diff options
| author | Denis Ovsienko <denis@ovsienko.info> | 2017-01-10 14:12:14 +0000 |
|---|---|---|
| committer | Francois-Xavier Le Bail <fx.lebail@yahoo.com> | 2017-01-18 09:16:41 +0100 |
| commit | 0db4dcafe5ae38201d3869c96a96cb714d82ff35 (patch) | |
| tree | 76b386608be938d6b041175122ec9778f8166d86 /print-nsh.c | |
| parent | 409ffe94529df3d8bb8258bf99586f821756cb29 (diff) | |
| download | tcpdump-0db4dcafe5ae38201d3869c96a96cb714d82ff35.tar.gz | |
CVE-2017-5342/pass correct caplen value to ether_print()
In that function the "length" parameter means off-the-wire length, that
is, the length declared inside the outer header. The "caplen" parameter
means the amount of bytes actually available in the captured packet.
gre_print_0() and the functions modelled after it passed the value of
"length" instead of the value of "caplen", this could make ether_print()
access beyond the memory allocated for the captured packet. Brian
Carpenter had demonstrated this for the OTV case.
Fix the involved functions that call ether_print() to pass the correct
value and leave a comment to dismiss "caplen" later as its value can be
reliably derived from the other ether_print() parameters.
Diffstat (limited to 'print-nsh.c')
| -rw-r--r-- | print-nsh.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/print-nsh.c b/print-nsh.c index 82976a03..abd722d4 100644 --- a/print-nsh.c +++ b/print-nsh.c @@ -170,7 +170,7 @@ nsh_print(netdissect_options *ndo, const u_char *bp, u_int len) ip6_print(ndo, bp, next_len); break; case 0x3: - ether_print(ndo, bp, next_len, next_len, NULL, NULL); + ether_print(ndo, bp, next_len, ndo->ndo_snapend - bp, NULL, NULL); break; default: ND_PRINT((ndo, "ERROR: unknown-next-protocol")); |