author: Guy Harris <guy@alum.mit.edu> 2017-03-21 21:49:45 -0700
committer: Denis Ovsienko <denis@ovsienko.info> 2017-09-13 12:25:44 +0100
commit: 4601c685e7fd19c3724d5e499c69b8d3ec49933e
tree: 4aa5d2c8b12aa0be5a83db8dffd541fce730e2bd /print-vtp.c
parent: 26a6799b9ca80508c05cac7a9a3bef922991520b
CVE-2017-13019: Clean up PGM option processing.

Add #defines for option lengths or the lengths of the fixed-length part of the option. Sometimes those #defines differ from what was there before; what was there before was wrong, probably because the option lengths given in RFC 3208 were sometimes wrong - some lengths included the length of the option header, some lengths didn't.

Don't use "sizeof(uintXX_t)" for sizes in the packet, just use the number of bytes directly.

For the options that include an IPv4 or IPv6 address, check the option length against the length of what precedes the address before fetching any of that data.

This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
Diffstat (limited to 'print-vtp.c')
0 files changed, 0 insertions, 0 deletions
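The length check described in the commit message, for an option that carries an IPv4 or IPv6 address, as an added example that is not tcpdump's code. The option layout, the `OPT_*` and `AFI_*` names and `parse_addr_option()` are assumptions made for illustration; the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed, simplified option layout (hypothetical, not tcpdump's definitions):
 *   type(1) len(1) reserved(2) afi(2) reserved(2) address(4 or 16)
 * len is assumed to count the whole option, header included. */
#define OPT_ADDR_FIXED_LEN 8   /* bytes that precede the address, as a plain number */
#define AFI_IPV4 1
#define AFI_IPV6 2

enum { OPT_OK = 0, OPT_TRUNCATED = -1, OPT_BAD_LEN = -2, OPT_BAD_AFI = -3 };

/* Parse one address-bearing option from buf[0..caplen).
 * addr must hold at least 16 bytes; *addr_len is set only on OPT_OK. */
int parse_addr_option(const uint8_t *buf, size_t caplen,
                      uint8_t *addr, size_t *addr_len)
{
    size_t opt_len, need;
    unsigned afi;

    if (caplen < 2)                    /* cannot even read type and len */
        return OPT_TRUNCATED;
    opt_len = buf[1];
    if (opt_len < OPT_ADDR_FIXED_LEN)  /* too short for the fixed part: */
        return OPT_BAD_LEN;            /* reject before fetching any of it */
    if (opt_len > caplen)              /* declared length runs past the capture */
        return OPT_TRUNCATED;

    afi = (unsigned)buf[4] << 8 | buf[5];
    switch (afi) {
    case AFI_IPV4: need = 4;  break;
    case AFI_IPV6: need = 16; break;
    default:       return OPT_BAD_AFI;
    }
    if (opt_len != OPT_ADDR_FIXED_LEN + need)  /* fixed part + address, exactly */
        return OPT_BAD_LEN;

    memcpy(addr, buf + OPT_ADDR_FIXED_LEN, need);
    *addr_len = need;
    return OPT_OK;
}

int main(void)
{
    /* Constructed sample: declares 12 bytes but only 10 were captured. */
    const uint8_t trunc[] = { 0x01, 12, 0, 0, 0, 1, 0, 0, 192, 0 };
    uint8_t addr[16];
    size_t n = 0;
    return parse_addr_option(trunc, sizeof trunc, addr, &n) == OPT_TRUNCATED ? 0 : 1;
}
```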