out [new file with mode: 0644]
tests/otv-heapoverflow-2.pcap [new file with mode: 0644]