diff options
| author | Jan Pavlinec <jan.pavlinec@nic.cz> | 2020-11-25 02:04:00 +0100 |
|---|---|---|
| committer | Petr Štetiar <ynezz@true.cz> | 2020-11-25 06:02:08 +0100 |
| commit | 6703abb7cae2eb524b2fb403aa4c71d71eb145ad (patch) | |
| tree | 248740ab04e139c75eef3036f3a80beb9a778e36 | |
| parent | b4698d87c8b39679b26a805b567b461341efd9ba (diff) | |
| download | upstream-6703abb7cae2eb524b2fb403aa4c71d71eb145ad.tar.gz upstream-6703abb7cae2eb524b2fb403aa4c71d71eb145ad.tar.bz2 upstream-6703abb7cae2eb524b2fb403aa4c71d71eb145ad.zip | |
tcpdump: patch CVE-2020-8037
This PR backports upstream fix for CVE-2020-8037. This fix is only
relevant for tcpdump package, tcpdump-mini is not affeted by this issue.
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
[added missing commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 5bb3cc749ee0d08d82acda3c084ff759f3829a91)
| -rw-r--r-- | package/network/utils/tcpdump/Makefile | 2 | ||||
| -rw-r--r-- | package/network/utils/tcpdump/patches/101-CVE-2020-8037.patch | 47 |
2 files changed, 48 insertions, 1 deletions
diff --git a/package/network/utils/tcpdump/Makefile b/package/network/utils/tcpdump/Makefile index 09b0b03766..3e4d9d2d73 100644 --- a/package/network/utils/tcpdump/Makefile +++ b/package/network/utils/tcpdump/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tcpdump PKG_VERSION:=4.9.3 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://www.us.tcpdump.org/release/ \ diff --git a/package/network/utils/tcpdump/patches/101-CVE-2020-8037.patch b/package/network/utils/tcpdump/patches/101-CVE-2020-8037.patch new file mode 100644 index 0000000000..281854777d --- /dev/null +++ b/package/network/utils/tcpdump/patches/101-CVE-2020-8037.patch @@ -0,0 +1,47 @@ +--- a/print-ppp.c ++++ b/print-ppp.c +@@ -1368,19 +1368,29 @@ trunc: + } + + #ifndef TCPDUMP_MINI ++/* ++ * Un-escape RFC 1662 PPP in HDLC-like framing, with octet escapes. ++ * The length argument is the on-the-wire length, not the captured ++ * length; we can only un-escape the captured part. ++ */ + static void + ppp_hdlc(netdissect_options *ndo, + const u_char *p, int length) + { ++ u_int caplen = ndo->ndo_snapend - p; + u_char *b, *t, c; + const u_char *s; +- int i, proto; ++ u_int i; ++ int proto; + const void *se; + ++ if (caplen == 0) ++ return; ++ + if (length <= 0) + return; + +- b = (u_char *)malloc(length); ++ b = (u_char *)malloc(caplen); + if (b == NULL) + return; + +@@ -1389,10 +1399,10 @@ ppp_hdlc(netdissect_options *ndo, + * Do this so that we dont overwrite the original packet + * contents. + */ +- for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) { ++ for (s = p, t = b, i = caplen; i != 0; i--) { + c = *s++; + if (c == 0x7d) { +- if (i <= 1 || !ND_TTEST(*s)) ++ if (i <= 1) + break; + i--; + c = *s++ ^ 0x20; |