mirror of
https://git.freebsd.org/ports.git
synced 2025-06-18 19:20:36 -04:00
84cf2c81f7
Security: FreeBSD-SA-05:10.tcpdump Security: http://vuxml.FreeBSD.org/9fae0f1f-df82-11d9-b875-0001020eed82.html Security: CAN-2005-1267, CAN-2005-1278, CAN-2005-1279, CAN-2005-1280 Approved by: bms (maintainer)
99 lines
3.6 KiB
Text
99 lines
3.6 KiB
Text
Index: print-bgp.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/print-bgp.c,v
|
|
retrieving revision 1.1.1.5
|
|
diff -u -d -r1.1.1.5 print-bgp.c
|
|
--- print-bgp.c 31 Mar 2004 09:16:43 -0000 1.1.1.5
|
|
+++ print-bgp.c 30 May 2005 21:03:44 -0000
|
|
@@ -1216,6 +1216,8 @@
|
|
tptr = pptr + len;
|
|
break;
|
|
}
|
|
+ if (advance < 0) /* infinite loop protection */
|
|
+ break;
|
|
tptr += advance;
|
|
}
|
|
break;
|
|
@@ -1646,9 +1648,10 @@
|
|
while (dat + length > p) {
|
|
char buf[MAXHOSTNAMELEN + 100];
|
|
i = decode_prefix4(p, buf, sizeof(buf));
|
|
- if (i == -1)
|
|
+ if (i == -1) {
|
|
printf("\n\t (illegal prefix length)");
|
|
- else if (i == -2)
|
|
+ break;
|
|
+ } else if (i == -2)
|
|
goto trunc;
|
|
else {
|
|
printf("\n\t %s", buf);
|
|
Index: print-isoclns.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/print-isoclns.c,v
|
|
retrieving revision 1.12
|
|
diff -u -d -r1.12 print-isoclns.c
|
|
--- print-isoclns.c 31 Mar 2004 14:57:24 -0000 1.12
|
|
+++ print-isoclns.c 22 May 2005 21:49:06 -0000
|
|
@@ -1508,6 +1508,9 @@
|
|
tlv_type,
|
|
tlv_len);
|
|
|
|
+ if (tlv_len == 0) /* something is malformed */
|
|
+ break;
|
|
+
|
|
/* now check if we have a decoder otherwise do a hexdump at the end*/
|
|
switch (tlv_type) {
|
|
case TLV_AREA_ADDR:
|
|
@@ -1538,7 +1541,7 @@
|
|
break;
|
|
|
|
case TLV_ISNEIGH_VARLEN:
|
|
- if (!TTEST2(*tptr, 1))
|
|
+ if (!TTEST2(*tptr, 1) || tmp < 3) /* min. TLV length */
|
|
goto trunctlv;
|
|
lan_alen = *tptr++; /* LAN adress length */
|
|
tmp --;
|
|
Index: print-ldp.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/print-ldp.c,v
|
|
retrieving revision 1.1.1.1
|
|
diff -u -d -r1.1.1.1 print-ldp.c
|
|
--- print-ldp.c 31 Mar 2004 09:16:56 -0000 1.1.1.1
|
|
+++ print-ldp.c 30 May 2005 21:11:28 -0000
|
|
@@ -326,6 +326,9 @@
|
|
EXTRACT_32BITS(&ldp_msg_header->id),
|
|
LDP_MASK_U_BIT(EXTRACT_16BITS(&ldp_msg_header->type)) ? "continue processing" : "ignore");
|
|
|
|
+ if (msg_len == 0) /* infinite loop protection */
|
|
+ break;
|
|
+
|
|
msg_tptr=tptr+sizeof(struct ldp_msg_header);
|
|
msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4; /* Type & Length fields not included */
|
|
|
|
Index: print-rsvp.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/print-rsvp.c,v
|
|
retrieving revision 1.1.1.1
|
|
diff -u -d -r1.1.1.1 print-rsvp.c
|
|
--- print-rsvp.c 31 Mar 2004 09:17:07 -0000 1.1.1.1
|
|
+++ print-rsvp.c 21 May 2005 20:13:29 -0000
|
|
@@ -875,10 +875,17 @@
|
|
switch(rsvp_obj_ctype) {
|
|
case RSVP_CTYPE_IPV4:
|
|
while(obj_tlen >= 4 ) {
|
|
- printf("\n\t Subobject Type: %s",
|
|
+ printf("\n\t Subobject Type: %s, length %u",
|
|
tok2str(rsvp_obj_xro_values,
|
|
"Unknown %u",
|
|
- RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)));
|
|
+ RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)),
|
|
+ *(obj_tptr+1));
|
|
+
|
|
+ if (*(obj_tptr+1) == 0) { /* prevent infinite loops */
|
|
+ printf("\n\t ERROR: zero length ERO subtype");
|
|
+ break;
|
|
+ }
|
|
+
|
|
switch(RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)) {
|
|
case RSVP_OBJ_XRO_IPV4:
|
|
printf(", %s, %s/%u, Flags: [%s]",
|