aboutsummaryrefslogtreecommitdiffstats
path: root/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch
blob: 919f2b009c5539763a05496029f0a7f5cf7f152d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
From c45443a0d3e16b92622bea6b589e5930e8f0d815 Mon Sep 17 00:00:00 2001
From: Peiran Hong <peiran.hong@windriver.com>
Date: Fri, 13 Sep 2019 17:02:57 -0400
Subject: [PATCH] CVE-2017-16808/AoE: Add a missing bounds check.

---
 netdissect.h | 12 ++++++++++++
 print-aoe.c  |  1 +
 2 files changed, 13 insertions(+)

diff --git a/netdissect.h b/netdissect.h
index 089b0406..cd05fdb9 100644
--- a/netdissect.h
+++ b/netdissect.h
@@ -69,6 +69,11 @@ typedef struct {
 typedef unsigned char nd_uint8_t;
 typedef signed char nd_int8_t;
 
+/*
+ * Use this for MAC addresses.
+ */
+#define MAC_ADDR_LEN    6               /* length of MAC addresses */
+
 /* snprintf et al */
 
 #include <stdarg.h>
@@ -309,12 +314,19 @@ struct netdissect_options {
 	((uintptr_t)ndo->ndo_snapend - (l) <= (uintptr_t)ndo->ndo_snapend && \
          (uintptr_t)&(var) <= (uintptr_t)ndo->ndo_snapend - (l)))
 
+#define ND_TTEST_LEN(p, l) \
+  (IS_NOT_NEGATIVE(l) && \
+        ((uintptr_t)ndo->ndo_snapend - (l) <= (uintptr_t)ndo->ndo_snapend && \
+         (uintptr_t)(p) <= (uintptr_t)ndo->ndo_snapend - (l)))
+
 /* True if "var" was captured */
 #define ND_TTEST(var) ND_TTEST2(var, sizeof(var))
 
 /* Bail if "l" bytes of "var" were not captured */
 #define ND_TCHECK2(var, l) if (!ND_TTEST2(var, l)) goto trunc
 
+#define ND_TCHECK_LEN(p, l) if (!ND_TTEST_LEN(p, l)) goto trunc
+
 /* Bail if "var" was not captured */
 #define ND_TCHECK(var) ND_TCHECK2(var, sizeof(var))
 
diff --git a/print-aoe.c b/print-aoe.c
index 97e93df2..ac097a04 100644
--- a/print-aoe.c
+++ b/print-aoe.c
@@ -325,6 +325,7 @@ aoev1_reserve_print(netdissect_options *ndo,
 		goto invalid;
 	/* addresses */
 	for (i = 0; i < nmacs; i++) {
+		ND_TCHECK_LEN(cp, MAC_ADDR_LEN);
 		ND_PRINT((ndo, "\n\tEthernet Address %u: %s", i, etheraddr_string(ndo, cp)));
 		cp += ETHER_ADDR_LEN;
 	}
-- 
2.21.0