The Tcpdump Group git mirrors - tcpdump/commit
(for 4.9.3) CVE-2018-14468/FRF.16: Add a missing length check.
author: Denis Ovsienko
Fri, 1 Sep 2017 16:55:39 +0000 (17:55 +0100)
committer: Francois-Xavier Le Bail
Sun, 18 Aug 2019 18:35:51 +0000 (20:35 +0200)
commit: aa3e54f594385ce7e1e319b0c84999e51192578b
tree: e746cac6d890362063a1680404436b16e93a194b
parent: 05a303c84c1cb4880eef1a4430df357526c79000

The specification says in a well-formed Magic Number information element
the data is exactly 4 bytes long. In mfr_print() check this before trying
to read those 4 bytes.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
print-fr.c
tests/TESTLIST
tests/frf16_magic_ie-oobr.out [new file with mode: 0644]
tests/frf16_magic_ie-oobr.pcap [new file with mode: 0644]
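
The kind of check the commit message describes, as an added example (not the code from print-fr.c or from this commit): a walker over type/length/data information elements that refuses to read the Magic Number unless its data is exactly 4 bytes and lies inside the captured buffer. The IE layout (1-byte type, 1-byte length that counts the 2-byte header), the type code 3, and the names parse_magic, IE_HDR_LEN and IE_MAGIC_NUM are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IE_HDR_LEN   2  /* assumed: 1-byte type + 1-byte length (length counts the header) */
#define IE_MAGIC_NUM 3  /* assumed type code for the Magic Number IE */

/* Return codes for parse_magic(). */
enum { MAGIC_OK = 0, MAGIC_ABSENT = 1, MAGIC_BAD_LEN = -1, MAGIC_TRUNCATED = -2 };

/* Walk the IEs in buf[0..caplen) and extract the Magic Number.
 * Every read is preceded by a bounds check against caplen, and the
 * Magic Number data must be exactly 4 bytes before it is read. */
int parse_magic(const uint8_t *buf, size_t caplen, uint32_t *magic)
{
    size_t off = 0;

    while (off < caplen) {
        if (caplen - off < IE_HDR_LEN)
            return MAGIC_TRUNCATED;      /* the header itself is cut short */
        uint8_t type = buf[off];
        size_t ie_len = buf[off + 1];
        if (ie_len < IE_HDR_LEN)
            return MAGIC_BAD_LEN;        /* would underflow or never advance */
        size_t data_len = ie_len - IE_HDR_LEN;
        if (data_len > caplen - off - IE_HDR_LEN)
            return MAGIC_TRUNCATED;      /* IE claims more than was captured */
        const uint8_t *data = buf + off + IE_HDR_LEN;

        if (type == IE_MAGIC_NUM) {
            if (data_len != 4)
                return MAGIC_BAD_LEN;    /* length check before the 4-byte read */
            *magic = ((uint32_t)data[0] << 24) | ((uint32_t)data[1] << 16) |
                     ((uint32_t)data[2] << 8)  |  (uint32_t)data[3];
            return MAGIC_OK;
        }
        off += ie_len;                   /* skip IEs we do not decode */
    }
    return MAGIC_ABSENT;
}

int main(void)
{
    /* Constructed samples, not taken from the reporter's capture file. */
    const uint8_t good[]   = { 3, 6, 0xde, 0xad, 0xbe, 0xef };
    const uint8_t shorty[] = { 3, 3, 0xde };   /* Magic Number IE with 1 data byte */
    uint32_t m = 0;
    printf("good:  %d\n", parse_magic(good, sizeof good, &m));
    printf("short: %d\n", parse_magic(shorty, sizeof shorty, &m));
    return 0;
}
```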