diff options
author | Denis Ovsienko <denis@ovsienko.info> | 2017-01-10 14:12:14 +0000 |
---|---|---|
committer | Francois-Xavier Le Bail <fx.lebail@yahoo.com> | 2017-01-18 09:16:41 +0100 |
commit | 0db4dcafe5ae38201d3869c96a96cb714d82ff35 (patch) | |
tree | 76b386608be938d6b041175122ec9778f8166d86 /print-fr.c | |
parent | 409ffe94529df3d8bb8258bf99586f821756cb29 (diff) | |
download | tcpdump-0db4dcafe5ae38201d3869c96a96cb714d82ff35.tar.gz |
CVE-2017-5342/pass correct caplen value to ether_print()
In that function the "length" parameter means off-the-wire length, that
is, the length declared inside the outer header. The "caplen" parameter
means the amount of bytes actually available in the captured packet.
gre_print_0() and the functions modelled after it passed the value of
"length" instead of the value of "caplen", this could make ether_print()
access beyond the memory allocated for the captured packet. Brian
Carpenter had demonstrated this for the OTV case.
Fix the involved functions that call ether_print() to pass the correct
value and leave a comment to dismiss "caplen" later as its value can be
reliably derived from the other ether_print() parameters.
Diffstat (limited to 'print-fr.c')
0 files changed, 0 insertions, 0 deletions