git: bf0700716a2e - stable/13 - tcpdump: cope with incorrect packet lengths

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Thu, 18 Apr 2024 13:37:17 UTC
The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=bf0700716a2e04464311e0b585b947d7d3e825b9

commit bf0700716a2e04464311e0b585b947d7d3e825b9
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-04-01 09:42:14 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-04-18 07:41:28 +0000

    tcpdump: cope with incorrect packet lengths
    
    It's possible for the capture buffer to be smaller than indicated by the
    header length. However, pfsync_print() only took the header length into
    account. As a result we could read outside of the buffer.
    
    Check that we have at least the expected amount of data before we start
    parsing.
    
    PR:             278034
    MFC after:      2 weeks
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D44580
    
    (cherry picked from commit 4848eb3af2a91b133c4b70cb9b71dd92ffec7f46)
---
 contrib/tcpdump/print-pfsync.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/tcpdump/print-pfsync.c b/contrib/tcpdump/print-pfsync.c
index dc1cd039f5b0..cb1c3f3828fa 100644
--- a/contrib/tcpdump/print-pfsync.c
+++ b/contrib/tcpdump/print-pfsync.c
@@ -86,7 +86,7 @@ pfsync_ip_print(netdissect_options *ndo , const u_char *bp, u_int len)
 {
 	struct pfsync_header *hdr = (struct pfsync_header *)bp;
 
-	if (len < PFSYNC_HDRLEN)
+	if (len < PFSYNC_HDRLEN || !ND_TTEST_LEN(bp, len))
 		ND_PRINT((ndo, "[|pfsync]"));
 	else
 		pfsync_print(ndo, hdr, bp + sizeof(struct pfsync_header),
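
Review bot: the added `!ND_TTEST_LEN(bp, len)` condition in pfsync_ip_print() requires the entire declared length to be present in the capture buffer, so a packet cut short by the snapshot length now prints only "[|pfsync]" even when the full pfsync header was captured. Consider testing for PFSYNC_HDRLEN bytes at this point and bounding each later read inside pfsync_print() against the captured data, so the header and any complete records are still decoded. The commit message places the out-of-bounds read in pfsync_print(), but the guard sits in this one caller; if pfsync_print() is reachable from any other caller, that path needs the same check, or the check belongs in pfsync_print() itself. A one-line comment above the condition noting that len can exceed the captured bytes would make the intent clear.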