diff options
author | Francois-Xavier Le Bail <devel.fx.lebail@orange.fr> | 2017-03-22 17:07:47 +0100 |
---|---|---|
committer | Denis Ovsienko <denis@ovsienko.info> | 2017-09-13 12:25:44 +0100 |
commit | 5338aac7b8b880b0c5e0c15e27dadc44c5559284 (patch) | |
tree | 628002c5e06b40533dcc8839c5e957960d6926aa /print-mobility.c | |
parent | 7d3aba9f06899d0128ef46e8a2fa143c6fad8f62 (diff) | |
download | tcpdump-5338aac7b8b880b0c5e0c15e27dadc44c5559284.tar.gz |
CVE-2017-13025/IPv6 mobility: Add a bounds check before fetching data
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't cause 'tcpdump: pcap_loop: truncated dump file'
Diffstat (limited to 'print-mobility.c')
-rw-r--r-- | print-mobility.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/print-mobility.c b/print-mobility.c index 21a0fbad..44c9a77f 100644 --- a/print-mobility.c +++ b/print-mobility.c @@ -159,6 +159,7 @@ mobility_opt_print(netdissect_options *ndo, ND_PRINT((ndo, "(altcoa: trunc)")); goto trunc; } + ND_TCHECK_128BITS(&bp[i+2]); ND_PRINT((ndo, "(alt-CoA: %s)", ip6addr_string(ndo, &bp[i+2]))); break; case IP6MOPT_NONCEID: |