SOURCES: tcpdump-CVE-2007-3798.patch (NEW) - fix http://secunia.co...
undefine
undefine at pld-linux.org
Thu Jul 19 21:28:57 CEST 2007
Author: undefine Date: Thu Jul 19 19:28:57 2007 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- fix http://secunia.com/advisories/26135/
---- Files affected:
SOURCES:
tcpdump-CVE-2007-3798.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/tcpdump-CVE-2007-3798.patch
diff -u /dev/null SOURCES/tcpdump-CVE-2007-3798.patch:1.1
--- /dev/null Thu Jul 19 21:28:57 2007
+++ SOURCES/tcpdump-CVE-2007-3798.patch Thu Jul 19 21:28:52 2007
@@ -0,0 +1,98 @@
+===================================================================
+RCS file: /tcpdump/master/tcpdump/print-bgp.c,v
+retrieving revision 1.91.2.11
+retrieving revision 1.91.2.12
+diff -u -r1.91.2.11 -r1.91.2.12
+--- tcpdump/print-bgp.c 2007/02/26 13:31:33 1.91.2.11
++++ tcpdump/print-bgp.c 2007/07/14 22:26:35 1.91.2.12
+@@ -36,7 +36,7 @@
+
+ #ifndef lint
+ static const char rcsid[] _U_ =
+- "@(#) $Header$";
++ "@(#) $Header$";
+ #endif
+
+ #include <tcpdump-stdinc.h>
+@@ -609,6 +609,26 @@
+ return -2;
+ }
+
++/*
++ * As I remember, some versions of systems have an snprintf() that
++ * returns -1 if the buffer would have overflowed. If the return
++ * value is negative, set buflen to 0, to indicate that we've filled
++ * the buffer up.
++ *
++ * If the return value is greater than buflen, that means that
++ * the buffer would have overflowed; again, set buflen to 0 in
++ * that case.
++ */
++#define UPDATE_BUF_BUFLEN(buf, buflen, strlen) \
++ if (strlen<0) \
++ buflen=0; \
++ else if ((u_int)strlen>buflen) \
++ buflen=0; \
++ else { \
++ buflen-=strlen; \
++ buf+=strlen; \
++ }
++
+ static int
+ decode_labeled_vpn_l2(const u_char *pptr, char *buf, u_int buflen)
+ {
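Review bot: `UPDATE_BUF_BUFLEN` expands to a bare `if` / `else if` / `else` chain, so a call placed in an unbraced `if ... else` would capture the caller's `else`; wrapping the body in `do { ... } while (0)` keeps it a single statement. The arguments are used unparenthesized, and the parameter reuses the name of the C library function `strlen`, so a name such as `len` would read more safely. The comment speaks of a return value greater than buflen, while snprintf() truncates whenever the return value is greater than or equal to the size; the equal case still leaves `buflen` at 0 here, which the comment could state. `decode_labeled_vpn_l2` continues outside this hunk.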
+@@ -619,11 +639,13 @@
+ tlen=plen;
+ pptr+=2;
+ TCHECK2(pptr[0],15);
++ buf[0]='\0';
+ strlen=snprintf(buf, buflen, "RD: %s, CE-ID: %u, Label-Block Offset: %u, Label Base %u",
+ bgp_vpn_rd_print(pptr),
+ EXTRACT_16BITS(pptr+8),
+ EXTRACT_16BITS(pptr+10),
+ EXTRACT_24BITS(pptr+12)>>4); /* the label is offsetted by 4 bits so lets shift it right */
++ UPDATE_BUF_BUFLEN(buf, buflen, strlen);
+ pptr+=15;
+ tlen-=15;
+
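Review bot: The added `buf[0]='\0';` stores one byte before any length check, so a call with `buflen` equal to 0 would write outside the buffer; `if (buflen!=0) buf[0]='\0';` would match the guards this patch uses further down. The callers are not visible here, so whether a zero length can actually reach this function is unconfirmed. The function begins before this hunk and continues after it.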
+@@ -639,23 +661,32 @@
+
+ switch(tlv_type) {
+ case 1:
+- strlen+=snprintf(buf+strlen,buflen-strlen, "\n\t\tcircuit status vector (%u) length: %u: 0x",
+- tlv_type,
+- tlv_len);
++ if (buflen!=0) {
++ strlen=snprintf(buf,buflen, "\n\t\tcircuit status vector (%u) length: %u: 0x",
++ tlv_type,
++ tlv_len);
++ UPDATE_BUF_BUFLEN(buf, buflen, strlen);
++ }
+ ttlv_len=ttlv_len/8+1; /* how many bytes do we need to read ? */
+ while (ttlv_len>0) {
+ TCHECK(pptr[0]);
+- strlen+=snprintf(buf+strlen,buflen-strlen, "%02x",*pptr++);
++ if (buflen!=0) {
++ strlen=snprintf(buf,buflen, "%02x",*pptr++);
++ UPDATE_BUF_BUFLEN(buf, buflen, strlen);
++ }
+ ttlv_len--;
+ }
+ break;
+ default:
+- snprintf(buf+strlen,buflen-strlen, "\n\t\tunknown TLV #%u, length: %u",
+- tlv_type,
+- tlv_len);
++ if (buflen!=0) {
++ strlen=snprintf(buf,buflen, "\n\t\tunknown TLV #%u, length: %u",
++ tlv_type,
++ tlv_len);
++ UPDATE_BUF_BUFLEN(buf, buflen, strlen);
++ }
+ break;
+ }
+- tlen-=(tlv_len<<3); /* the tlv-length is expressed in bits so lets shift it tright */
++ tlen-=(tlv_len<<3); /* the tlv-length is expressed in bits so lets shift it right */
+ }
+ return plen+2;
+
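Review bot: In the `case 1` loop the `*pptr++` now sits inside `if (buflen!=0)`, so once the output buffer is full `pptr` stops advancing while `ttlv_len` keeps counting down. `TCHECK(pptr[0])` then re-checks the same byte instead of the remaining ones, and if the enclosing loop reads the next TLV from `pptr`, parsing would resume at the wrong offset. Keeping the advance unconditional avoids this: `strlen=snprintf(buf,buflen, "%02x",*pptr);` inside the guard and `pptr++;` after it. The enclosing loop starts outside the hunk, so the effect on later TLVs is inferred rather than shown.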
================================================================