Fix -V to fail invalid input safely

This change fixes CVE-2018-14879.

get_next_file() did not check the return value of strlen() and
underflowed an array index if the line read by fgets() from the file
started with \0. This caused an out-of-bounds read and could cause a
write. Add the missing check.

This vulnerability was discovered by Brian Carpenter & Geeknik Labs.

Cherry picked from 9ba91381954ad325ea4fd26b9c65a8bd9a2a85b6
in 4.9 branch.

diff --git a/tcpdump.c b/tcpdump.c
index a9c2b7dcd930ed690416bfce0723352ee2c85c67..bf4f2ef5057e81167b98713817360e55ce819ca5 100644 (file)
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -854,13 +854,15 @@ static char *
 get_next_file(FILE *VFile, char *ptr)
 {
        char *ret;
 get_next_file(FILE *VFile, char *ptr)
 {
        char *ret;

+       size_t len;

 
        ret = fgets(ptr, PATH_MAX, VFile);
        if (!ret)
                return NULL;
 
 
        ret = fgets(ptr, PATH_MAX, VFile);
        if (!ret)
                return NULL;
 

-       if (ptr[strlen(ptr) - 1] == '\n')
-               ptr[strlen(ptr) - 1] = '\0';
+       len = strlen (ptr);
+       if (len > 0 && ptr[len - 1] == '\n')
+               ptr[len - 1] = '\0';

 
        return ret;
 }
 
        return ret;
 }