authorDenis Ovsienko <denis@ovsienko.info>2018-06-17 22:15:19 +0100
committerFrancois-Xavier Le Bail <devel.fx.lebail@orange.fr>2019-10-27 21:00:52 +0100
commit7ade781cf7ea6f067a2cab0406c8309fd3339eb4 (patch)
treec0c5cca8f8fe6a12105dab3d2f81dfb61e02d86c /tcpdump.c
parentb374c49a582318ce0653494f6344911d4dcacb0f (diff)
Fix -V to fail invalid input safely
This change fixes CVE-2018-14879. get_next_file() did not check the return value of strlen() and underflowed an array index if the line read by fgets() from the file started with \0. This caused an out-of-bounds read and could cause a write. Add the missing check. This vulnerability was discovered by Brian Carpenter & Geeknik Labs. Cherry picked from 9ba91381954ad325ea4fd26b9c65a8bd9a2a85b6 in 4.9 branch.
Diffstat (limited to 'tcpdump.c')
-rw-r--r--tcpdump.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/tcpdump.c b/tcpdump.c
index a9c2b7dc..bf4f2ef5 100644
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -854,13 +854,15 @@ static char *
get_next_file(FILE *VFile, char *ptr)
{
char *ret;
+ size_t len;
ret = fgets(ptr, PATH_MAX, VFile);
if (!ret)
return NULL;
- if (ptr[strlen(ptr) - 1] == '\n')
- ptr[strlen(ptr) - 1] = '\0';
+ len = strlen (ptr);
+ if (len > 0 && ptr[len - 1] == '\n')
+ ptr[len - 1] = '\0';
return ret;
}
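Review bot: An over-long line in the -V file is still accepted silently: when a line has PATH_MAX - 1 or more bytes, fgets() fills the buffer without a trailing newline, the new `len > 0 && ptr[len - 1] == '\n'` test does not fire, and the rest of the line comes back as a separate file name on the next call. Consider checking for that right after the strlen() call, e.g. `if (len == PATH_MAX - 1 && ptr[len - 1] != '\n')`, and reporting the entry instead of returning a truncated path; a final line of exactly that length at end of file would need feof() to tell apart, and how the caller should react is outside this hunk. The guard would also benefit from a short comment such as `/* fgets() can return a buffer whose first byte is NUL, so len may be 0 */`, since the reason for `len > 0` is not obvious from the code alone. The function additionally relies on ptr pointing at a buffer of at least PATH_MAX bytes, which cannot be confirmed from the lines shown.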