author | Guy Harris <guy@alum.mit.edu> | 2017-03-06 20:12:33 -0800 |
committer | Denis Ovsienko <denis@ovsienko.info> | 2017-09-13 12:25:44 +0100 |
commit | 877b66b398518d9501513e0860c9f3a8acc70892 (patch) | |
tree | fc55be4b67b639001705ad8442f10261ca605462 /print-beep.c | |
parent | db8c799f6dfc68765c9451fcbfca06e662f5bd5f (diff) | |
CVE-2017-13010/BEEP: Do bounds checking when comparing strings.
This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter.
Add a test using the capture file supplied by the reporter(s).
Diffstat (limited to 'print-beep.c')
-rw-r--r-- | print-beep.c | 26 |
1 files changed, 17 insertions, 9 deletions
diff --git a/print-beep.c b/print-beep.c
index ed502b96..64a162d7 100644
--- a/print-beep.c
+++ b/print-beep.c
@@ -28,9 +28,17 @@
 */
 static int
-l_strnstart(const char *tstr1, u_int tl1, const char *str2, u_int l2)
+l_strnstart(netdissect_options *ndo, const char *tstr1, u_int tl1,
+ const char *str2, u_int l2)
 {
-
+ if (!ND_TTEST2(*str2, tl1)) {
+ /*
+ * We don't have tl1 bytes worth of captured data
+ * for the string, so we can't check for this
+ * string.
+ */
+ return 0;
+ }
 if (tl1 > l2)
 return 0;
@@ -41,19 +49,19 @@ void
 beep_print(netdissect_options *ndo, const u_char *bp, u_int length)
 {
- if (l_strnstart("MSG", 4, (const char *)bp, length)) /* A REQuest */
+ if (l_strnstart(ndo, "MSG", 4, (const char *)bp, length)) /* A REQuest */
 ND_PRINT((ndo, " BEEP MSG"));
- else if (l_strnstart("RPY ", 4, (const char *)bp, length))
+ else if (l_strnstart(ndo, "RPY ", 4, (const char *)bp, length))
 ND_PRINT((ndo, " BEEP RPY"));
- else if (l_strnstart("ERR ", 4, (const char *)bp, length))
+ else if (l_strnstart(ndo, "ERR ", 4, (const char *)bp, length))
 ND_PRINT((ndo, " BEEP ERR"));
- else if (l_strnstart("ANS ", 4, (const char *)bp, length))
+ else if (l_strnstart(ndo, "ANS ", 4, (const char *)bp, length))
 ND_PRINT((ndo, " BEEP ANS"));
- else if (l_strnstart("NUL ", 4, (const char *)bp, length))
+ else if (l_strnstart(ndo, "NUL ", 4, (const char *)bp, length))
 ND_PRINT((ndo, " BEEP NUL"));
- else if (l_strnstart("SEQ ", 4, (const char *)bp, length))
+ else if (l_strnstart(ndo, "SEQ ", 4, (const char *)bp, length))
 ND_PRINT((ndo, " BEEP SEQ"));
- else if (l_strnstart("END", 4, (const char *)bp, length))
+ else if (l_strnstart(ndo, "END", 4, (const char *)bp, length))
 ND_PRINT((ndo, " BEEP END"));
 else
 ND_PRINT((ndo, " BEEP (payload or undecoded)"));
|
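Review bot: The new ND_TTEST2 guard in l_strnstart returns 0 for a capture shorter than tl1 bytes, the same value the function returns for a string that does not match, so beep_print now reports a truncated BEEP header as ` BEEP (payload or undecoded)` rather than as truncated. That is acceptable for a bounds fix, but the function's header comment, which sits above the hunk, should say so: `/* Returns 0 also when fewer than tl1 bytes were captured; callers cannot tell truncation from a mismatch. */`. A minor ordering point: the `tl1 > l2` test touches no packet memory and could precede the capture test, though either order is safe. The comparison itself (presumably strncmp, given the commit title) is below the hunk's last context line and is not visible here.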
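Review bot: On the new side of the beep_print hunk, `l_strnstart(ndo, "MSG", 4, ...)` and `l_strnstart(ndo, "END", 4, ...)` pass a length of 4 for three-character literals, whereas every other prefix is a four-character literal including its trailing space. If the comparison below the first hunk is strncmp, as the commit title suggests, the fourth compared byte is the literal's terminating NUL, so a packet whose fourth byte is a space or CR never matches and falls through to the undecoded branch. The added bounds check makes the 4-byte read safe, so this is a decoding gap rather than an over-read, and it predates this commit. If the intent is to match the keyword as written on the wire, `"MSG "` with length 4 (as for `"RPY "`) and `"END"` with length 3 would do it.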