Package: src:tcpdump
Version: 4.6.2-4
Tags: patch
Usertags: origin-ubuntu ubuntu-patch vivid

In Ubuntu, we've applied the attached patch to achieve the following:

  * debian/patches/60_cve-2015-2153-fix-regression.diff:
    - Fix regression due to 60_cve-2015-2153.diff

We thought you might be interested in doing the same.
Description: RPKI to Router Protocol: Fix Segmentation Faults and other problems.
                 - Fix/add ND_TCHECK2 tests,
                 - Fix a buffer overflow,
                 - Remove a debug printf
Origin: upstream, https://github.com/the-tcpdump-group/tcpdump/commit/fb6e5377f392555b8c725f66b8b701f0061a3695

diff -pruN -x '*~' tcpdump-4.6.2.orig/print-rpki-rtr.c tcpdump-4.6.2/print-rpki-rtr.c
--- tcpdump-4.6.2.orig/print-rpki-rtr.c	2015-03-22 12:55:55.349173971 +0100
+++ tcpdump-4.6.2/print-rpki-rtr.c	2015-03-22 12:49:56.987396951 +0100
@@ -178,7 +178,7 @@ rpki_rtr_pdu_print (netdissect_options *
     pdu_header = (rpki_rtr_pdu *)tptr;
     pdu_type = pdu_header->pdu_type;
     pdu_len = EXTRACT_32BITS(pdu_header->length);
-    ND_TCHECK2(tptr, pdu_len);
+    ND_TCHECK2(*tptr, pdu_len);
     hexdump = FALSE;
 
     ND_PRINT((ndo, "%sRPKI-RTRv%u, %s PDU (%u), length: %u",
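Review bot: `pdu_header->pdu_type` and `pdu_header->length` are read before any bounds check visible in this hunk, so the corrected `ND_TCHECK2(*tptr, pdu_len)` only runs after the fixed header has already been dereferenced. Unless the caller guarantees the header is inside the captured data (not visible here), a guard such as `ND_TCHECK2(*tptr, sizeof(rpki_rtr_pdu));` should come before the two field reads. The same read-then-check ordering appears in the rpki_rtr_print hunk further down. The body of rpki_rtr_pdu_print starts and ends outside this hunk.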
@@ -255,6 +255,7 @@ rpki_rtr_pdu_print (netdissect_options *
 
 	    pdu = (rpki_rtr_pdu_error_report *)tptr;
 	    encapsulated_pdu_length = EXTRACT_32BITS(pdu->encapsulated_pdu_length);
+	    ND_TCHECK2(*tptr, encapsulated_pdu_length);
 	    tlen = pdu_len;
 
 	    error_code = EXTRACT_16BITS(pdu->pdu_header.u.error_code);
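Review bot: The added `ND_TCHECK2(*tptr, encapsulated_pdu_length)` is anchored at the start of the error-report PDU rather than at the encapsulated PDU, and nothing in the visible lines compares `encapsulated_pdu_length` with `pdu_len`. A declared encapsulated length larger than the enclosing PDU would therefore still pass whenever the capture is long enough, and later parsing would run into whatever follows. An explicit consistency check would close that, for example `if (pdu_len < sizeof(*pdu) || encapsulated_pdu_length > pdu_len - sizeof(*pdu)) goto trunc;`, assuming `*pdu` covers only the fixed fields (the struct definition is outside this hunk). The enclosing block continues beyond the hunk.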
@@ -287,9 +288,10 @@ rpki_rtr_pdu_print (netdissect_options *
 		tptr += 4;
 		tlen -= 4;
 	    }
+	    ND_TCHECK2(*tptr, text_length);
 	    if (text_length && (text_length <= tlen )) {
 		memcpy(buf, tptr, min(sizeof(buf)-1, text_length));
-		buf[text_length] = '\0';
+		buf[min(sizeof(buf) - 1, text_length)] = '\0';
 		ND_PRINT((ndo, "%sError text: %s", indent_string(indent+2), buf));
 	    }
 	}
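Review bot: The error text comes from the packet and is still printed with a plain `%s`, so control and escape bytes from the network reach the terminal unescaped; tcpdump's escaping print helper (`fn_printn`) would avoid both that and the temporary copy into `buf`. If the copy is kept, the clamp is now written twice and the two expressions must stay in step for the terminator to be correct; computing it once, e.g. `copy_len = min(sizeof(buf) - 1, text_length);`, and using `copy_len` for both the `memcpy` and the terminator index makes that explicit. A short comment noting that `text_length` is attacker-controlled and may exceed `sizeof(buf)` would record why the clamp is there.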
@@ -336,13 +338,13 @@ rpki_rtr_print(netdissect_options *ndo,
 	pdu_header = (rpki_rtr_pdu *)tptr;
         pdu_type = pdu_header->pdu_type;
         pdu_len = EXTRACT_32BITS(pdu_header->length);
+	ND_TCHECK2(*tptr, pdu_len);
 
         /* infinite loop check */
         if (!pdu_type || !pdu_len) {
             break;
         }
 
-        ND_TCHECK2(*tptr, pdu_len);
         if (tlen < pdu_len) {
             goto trunc;
         }
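Review bot: The loop guard rejects only `pdu_len == 0`, so a declared length between 1 and the fixed header size minus one passes both `ND_TCHECK2(*tptr, pdu_len)` and `tlen < pdu_len`, even though the header fields were already read from `pdu_header` above. Such a PDU is shorter than its own header and should be treated as malformed before it is handed on, e.g. `if (pdu_len < sizeof(rpki_rtr_pdu)) goto trunc;` placed next to the infinite-loop check. How the value is consumed afterwards is outside this hunk, so the exact impact is inferred rather than shown.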
