Correct several denial-of-service vulnerabilities in tcpdump.

Security: FreeBSD-SA-05:10.tcpdump Security: CAN-2005-1267, CAN-2005-1278, CAN-2005-1279, CAN-2005-1280 Obtained from: tcpdump.org
svn path=/vendor/tcpdump/dist/; revision=147173
2005-06-09 15:42:58 +00:00 · 2005-06-09 15:42:58 +00:00 · cc157742d1 · 2020-12-20 02:59:44 +00:00
commit cc157742d1
parent d93a098204
3 changed files with 17 additions and 6 deletions
--- a/contrib/tcpdump/print-bgp.c
+++ b/contrib/tcpdump/print-bgp.c
@ -1798,9 +1798,10 @@ bgp_update_print(const u_char *dat, int length)
 		while (dat + length > p) {
 			char buf[MAXHOSTNAMELEN + 100];
 			i = decode_prefix4(p, buf, sizeof(buf));
-			if (i == -1)
+			if (i == -1) {
 				printf("\n\t    (illegal prefix length)");
-			else if (i == -2)
+				break;
+			} else if (i == -2)
 				goto trunc;
 			else {
 				printf("\n\t    %s", buf);
--- a/contrib/tcpdump/print-isoclns.c
+++ b/contrib/tcpdump/print-isoclns.c
@ -1905,6 +1905,9 @@ static int isis_print (const u_int8_t *p, u_int length)
               tlv_type,
               tlv_len);

+        if (tlv_len == 0) /* something is malformed */
+            break;
+
        /* now check if we have a decoder otherwise do a hexdump at the end*/
 	switch (tlv_type) {
 	case ISIS_TLV_AREA_ADDR:
@ -1935,7 +1938,7 @@ static int isis_print (const u_int8_t *p, u_int length)
 	    break;

        case ISIS_TLV_ISNEIGH_VARLEN:
-            if (!TTEST2(*tptr, 1))
+            if (!TTEST2(*tptr, 1) || tmp < 3) /* min. TLV length */
 		goto trunctlv;
 	    lan_alen = *tptr++; /* LAN adress length */
            tmp --;
--- a/contrib/tcpdump/print-rsvp.c
+++ b/contrib/tcpdump/print-rsvp.c
@ -558,7 +558,7 @@ rsvp_obj_print (const u_char *tptr, const char *ident, u_int tlen) {
        rsvp_obj_ctype=rsvp_obj_header->ctype;

        if(rsvp_obj_len % 4 || rsvp_obj_len < sizeof(struct rsvp_object_header)) {
-            printf("ERROR: object header too short %u < %lu", rsvp_obj_len,
+            printf("%sERROR: object header too short %u < %lu", ident, rsvp_obj_len,
                   (unsigned long)sizeof(const struct rsvp_object_header));
            return -1;
        }
@ -883,11 +883,18 @@ rsvp_obj_print (const u_char *tptr, const char *ident, u_int tlen) {
            switch(rsvp_obj_ctype) {
            case RSVP_CTYPE_IPV4:
                while(obj_tlen >= 4 ) {
-                    printf("%s  Subobject Type: %s",
+                    printf("%s  Subobject Type: %s, length %u",
                           ident,
                           tok2str(rsvp_obj_xro_values,
                                   "Unknown %u",
-                                   RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)));                
+                                   RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)),
+                           *(obj_tptr+1));                
+
+                    if (*(obj_tptr+1) == 0) { /* prevent infinite loops */
+                        printf("%s  ERROR: zero length ERO subtype",ident);
+                        break;
+                    }
+
                    switch(RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)) {
                    case RSVP_OBJ_XRO_IPV4:
                        printf(", %s, %s/%u, Flags: [%s]",