diff options
author | simon <simon@FreeBSD.org> | 2005-06-20 16:12:35 +0800 |
---|---|---|
committer | simon <simon@FreeBSD.org> | 2005-06-20 16:12:35 +0800 |
commit | c3225ebac48bebaa9747a87f9c05b99287972bd2 (patch) | |
tree | 7ae22e11f92e0076af68cb267a668269016b8176 | |
parent | 6e068bb85ba8b2262b54d7af2650f6d4b7a6a75c (diff) | |
download | freebsd-ports-gnome-c3225ebac48bebaa9747a87f9c05b99287972bd2.tar.gz freebsd-ports-gnome-c3225ebac48bebaa9747a87f9c05b99287972bd2.tar.zst freebsd-ports-gnome-c3225ebac48bebaa9747a87f9c05b99287972bd2.zip |
Fix infinite loop DoS vulnerabilities.
Security: FreeBSD-SA-05:10.tcpdump
Security: http://vuxml.FreeBSD.org/9fae0f1f-df82-11d9-b875-0001020eed82.html
Security: CAN-2005-1267, CAN-2005-1278, CAN-2005-1279, CAN-2005-1280
Approved by: bms (maintainer)
-rw-r--r-- | net/tcpdump/Makefile | 2 | ||||
-rw-r--r-- | net/tcpdump/files/patch-infinite-loop-dos | 99 |
2 files changed, 100 insertions, 1 deletions
diff --git a/net/tcpdump/Makefile b/net/tcpdump/Makefile index bc4b2dee40b9..23823ad0f7e5 100644 --- a/net/tcpdump/Makefile +++ b/net/tcpdump/Makefile @@ -7,7 +7,7 @@ PORTNAME= tcpdump PORTVERSION= 3.8.3 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= net MASTER_SITES= http://www.tcpdump.org/release/ DISTNAME= ${PORTNAME}-${PORTVERSION} diff --git a/net/tcpdump/files/patch-infinite-loop-dos b/net/tcpdump/files/patch-infinite-loop-dos new file mode 100644 index 000000000000..ad0372cdcd8e --- /dev/null +++ b/net/tcpdump/files/patch-infinite-loop-dos @@ -0,0 +1,99 @@ +Index: print-bgp.c +=================================================================== +RCS file: /home/ncvs/src/print-bgp.c,v +retrieving revision 1.1.1.5 +diff -u -d -r1.1.1.5 print-bgp.c +--- print-bgp.c 31 Mar 2004 09:16:43 -0000 1.1.1.5 ++++ print-bgp.c 30 May 2005 21:03:44 -0000 +@@ -1216,6 +1216,8 @@ + tptr = pptr + len; + break; + } ++ if (advance < 0) /* infinite loop protection */ ++ break; + tptr += advance; + } + break; +@@ -1646,9 +1648,10 @@ + while (dat + length > p) { + char buf[MAXHOSTNAMELEN + 100]; + i = decode_prefix4(p, buf, sizeof(buf)); +- if (i == -1) ++ if (i == -1) { + printf("\n\t (illegal prefix length)"); +- else if (i == -2) ++ break; ++ } else if (i == -2) + goto trunc; + else { + printf("\n\t %s", buf); +Index: print-isoclns.c +=================================================================== +RCS file: /home/ncvs/src/print-isoclns.c,v +retrieving revision 1.12 +diff -u -d -r1.12 print-isoclns.c +--- print-isoclns.c 31 Mar 2004 14:57:24 -0000 1.12 ++++ print-isoclns.c 22 May 2005 21:49:06 -0000 +@@ -1508,6 +1508,9 @@ + tlv_type, + tlv_len); + ++ if (tlv_len == 0) /* something is malformed */ ++ break; ++ + /* now check if we have a decoder otherwise do a hexdump at the end*/ + switch (tlv_type) { + case TLV_AREA_ADDR: +@@ -1538,7 +1541,7 @@ + break; + + case TLV_ISNEIGH_VARLEN: +- if (!TTEST2(*tptr, 1)) ++ if (!TTEST2(*tptr, 1) || tmp < 3) /* min. TLV length */ + goto trunctlv; + lan_alen = *tptr++; /* LAN adress length */ + tmp --; +Index: print-ldp.c +=================================================================== +RCS file: /home/ncvs/src/print-ldp.c,v +retrieving revision 1.1.1.1 +diff -u -d -r1.1.1.1 print-ldp.c +--- print-ldp.c 31 Mar 2004 09:16:56 -0000 1.1.1.1 ++++ print-ldp.c 30 May 2005 21:11:28 -0000 +@@ -326,6 +326,9 @@ + EXTRACT_32BITS(&ldp_msg_header->id), + LDP_MASK_U_BIT(EXTRACT_16BITS(&ldp_msg_header->type)) ? "continue processing" : "ignore"); + ++ if (msg_len == 0) /* infinite loop protection */ ++ break; ++ + msg_tptr=tptr+sizeof(struct ldp_msg_header); + msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4; /* Type & Length fields not included */ + +Index: print-rsvp.c +=================================================================== +RCS file: /home/ncvs/src/print-rsvp.c,v +retrieving revision 1.1.1.1 +diff -u -d -r1.1.1.1 print-rsvp.c +--- print-rsvp.c 31 Mar 2004 09:17:07 -0000 1.1.1.1 ++++ print-rsvp.c 21 May 2005 20:13:29 -0000 +@@ -875,10 +875,17 @@ + switch(rsvp_obj_ctype) { + case RSVP_CTYPE_IPV4: + while(obj_tlen >= 4 ) { +- printf("\n\t Subobject Type: %s", ++ printf("\n\t Subobject Type: %s, length %u", + tok2str(rsvp_obj_xro_values, + "Unknown %u", +- RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr))); ++ RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)), ++ *(obj_tptr+1)); ++ ++ if (*(obj_tptr+1) == 0) { /* prevent infinite loops */ ++ printf("\n\t ERROR: zero length ERO subtype"); ++ break; ++ } ++ + switch(RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)) { + case RSVP_OBJ_XRO_IPV4: + printf(", %s, %s/%u, Flags: [%s]", |