The Tcpdump Group git mirrors - tcpdump/commit
(for 4.9.3) CVE-2018-16228/HNCP: make buffer access safer
author Denis Ovsienko <[email protected]>
Thu, 23 Aug 2018 22:32:07 +0000 (23:32 +0100)
committer Francois-Xavier Le Bail <[email protected]>
Tue, 27 Aug 2019 09:20:42 +0000 (11:20 +0200)
commit 83a412a5275cac973c5841eca3511c766bed778d
tree 232011ef1abf9de36b3c544363dc0cb5a72ae267
parent 13d52e9c0e7caf7e6325b0051bc90a49968be67f

print_prefix() has a buffer and does not initialize it. It may call
decode_prefix6(), which also does not initialize the buffer on invalid
input. When that happens, make sure to return from print_prefix() before
trying to print the [still uninitialized] buffer.

This fixes a buffer over-read discovered by Wang Junjie of 360 ESG
Codesafe Team.

Add a test using the capture file supplied by the reporter(s).
print-hncp.c
tests/TESTLIST
tests/hncp_prefix-oobr.out [new file with mode: 0644]
tests/hncp_prefix-oobr.pcapng [new file with mode: 0644]
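The bug pattern the commit message describes, as an added example that is not tcpdump's code: a caller with an uninitialized stack buffer, a decoder that leaves the buffer untouched on invalid input, and the early return that closes the over-read. All `demo_*` names, the one-byte-length prefix encoding and the sample bytes are assumptions made for this illustration; the real print_prefix() and decode_prefix6() differ.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical decoder (not tcpdump's): fills buf only on success and
 * returns bytes consumed; on invalid input returns -1, buf left untouched. */
int demo_decode_prefix(const uint8_t *p, size_t len, char *buf, size_t buflen)
{
    if (len < 1 || p[0] > 128) return -1;     /* invalid length in bits */
    size_t nbytes = (p[0] + 7u) / 8u, off = 0;
    if (len < 1 + nbytes || buflen < 2 * nbytes + 5) return -1;
    for (size_t i = 0; i < nbytes; i++)
        off += (size_t)snprintf(buf + off, buflen - off, "%02x", p[1 + i]);
    snprintf(buf + off, buflen - off, "/%u", (unsigned)p[0]);
    return (int)(1 + nbytes);
}

/* Before: buf is used without checking whether the decoder wrote to it. */
int demo_print_unsafe(const uint8_t *p, size_t len, char *out, size_t outlen)
{
    char buf[64];                             /* uninitialized stack memory */
    int used = demo_decode_prefix(p, len, buf, sizeof buf);
    snprintf(out, outlen, "%s", buf);         /* over-read when used < 0 */
    return used;
}

/* After: return before touching buf when decoding failed. */
int demo_print_safe(const uint8_t *p, size_t len, char *out, size_t outlen)
{
    char buf[64] = "";                        /* defence in depth */
    int used = demo_decode_prefix(p, len, buf, sizeof buf);
    if (used < 0) {
        snprintf(out, outlen, "[invalid prefix]");
        return used;
    }
    snprintf(out, outlen, "%s", buf);
    return used;
}

int main(void)
{
    const uint8_t good[] = { 16, 0x20, 0x01 };   /* constructed: /16 prefix */
    const uint8_t bad[]  = { 200, 0x20, 0x01 };  /* constructed: length > 128 */
    char out[80];
    int r = demo_print_safe(good, sizeof good, out, sizeof out);
    printf("%d %s\n", r, out);
    r = demo_print_safe(bad, sizeof bad, out, sizeof out);
    printf("%d %s\n", r, out);
    return 0;
}
```

`demo_print_unsafe()` is shown only for comparison and is never called; with the invalid input its `%s` would scan uninitialized stack bytes until it happened to find a NUL.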