
rpms/tcpdump/devel tcpdump-3.8.2-bgp-dos.patch, NONE, 1.1 tcpdump-3.8.2-isis-dos.patch, NONE, 1.1 tcpdump-3.8.2-ldp-dos.patch, NONE, 1.1 tcpdump-3.8.2-rsvp-dos.patch, NONE, 1.1 tcpdump.spec, 1.34, 1.35



Author: stransky

Update of /cvs/dist/rpms/tcpdump/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv8010

Modified Files:
	tcpdump.spec 
Added Files:
	tcpdump-3.8.2-bgp-dos.patch tcpdump-3.8.2-isis-dos.patch 
	tcpdump-3.8.2-ldp-dos.patch tcpdump-3.8.2-rsvp-dos.patch 
Log Message:
fix for CAN-2005-1280 Multiple DoS issues in tcpdump, (CAN-2005-1279 CAN-2005-1278), #156041

tcpdump-3.8.2-bgp-dos.patch:
 print-bgp.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE tcpdump-3.8.2-bgp-dos.patch ---
--- tcpdump-3.8.2/print-bgp.c.old	2004-03-24 01:01:00.000000000 +0100
+++ tcpdump-3.8.2/print-bgp.c	2005-04-28 12:47:12.000000000 +0200
@@ -1089,7 +1089,7 @@
 			printf(", no SNPA");
                 }
 
-		while (len - (tptr - pptr) > 0) {
+		while ((tptr - pptr) > 0 &&  len - (tptr - pptr) > 0) {
 			switch (af) {
 			case AFNUM_INET:
                             switch (safi) {
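Review bot: The added `(tptr - pptr) > 0` test in the `while` condition ends the loop only once `tptr` is at or before `pptr`; it does not establish that each iteration moves `tptr` forward. The loop body is outside this hunk, so this is inferred, but if a prefix decoder there can report a zero or negative advance, the loop would keep re-reading the same or earlier bytes until the pointer has walked back to `pptr`. Rejecting a non-positive advance at the point where `tptr` is updated would bound the loop directly, e.g. `if (advance <= 0) break;` (variable name assumed). A short comment on the condition, such as `/* stop if tptr is no longer past the attribute start */`, would also record why the extra test is there.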

tcpdump-3.8.2-isis-dos.patch:
 print-isoclns.c |   14 ++++++++------
 1 files changed, 8 insertions(+), 6 deletions(-)

--- NEW FILE tcpdump-3.8.2-isis-dos.patch ---
--- tcpdump-3.8.2/print-isoclns.c.old	2005-04-28 12:58:28.000000000 +0200
+++ tcpdump-3.8.2/print-isoclns.c	2005-04-28 13:07:17.000000000 +0200
@@ -1748,12 +1748,14 @@
 	    lan_alen = *tptr++; /* LAN adress length */
             tmp --;
             printf("\n\t      LAN address length %u bytes ",lan_alen);
-	    while (tmp >= lan_alen) {
-                if (!TTEST2(*tptr, lan_alen))
-                    goto trunctlv;
-                printf("\n\t\tIS Neighbor: %s",isis_print_id(tptr,lan_alen));
-                tmp -= lan_alen;
-                tptr +=lan_alen;
+            if(lan_alen >= SYSTEM_ID_LEN) {
+	        while (tmp >= lan_alen) {
+                    if (!TTEST2(*tptr, lan_alen))
+                        goto trunctlv;
+                    printf("\n\t\tIS Neighbor: %s",isis_print_id(tptr,lan_alen));
+                    tmp -= lan_alen;
+                    tptr +=lan_alen;
+                }
             }
             break;
 
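Review bot: When `lan_alen` is below `SYSTEM_ID_LEN` the new `if` skips the neighbor list without printing anything, so a malformed TLV (including the zero length that kept `while (tmp >= lan_alen)` from making progress) looks the same in the output as an empty one. Printing a marker in an `else` branch, for example `printf("\n\t\tinvalid LAN address length %u", lan_alen);`, would keep the anomaly visible to whoever reads the decode. A comment stating why `SYSTEM_ID_LEN` is the lower bound would document the intent; presumably `isis_print_id` reads at least that many bytes, but its definition is not in the hunk. The enclosing `case` starts outside the hunk.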

tcpdump-3.8.2-ldp-dos.patch:
 print-ascii.c |    3 +++
 print-ldp.c   |   11 ++++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

--- NEW FILE tcpdump-3.8.2-ldp-dos.patch ---
--- tcpdump-3.8.2/tcpdump-3.8.2/print-ldp.c.t4	2003-11-16 10:36:27.000000000 +0100
+++ tcpdump-3.8.2/tcpdump-3.8.2/print-ldp.c	2005-04-28 14:17:15.000000000 +0200
@@ -327,7 +327,8 @@
                LDP_MASK_U_BIT(EXTRACT_16BITS(&ldp_msg_header->type)) ? "continue processing" : "ignore");
 
         msg_tptr=tptr+sizeof(struct ldp_msg_header);
-        msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4; /* Type & Length fields not included */
+       /* Type & Length fields not included */
+        msg_tlen = (msg_len >= (sizeof(struct ldp_msg_header) + 4)) ? (msg_len - sizeof(struct ldp_msg_header) + 4) : 0;
 
         /* did we capture enough for fully decoding the message ? */
         if (!TTEST2(*tptr, msg_len))
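Review bot: The guard and the arithmetic in the new `msg_tlen` assignment do not describe the same bound: `msg_len - sizeof(struct ldp_msg_header) + 4` only wraps when `msg_len + 4` is smaller than `sizeof(struct ldp_msg_header)`, but the condition requires `msg_len >= sizeof(struct ldp_msg_header) + 4`. Messages whose length falls between those two values now get `msg_tlen = 0`, so their TLVs are not decoded. If the intent is only to prevent the wrap-around, `msg_tlen = (msg_len + 4 >= sizeof(struct ldp_msg_header)) ? msg_len + 4 - sizeof(struct ldp_msg_header) : 0;` matches the expression it protects. The added comment line is also indented one column less than its neighbours.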
@@ -372,8 +373,12 @@
             print_unknown_data(tptr+sizeof(sizeof(struct ldp_msg_header)),"\n\t  ",
                                msg_len);
 
-        tptr+=msg_len;
-        tlen-=msg_len;
+        if(!msg_len)
+            break;
+        else {
+            tptr+=msg_len;
+            tlen-=msg_len;
+        }
     }
     return;
 trunc:
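Review bot: The new `if(!msg_len) break;` covers only a zero length; a `msg_len` larger than the remaining `tlen` still reaches `tlen-=msg_len`. The loop condition and the type of `tlen` are outside the hunk, so this is hedged: if `tlen` is unsigned, the subtraction wraps and the loop continues on a bogus remaining length. Checking both in one place, `if (msg_len == 0 || msg_len > tlen) break;`, closes that case and makes the `else` block unnecessary. Separately, the context line above passes `sizeof(sizeof(struct ldp_msg_header))` to `print_unknown_data`, which is the size of a `size_t` rather than of the header; that predates this patch but sits directly next to the change.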
--- tcpdump-3.8.2/tcpdump-3.8.2/print-ascii.c.t4	2003-12-29 12:05:10.000000000 +0100
+++ tcpdump-3.8.2/tcpdump-3.8.2/print-ascii.c	2005-04-28 14:05:42.000000000 +0200
@@ -142,6 +142,9 @@
 	register int nshorts;
 
 	nshorts = (u_int) length / sizeof(u_short);
+        if(!nshorts)
+          return;
+
 	i = 0;
 	while (--nshorts >= 0) {
 		if ((i++ % 8) == 0) {
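Review bot: The added `if(!nshorts) return;` does not change the loop shown, because `while (--nshorts >= 0)` already runs zero times when `nshorts` is 0, but it does skip everything that follows the loop. The rest of the function is outside the hunk; if it prints a trailing odd byte, a `length` of 1 now produces no output at all. A negative `length` is also still unhandled, since `(u_int) length` turns it into a very large count. If `length` is a signed int, as the cast suggests, `if (length <= 0) return;` before the division may be the check that is wanted here.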

tcpdump-3.8.2-rsvp-dos.patch:
 print-rsvp.c |    9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

--- NEW FILE tcpdump-3.8.2-rsvp-dos.patch ---
--- tcpdump-3.8.2/print-rsvp.c.old	2004-03-24 05:00:38.000000000 +0100
+++ tcpdump-3.8.2/print-rsvp.c	2005-04-27 17:09:34.000000000 +0200
@@ -872,6 +872,8 @@
 
         case RSVP_OBJ_RRO:
         case RSVP_OBJ_ERO:
+            {
+            int step;
             switch(rsvp_obj_ctype) {
             case RSVP_CTYPE_IPV4:
                 while(obj_tlen >= 4 ) {
@@ -889,15 +891,16 @@
                                    "none",
                                    *(obj_tptr+7))); /* rfc3209 says that this field is rsvd. */
                     }
-                    obj_tlen-=*(obj_tptr+1);
-                    obj_tptr+=*(obj_tptr+1);
+                    step = *(obj_tptr+1) ? *(obj_tptr+1) : obj_tlen;
+                    obj_tlen -= step;
+                    obj_tptr += step;
                 }
                 break;
             default:
                 hexdump=TRUE;
             }
             break;
-
+            }
         case RSVP_OBJ_HELLO:
             switch(rsvp_obj_ctype) {
             case RSVP_CTYPE_1:
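Review bot: `step` is taken from the subobject length byte without being compared against `obj_tlen` or against the number of bytes the loop body reads. The loop runs while `obj_tlen >= 4` and the body dereferences up to `*(obj_tptr+7)`, so a length byte of 1 to 7 moves the pointer into the middle of a subobject, and a value above `obj_tlen` drives `obj_tlen` negative (or wraps it, if it is unsigned; its declaration is outside the hunk). Substituting `obj_tlen` for a zero length does end the loop, but nothing in the output marks the object as malformed. Consider `if (step < 8 || step > obj_tlen) { hexdump=TRUE; break; }` before the subtraction, 8 being the size the visible reads imply. Declaring `step` inside the `while` body would also make the extra braces around the `case` unnecessary.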


Index: tcpdump.spec
===================================================================
RCS file: /cvs/dist/rpms/tcpdump/devel/tcpdump.spec,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- tcpdump.spec	7 Mar 2005 14:15:43 -0000	1.34
+++ tcpdump.spec	28 Apr 2005 12:47:23 -0000	1.35
@@ -2,7 +2,7 @@
 %define PCAP_UID 77
 %define PCAP_GID 77
 
-%define releaseno 11
+%define releaseno 12
 %define arpwatch_release %{releaseno}
 %define pcap_release %{releaseno}
 %define tcpdump_release %{releaseno}
@@ -42,6 +42,10 @@
 Patch16: tcpdump-3.8.1-sctp.patch
 Patch17: tcpdump-3.7.2-sctpdef.patch
 Patch18: tcpdump-3.8.2-gcc34.patch
+Patch19: tcpdump-3.8.2-rsvp-dos.patch
+Patch20: tcpdump-3.8.2-bgp-dos.patch
+Patch21: tcpdump-3.8.2-isis-dos.patch
+Patch22: tcpdump-3.8.2-ldp-dos.patch
 
 Patch34: arpwatch-2.1a4-fhs.patch
 Patch35: arpwatch-2.1a10-man.patch
@@ -131,6 +135,10 @@
 %patch16 -p1 -b .sctp
 %patch17 -p1 -b .sctpdef
 %patch18 -p1 -b .gcc34
+%patch19 -p1 -b .rsvp-dos
+%patch20 -p1 -b .bgp-dos
+%patch21 -p1 -b .isis-dos
+%patch22 -p2 -b .ldp-dos
 tar xzf %{SOURCE6}
 popd
 
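Review bot: `%patch22` is applied with `-p2` while patches 19 to 21 use `-p1`, because tcpdump-3.8.2-ldp-dos.patch was generated with a doubled `tcpdump-3.8.2/tcpdump-3.8.2/` path prefix and `.t4` backup names. Regenerating that patch with the same layout as the other three would let all four share `-p1`. Otherwise a comment next to the line, such as `# ldp-dos.patch carries an extra leading path component`, explains the difference to the next packager.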
@@ -309,6 +317,10 @@
 %{_vararpwatch}/massagevendor-old
 
 %changelog
+* Thu Apr 28 2005 Martin Stransky <stransky redhat com> - 14:3.8.2-12
+- fix for CAN-2005-1280 Multiple DoS issues in tcpdump 
+  (CAN-2005-1279 CAN-2005-1278), #156041
+
 * Mon Mar 7 2005 Martin Stransky <stransky redhat com>
 - rebuilt
 

