CVE-2016-7936/Add a bounds check.
authorGuy Harris <[email protected]>
Sat, 4 Jul 2015 00:32:38 +0000 (17:32 -0700)
committerFrancois-Xavier Le Bail <[email protected]>
Wed, 18 Jan 2017 08:16:36 +0000 (09:16 +0100)
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.

print-udp.c
tests/TESTLIST
tests/udp-length-heapoverflow.out [new file with mode: 0644]
tests/udp-length-heapoverflow.pcap [new file with mode: 0644]

index 4b5cd7c25055e9a51826853487714c0bd3ba7da1..768f4bed3104dc454240ca947a75dde0b6329caf 100644 (file)
@@ -365,6 +365,11 @@ udp_print(netdissect_options *ndo, register const u_char *bp, u_int length,
        sport = EXTRACT_16BITS(&up->uh_sport);
        dport = EXTRACT_16BITS(&up->uh_dport);
 
+       if (!ND_TTEST(up->uh_ulen)) {
+               udpipaddr_print(ndo, ip, sport, dport);
+               ND_PRINT((ndo, "[|udp]"));
+               return;
+       }
        if (length < sizeof(struct udphdr)) {
                udpipaddr_print(ndo, ip, sport, dport);
                ND_PRINT((ndo, "truncated-udp %d", length));
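Review bot: The new ND_TTEST(up->uh_ulen) guard only establishes that the captured data extends through the length field; the uh_sum field that follows it in struct udphdr is still unchecked, so any later read of `up->uh_sum` in udp_print (checksum output, for instance) needs its own ND_TTEST — udp_print continues outside the hunk, so whether such a read exists cannot be confirmed here. A short why-comment above the check would also help, since nothing in the hunk says which access it protects: `/* uh_ulen is read below; bail out if it lies beyond the captured data. */`. The existing `length < sizeof(struct udphdr)` test on the next line appears to bound the length handed down from the IP layer rather than the capture length, so the two guards are complementary, not redundant, and that distinction is worth stating in the comment.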
index 6e4219e8cc2949ba2bf1d28931aa5e4339ded64d..0442e23013b2be2f502047ac2dae04ecf43c23fc 100644 (file)
@@ -388,3 +388,4 @@ atm-oam-heapoverflow        atm-oam-heapoverflow.pcap       atm-oam-heapoverflow.out        -t -v -n
 tcp_header_heapoverflow        tcp_header_heapoverflow.pcap    tcp_header_heapoverflow.out     -t -v -n
 ipcomp-heapoverflow    ipcomp-heapoverflow.pcap        ipcomp-heapoverflow.out -t -v -n
 llc-xid-heapoverflow   llc-xid-heapoverflow.pcap       llc-xid-heapoverflow.out        -t -v -n
+udp-length-heapoverflow        udp-length-heapoverflow.pcap    udp-length-heapoverflow.out     -t -v -n
diff --git a/tests/udp-length-heapoverflow.out b/tests/udp-length-heapoverflow.out
new file mode 100644 (file)
index 0000000..16dbdc9
--- /dev/null
@@ -0,0 +1,2 @@
+IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->699d)!)
+    48.48.48.48.12336 > 48.48.48.48.12336: [|udp]
diff --git a/tests/udp-length-heapoverflow.pcap b/tests/udp-length-heapoverflow.pcap
new file mode 100644 (file)
index 0000000..5d4be38
Binary files /dev/null and b/tests/udp-length-heapoverflow.pcap differ