git: dc16f5fe1422 - stable/14 - tcpdump: cope with incorrect packet lengths
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 18 Apr 2024 13:37:05 UTC
The branch stable/14 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=dc16f5fe14226da84ea4e77b04d31efa5c5f6853 commit dc16f5fe14226da84ea4e77b04d31efa5c5f6853 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2024-04-01 09:42:14 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2024-04-18 13:35:52 +0000 tcpdump: cope with incorrect packet lengths It's possible for the capture buffer to be smaller than indicated by the header length. However, pfsync_print() only took the header length into account. As a result we could read outside of the buffer. Check that we have at least the expected amount of data before we start parsing. PR: 278034 MFC after: 2 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D44580 (cherry picked from commit 4848eb3af2a91b133c4b70cb9b71dd92ffec7f46) --- contrib/tcpdump/print-pfsync.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/tcpdump/print-pfsync.c b/contrib/tcpdump/print-pfsync.c index 5710e36ded6c..6bf9abaf3903 100644 --- a/contrib/tcpdump/print-pfsync.c +++ b/contrib/tcpdump/print-pfsync.c @@ -86,7 +86,7 @@ pfsync_ip_print(netdissect_options *ndo , const u_char *bp, u_int len) { struct pfsync_header *hdr = (struct pfsync_header *)bp; - if (len < PFSYNC_HDRLEN) + if (len < PFSYNC_HDRLEN || !ND_TTEST_LEN(bp, len)) ND_PRINT("[|pfsync]"); else pfsync_print(ndo, hdr, bp + sizeof(struct pfsync_header),