Репозитории ALT
S: | 4.99.4-alt1 |
5.1: | 3.9.8-alt1 |
4.1: | 3.9.7-alt1 |
4.0: | 3.9.7-alt1 |
+updates: | 3.9.7-alt1 |
3.0: | 3.8.2-alt3 |
Группа :: Мониторинг
Пакет: tcpdump
Главная Изменения Спек Патчи Sources Загрузить Gear Bugs and FR Repocop
Патч: tcpdump-3.8.2-cvs-20050427-fixes.patch
Скачать
Скачать
## DP: Security fixes from upstream CVS.
--- tcpdump-3.8.3/print-bgp.c 2004-03-24 01:04:04 +0100
+++ tcpdump-3.8.3/print-bgp.c 2005-04-27 21:07:21 +0200
@@ -1216,6 +1216,8 @@
tptr = pptr + len;
break;
}
+ if (advance < 0) /* infinite loop protection */
+ break;
tptr += advance;
}
break;
--- tcpdump-3.8.3/print-isoclns.c 2004-03-24 02:45:26 +0100
+++ tcpdump-3.8.3/print-isoclns.c 2005-04-27 21:07:21 +0200
@@ -1250,11 +1250,11 @@
break;
case ISIS_PDU_L1_CSNP:
case ISIS_PDU_L2_CSNP:
- printf(", src-id %s", isis_print_id(header_csnp->source_id,SYSTEM_ID_LEN));
+ printf(", src-id %s", isis_print_id(header_csnp->source_id,NODE_ID_LEN));
break;
case ISIS_PDU_L1_PSNP:
case ISIS_PDU_L2_PSNP:
- printf(", src-id %s", isis_print_id(header_psnp->source_id,SYSTEM_ID_LEN));
+ printf(", src-id %s", isis_print_id(header_psnp->source_id,NODE_ID_LEN));
break;
}
@@ -1506,6 +1506,9 @@
tlv_type,
tlv_len);
+ if (tlv_len == 0) /* something is malformed */
+ break;
+
/* now check if we have a decoder otherwise do a hexdump at the end*/
switch (tlv_type) {
case TLV_AREA_ADDR:
@@ -1536,7 +1539,7 @@
break;
case ISIS_TLV_ISNEIGH_VARLEN:
- if (!TTEST2(*tptr, 1))
+ if (!TTEST2(*tptr, 1) || tmp < 3) /* min. TLV length */
goto trunctlv;
lan_alen = *tptr++; /* LAN adress length */
tmp --;
--- tcpdump-3.8.3/print-ldp.c 2003-11-16 09:51:31 +0100
+++ tcpdump-3.8.3/print-ldp.c 2005-04-27 21:07:21 +0200
@@ -326,6 +326,9 @@
EXTRACT_32BITS(&ldp_msg_header->id),
LDP_MASK_U_BIT(EXTRACT_16BITS(&ldp_msg_header->type)) ? "continue processing" : "ignore");
+ if (msg_len == 0) /* infinite loop protection */
+ break;
+
msg_tptr=tptr+sizeof(struct ldp_msg_header);
msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4; /* Type & Length fields not included */
--- tcpdump-3.8.3/print-rsvp.c 2004-03-24 05:01:08 +0100
+++ tcpdump-3.8.3/print-rsvp.c 2005-04-27 21:07:21 +0200
@@ -875,10 +875,17 @@
switch(rsvp_obj_ctype) {
case RSVP_CTYPE_IPV4:
while(obj_tlen >= 4 ) {
- printf("\n\t Subobject Type: %s",
+ printf("\n\t Subobject Type: %s, length %u",
tok2str(rsvp_obj_xro_values,
"Unknown %u",
- RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)));
+ RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)),
+ *(obj_tptr+1));
+
+ if (*(obj_tptr+1) == 0) { /* prevent infinite loops */
+ printf("\n\t ERROR: zero length ERO subtype");
+ break;
+ }
+
switch(RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)) {
case RSVP_OBJ_XRO_IPV4:
printf(", %s, %s/%u, Flags: [%s]",
@@ -921,8 +928,8 @@
if (obj_tlen < 8)
return;
printf("\n\t Restart Time: %ums, Recovery Time: %ums",
- EXTRACT_16BITS(obj_tptr),
- EXTRACT_16BITS(obj_tptr+4));
+ EXTRACT_32BITS(obj_tptr),
+ EXTRACT_32BITS(obj_tptr+4));
obj_tlen-=8;
obj_tptr+=8;
break;