diff options
| author | Denis Ovsienko <denis@ovsienko.info> | 2017-01-10 14:12:14 +0000 |
|---|---|---|
| committer | Francois-Xavier Le Bail <fx.lebail@yahoo.com> | 2017-01-18 09:16:41 +0100 |
| commit | 0db4dcafe5ae38201d3869c96a96cb714d82ff35 (patch) | |
| tree | 76b386608be938d6b041175122ec9778f8166d86 /print-geneve.c | |
| parent | 409ffe94529df3d8bb8258bf99586f821756cb29 (diff) | |
| download | tcpdump-0db4dcafe5ae38201d3869c96a96cb714d82ff35.tar.gz | |
CVE-2017-5342/pass correct caplen value to ether_print()
In that function the "length" parameter means off-the-wire length, that
is, the length declared inside the outer header. The "caplen" parameter
means the amount of bytes actually available in the captured packet.
gre_print_0() and the functions modelled after it passed the value of
"length" instead of the value of "caplen", this could make ether_print()
access beyond the memory allocated for the captured packet. Brian
Carpenter had demonstrated this for the OTV case.
Fix the involved functions that call ether_print() to pass the correct
value and leave a comment to dismiss "caplen" later as its value can be
reliably derived from the other ether_print() parameters.
Diffstat (limited to 'print-geneve.c')
| -rw-r--r-- | print-geneve.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/print-geneve.c b/print-geneve.c index f0319636..d1ed242f 100644 --- a/print-geneve.c +++ b/print-geneve.c @@ -225,7 +225,7 @@ geneve_print(netdissect_options *ndo, const u_char *bp, u_int len) if (ethertype_print(ndo, prot, bp, len, len, NULL, NULL) == 0) { if (prot == ETHERTYPE_TEB) - ether_print(ndo, bp, len, len, NULL, NULL); + ether_print(ndo, bp, len, ndo->ndo_snapend - bp, NULL, NULL); else ND_PRINT((ndo, "geneve-proto-0x%x", prot)); } |