]> The Tcpdump Group git mirrors - tcpdump/commitdiff
projects / tcpdump / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d750527)
(for 4.9.3) CVE-2018-14879/fix -V to fail invalid input safely
authorDenis Ovsienko <[email protected]>
Sun, 17 Jun 2018 21:15:19 +0000 (22:15 +0100)
committerFrancois-Xavier Le Bail <[email protected]>
Tue, 27 Aug 2019 09:20:42 +0000 (11:20 +0200)
get_next_file() did not check the return value of strlen() and
underflowed an array index if the line read by fgets() from the file
started with \0. This caused an out-of-bounds read and could cause a
write. Add the missing check.

This vulnerability was discovered by Brian Carpenter & Geeknik Labs.

tcpdump.c patch | blob | history

diff --git a/tcpdump.c b/tcpdump.c
index 128e41ed9c6db9eb50293b8f868e63d2ef89cfba..043bda1d7aca523ac17d555e5bcd1e09a676adfe 100644 (file)
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -699,13 +699,15 @@ static char *
 get_next_file(FILE *VFile, char *ptr)
 {
        char *ret;
 get_next_file(FILE *VFile, char *ptr)
 {
        char *ret;
+       size_t len;
 
        ret = fgets(ptr, PATH_MAX, VFile);
        if (!ret)
                return NULL;
 
 
        ret = fgets(ptr, PATH_MAX, VFile);
        if (!ret)
                return NULL;
 
-       if (ptr[strlen(ptr) - 1] == '\n')
-               ptr[strlen(ptr) - 1] = '\0';
+       len = strlen (ptr);
+       if (len > 0 && ptr[len - 1] == '\n')
+               ptr[len - 1] = '\0';
 
        return ret;
 }
 
        return ret;
 }
[mirror] the TCPdump network dissector