CVE-2016-7975/Fix a bounds check.
authorGuy Harris <[email protected]>
Fri, 3 Jul 2015 19:37:37 +0000 (12:37 -0700)
committerFrancois-Xavier Le Bail <[email protected]>
Wed, 18 Jan 2017 08:16:35 +0000 (09:16 +0100)
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.

print-tcp.c
tests/TESTLIST
tests/heapoverflow-tcp_print.out [new file with mode: 0644]
tests/heapoverflow-tcp_print.pcap [new file with mode: 0644]

index 7a04a6ff70b1081a65b95d3ec4b77733fe5e0478..a1c1dde7575f715a1da0258d335874ba42172a4e 100644 (file)
@@ -609,7 +609,7 @@ tcp_print(netdissect_options *ndo,
                                 if (datalen)
                                         ND_PRINT((ndo, " 0x"));
                                 for (i = 0; i < datalen; ++i) {
-                                        LENCHECK(i);
+                                        LENCHECK(i + 1);
                                         ND_PRINT((ndo, "%02x", cp[i]));
                                 }
                                 break;
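Review bot: The corrected argument only works if LENCHECK(l) means "at least l bytes of option data remain", so that reading cp[i] needs l = i + 1; the macro body is outside this hunk and nothing at the loop records that count-versus-index relation, which is presumably how the original off-by-one slipped in. A one-line comment above the check would guard against the same regression, e.g. `/* cp[i] is the (i+1)-th byte: LENCHECK takes a byte count, not an index */`. Note also that the `" 0x"` prefix on the line above the loop is printed before any byte is bounds-checked, so a truncated option emits `0x` followed by whatever bytes were in range and then the truncation marker — consistent with the new expected output `0x3030303030303030[|tcp]` in tests/heapoverflow-tcp_print.out. tcp_print continues on both sides of this hunk.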
index 170b1df5e66fe7af4d2c9d7c2ae8559aade1b45a..3bab6bb9a013b180b1151c0f4b83c191c1d9961c 100644 (file)
@@ -376,3 +376,4 @@ heapoverflow-ppp_hdlc_if_print      heapoverflow-ppp_hdlc_if_print.pcap     heapoverflow-
 heapoverflow-sl_if_print       heapoverflow-sl_if_print.pcap   heapoverflow-sl_if_print.out    -t -v -n
 heapoverflow-ip_print_demux    heapoverflow-ip_print_demux.pcap        heapoverflow-ip_print_demux.out -t -v -n
 heapoverflow-in_checksum       heapoverflow-in_checksum.pcap   heapoverflow-in_checksum.out    -t -v -n
+heapoverflow-tcp_print heapoverflow-tcp_print.pcap     heapoverflow-tcp_print.out      -t -v -n
diff --git a/tests/heapoverflow-tcp_print.out b/tests/heapoverflow-tcp_print.out
new file mode 100644 (file)
index 0000000..9d31674
--- /dev/null
@@ -0,0 +1,2 @@
+IP (tos 0x30, ttl 48, id 12336, offset 0, flags [DF], proto TCP (6), length 12336, bad cksum 3030 (->29a8)!)
+    48.48.48.48.12336 > 48.48.48.48.12336: Flags [.U], seq 808464432:808476688, ack 808464432, win 12336, urg 12336, options [unknown-48 0x3030303030303030[|tcp]
diff --git a/tests/heapoverflow-tcp_print.pcap b/tests/heapoverflow-tcp_print.pcap
new file mode 100644 (file)
index 0000000..c8b43fd
Binary files /dev/null and b/tests/heapoverflow-tcp_print.pcap differ