git: dc16f5fe1422 - stable/14 - tcpdump: cope with incorrect packet lengths
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 18 Apr 2024 13:37:05 UTC
The branch stable/14 has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=dc16f5fe14226da84ea4e77b04d31efa5c5f6853
commit dc16f5fe14226da84ea4e77b04d31efa5c5f6853
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-04-01 09:42:14 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-04-18 13:35:52 +0000
tcpdump: cope with incorrect packet lengths
It's possible for the capture buffer to be smaller than indicated by the
header length. However, pfsync_print() only took the header length into
account. As a result we could read outside of the buffer.
Check that we have at least the expected amount of data before we start
parsing.
PR: 278034
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44580
(cherry picked from commit 4848eb3af2a91b133c4b70cb9b71dd92ffec7f46)
---
contrib/tcpdump/print-pfsync.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/tcpdump/print-pfsync.c b/contrib/tcpdump/print-pfsync.c
index 5710e36ded6c..6bf9abaf3903 100644
--- a/contrib/tcpdump/print-pfsync.c
+++ b/contrib/tcpdump/print-pfsync.c
@@ -86,7 +86,7 @@ pfsync_ip_print(netdissect_options *ndo , const u_char *bp, u_int len)
{
struct pfsync_header *hdr = (struct pfsync_header *)bp;
- if (len < PFSYNC_HDRLEN)
+ if (len < PFSYNC_HDRLEN || !ND_TTEST_LEN(bp, len))
ND_PRINT("[|pfsync]");
else
pfsync_print(ndo, hdr, bp + sizeof(struct pfsync_header),