48 lines
1.4 KiB
Diff
48 lines
1.4 KiB
Diff
|
Fix CVE-2017-11541
|
||
|
|
||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11541
|
||
|
|
||
|
Patch copied from upstream source repository:
|
||
|
|
||
|
https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280
|
||
|
|
||
|
From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001
|
||
|
From: Guy Harris <guy@alum.mit.edu>
|
||
|
Date: Tue, 7 Feb 2017 11:40:36 -0800
|
||
|
Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before
|
||
|
checking for a NUL terminator.
|
||
|
|
||
|
safeputs() doesn't do packet bounds checking of its own; it assumes that
|
||
|
the caller has checked the availability in the packet data of all maxlen
|
||
|
bytes of data. This means we should check that we're within the
|
||
|
specified limit before looking at the byte.
|
||
|
|
||
|
This fixes a buffer over-read discovered by Kamil Frankowicz.
|
||
|
|
||
|
Add a test using the capture file supplied by the reporter(s).
|
||
|
---
|
||
|
tests/TESTLIST | 1 +
|
||
|
tests/hoobr_safeputs.out | 2 ++
|
||
|
tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes
|
||
|
util-print.c | 2 +-
|
||
|
4 files changed, 4 insertions(+), 1 deletion(-)
|
||
|
create mode 100644 tests/hoobr_safeputs.out
|
||
|
create mode 100644 tests/hoobr_safeputs.pcap
|
||
|
|
||
|
diff --git a/util-print.c b/util-print.c
|
||
|
index 394e7d59..ec3e8de8 100644
|
||
|
--- a/util-print.c
|
||
|
+++ b/util-print.c
|
||
|
@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo,
|
||
|
{
|
||
|
u_int idx = 0;
|
||
|
|
||
|
- while (*s && idx < maxlen) {
|
||
|
+ while (idx < maxlen && *s) {
|
||
|
safeputchar(ndo, *s);
|
||
|
idx++;
|
||
|
s++;
|
||
|
--
|
||
|
2.14.1
|
||
|
|