diff options
| author | Peter Valchev <pvalchev@cvs.openbsd.org> | 2002-07-12 23:18:13 +0000 |
|---|---|---|
| committer | Peter Valchev <pvalchev@cvs.openbsd.org> | 2002-07-12 23:18:13 +0000 |
| commit | 68239f4de95f30fdf3196a2e421b243a870ebd5e (patch) | |
| tree | c61a6f39054415030231fa9ae695aa2994498c7e | |
| parent | 6f32bcf8110f2d1838463813f3eba9c10a01389a (diff) | |
In TTEST2(), check to make sure the "l" argument isn't so large that
"snapend - l" underflows; this fixes a buffer overflow with malformed
NFS packets, and may fix other buffer overflows with malformed packets.
From tcpdump CVS via fenner@FreeBSD
| -rw-r--r-- | usr.sbin/tcpdump/interface.h | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/usr.sbin/tcpdump/interface.h b/usr.sbin/tcpdump/interface.h index 005251af9ea..4f576f1c605 100644 --- a/usr.sbin/tcpdump/interface.h +++ b/usr.sbin/tcpdump/interface.h @@ -1,4 +1,4 @@ -/* $OpenBSD: interface.h,v 1.31 2002/02/19 19:39:40 millert Exp $ */ +/* $OpenBSD: interface.h,v 1.32 2002/07/12 23:18:12 pvalchev Exp $ */ /* * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 @@ -20,7 +20,7 @@ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * @(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/interface.h,v 1.31 2002/02/19 19:39:40 millert Exp $ (LBL) + * @(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/interface.h,v 1.32 2002/07/12 23:18:12 pvalchev Exp $ (LBL) */ #ifndef tcpdump_interface_h @@ -124,8 +124,16 @@ extern int snaplen; extern const u_char *packetp; extern const u_char *snapend; -/* True if "l" bytes of "var" were captured */ -#define TTEST2(var, l) ((u_char *)&(var) <= snapend - (l)) +/* + * True if "l" bytes of "var" were captured. + * + * The "snapend - (l) <= snapend" checks to make sure "l" isn't so large + * that "snapend - (l)" underflows. + * + * The check is for <= rather than < because "l" might be 0. + */ +#define TTEST2(var, l) (snapend - (l) <= snapend && \ + (const u_char *)&(var) <= snapend - (l)) /* True if "var" was captured */ #define TTEST(var) TTEST2(var, sizeof(var)) |