OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Michael Schloh Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 07-Apr-2004 17:44:02 Branch: OPENPKG_1_3_SOLID Handle: 2004040716440200 Modified files: (Branch: OPENPKG_1_3_SOLID) openpkg-src/tcpdump tcpdump.patch tcpdump.spec Log: OpenPKG-SA-2004.010-tcpdump (CAN-2004-0183 and CAN-2004-0184): Integrate patch code from debian's tcpdump_3.7.2-4.diff.gz to avoid denial of service from reading ISAKMP packets with malformed delete payloads and identification payloads Summary: Revision Changes Path 1.1.6.2.2.2 +495 -11 openpkg-src/tcpdump/tcpdump.patch 1.25.2.3.2.3+1 -1 openpkg-src/tcpdump/tcpdump.spec ____________________________________________________________________________ patch -p0 <<'@@ .' Index: openpkg-src/tcpdump/tcpdump.patch ============================================================================ $ cvs diff -u -r1.1.6.2.2.1 -r1.1.6.2.2.2 tcpdump.patch --- openpkg-src/tcpdump/tcpdump.patch 16 Jan 2004 12:38:59 -0000 1.1.6.2.2.1 +++ openpkg-src/tcpdump/tcpdump.patch 7 Apr 2004 15:44:02 -0000 1.1.6.2.2.2 
@@ -19,17 +19,19 @@ tcpdump patch patrix; [EMAIL PROTECTED] - tcpdump 371 371 372 381 - OpenPKG 120 121 130 20020822 - --- --- --- --- - CAN-2002-0380 nfs y n n n see past OpenPKG-SA-2003.014-tcpdump - CAN-2002-1350 bgp y n n n see past OpenPKG-SA-2003.014-tcpdump - CAN-2003-0108 isakmp y n n n see past OpenPKG-SA-2003.014-tcpdump - depth y y y n (*) - CAN-2003-0989 isakmp y y y n updates CAN-2003-0108-isakmp - CAN-2003-1029 l2tp y y n n - CAN-2004-0055 radius y y y y - CAN-2004-0057 isakmp y y y y + tcpdump 371 371 372 372 381 + OpenPKG 120 121 130 131 20020822 + --- --- --- --- --- + CAN-2002-0380 nfs y n n n n see past OpenPKG-SA-2003.014-tcpdump + CAN-2002-1350 bgp y n n n n see past OpenPKG-SA-2003.014-tcpdump + CAN-2003-0108 isakmp y n n n n see past OpenPKG-SA-2003.014-tcpdump + depth y y y n n (*) + CAN-2003-0989 isakmp y y y n n updates CAN-2003-0108-isakmp + CAN-2003-1029 l2tp y y n n n + CAN-2004-0055 radius y y y y y + CAN-2004-0057 isakmp y y y y y + CAN-2004-0183 isakmp y y y y y + CAN-2004-0184 isakmp y y y y y (*) the vendor code fix for CAN-2003-0108 had two other unrelated code changes piggybacked. We removed the cosmetics (constify) and 
@@ -492,3 +494,485 @@ static char * +Index: print-isakmp.c +diff -Nau print-isakmp.c.CAN-2004-0183 print-isakmp.c +--- print-isakmp.c.CAN-2004-0183 2004-04-07 16:29:55.000000000 +0200 ++++ print-isakmp.c 2004-04-07 17:16:45.000000000 +0200 +@@ -326,7 +326,7 @@ + return 0; + } + +-static void ++static int + rawprint(caddr_t loc, size_t len) + { + static u_char *p; +@@ -337,8 +337,9 @@ + p = (u_char *)loc; + for (i = 0; i < len; i++) + printf("%02x", p[i] & 0xff); ++ return 1; + trunc: +- return; ++ return 0; + } + + struct attrmap { +@@ -430,6 +431,7 @@ + printf("%s:", NPSTR(ISAKMP_NPTYPE_SA)); + + p = (struct isakmp_pl_sa *)ext; ++ TCHECK(*p); + safememcpy(&sa, ext, sizeof(sa)); + doi = ntohl(sa.doi); + sit = ntohl(sa.sit); +@@ -456,16 +458,21 @@ + + np = (u_char *)ext + sizeof(sa); + if (sit != 0x01) { ++ TCHECK2(*(ext + 1), sizeof(ident)); + safememcpy(&ident, ext + 1, sizeof(ident)); + printf(" ident=%u", (u_int32_t)ntohl(ident)); + np += sizeof(ident); + } + + ext = (struct isakmp_gen *)np; ++ TCHECK(*ext); + + cp = isakmp_sub_print(ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0, depth); + + return cp; ++trunc: ++ printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_SA)); ++ return NULL; + } + + static u_char * +@@ -478,20 +485,26 @@ + printf("%s:", NPSTR(ISAKMP_NPTYPE_P)); + + p = (struct isakmp_pl_p *)ext; ++ TCHECK(*p); + safememcpy(&prop, ext, sizeof(prop)); + printf(" #%d protoid=%s transform=%d", + prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t); + if (prop.spi_size) { + printf(" spi="); +- rawprint((caddr_t)(p + 1), prop.spi_size); ++ if (!rawprint((caddr_t)(p + 1), prop.spi_size)) ++ goto trunc; + } + + ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size); ++ TCHECK(*ext); + + cp = isakmp_sub_print(ISAKMP_NPTYPE_T, ext, ep, phase, doi0, + prop.prot_id, depth); + + return cp; ++trunc: ++ printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_P)); ++ return NULL; + } + + static char *isakmp_p_map[] = { +@@ -564,6 +577,7 @@ + printf("%s:", NPSTR(ISAKMP_NPTYPE_T)); + + p = (struct 
isakmp_pl_t *)ext; ++ TCHECK(*p); + safememcpy(&t, ext, sizeof(t)); + + switch (proto) { +@@ -610,6 +624,9 @@ + if (ep < ep2) + printf("..."); + return cp; ++trunc: ++ printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_T)); ++ return NULL; + } + + static u_char * +@@ -620,13 +637,18 @@ + + printf("%s:", NPSTR(ISAKMP_NPTYPE_KE)); + ++ TCHECK(*ext); + safememcpy(&e, ext, sizeof(e)); + printf(" key len=%d", ntohs(e.len) - 4); + if (2 < vflag && 4 < ntohs(e.len)) { + printf(" "); +- rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4); ++ if (!rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4)) ++ goto trunc; + } + return (u_char *)ext + ntohs(e.len); ++trunc: ++ printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_KE)); ++ return NULL; + } + + static u_char * +@@ -649,12 +671,15 @@ + printf("%s:", NPSTR(ISAKMP_NPTYPE_ID)); + + p = (struct isakmp_pl_id *)ext; ++ TCHECK(*p); + safememcpy(&id, ext, sizeof(id)); +- if (sizeof(*p) < id.h.len) ++ if (sizeof(*p) < ntohs(id.h.len)) { + data = (u_char *)(p + 1); +- else ++ len = ntohs(id.h.len) - sizeof(*p); ++ } else { + data = NULL; +- len = ntohs(id.h.len) - sizeof(*p); ++ len = 0; ++ } + + #if 0 /*debug*/ + printf(" [phase=%d doi=%d proto=%d]", phase, doi, proto); +@@ -678,6 +703,7 @@ + struct protoent *pe; + + p = (struct ipsecdoi_id *)ext; ++ TCHECK(*p); + safememcpy(&id, ext, sizeof(id)); + printf(" idtype=%s", STR_OR_ID(id.type, ipsecidtypestr)); + if (id.proto_id) { +@@ -693,9 +719,15 @@ + printf(" port=%d", ntohs(id.port)); + if (!len) + break; ++ if (data == NULL) ++ goto trunc; ++ TCHECK2(*data, len); + switch (id.type) { + case IPSECDOI_ID_IPV4_ADDR: +- printf(" len=%d %s", len, ipaddr_string(data)); ++ if (len < 4) ++ printf(" len=%d [bad: < 4]", len); ++ else ++ printf(" len=%d %s", len, ipaddr_string(data)); + len = 0; + break; + case IPSECDOI_ID_FQDN: +@@ -711,39 +743,58 @@ + case IPSECDOI_ID_IPV4_ADDR_SUBNET: + { + u_char *mask; +- mask = data + sizeof(struct in_addr); +- printf(" len=%d %s/%u.%u.%u.%u", len, +- ipaddr_string(data), +- mask[0], 
mask[1], mask[2], mask[3]); ++ if (len < 8) ++ printf(" len=%d [bad: < 8]", len); ++ else { ++ mask = data + sizeof(struct in_addr); ++ printf(" len=%d %s/%u.%u.%u.%u", len, ++ ipaddr_string(data), ++ mask[0], mask[1], mask[2], mask[3]); ++ } + len = 0; + break; + } + #ifdef INET6 + case IPSECDOI_ID_IPV6_ADDR: +- printf(" len=%d %s", len, ip6addr_string(data)); ++ if (len < 16) ++ printf(" len=%d [bad: < 16]", len); ++ else ++ printf(" len=%d %s", len, ip6addr_string(data)); + len = 0; + break; + case IPSECDOI_ID_IPV6_ADDR_SUBNET: + { + u_int32_t *mask; +- mask = (u_int32_t *)(data + sizeof(struct in6_addr)); +- /*XXX*/ +- printf(" len=%d %s/0x%08x%08x%08x%08x", len, +- ip6addr_string(data), +- mask[0], mask[1], mask[2], mask[3]); ++ if (len < 20) ++ printf(" len=%d [bad: < 20]", len); ++ else { ++ mask = (u_int32_t *)(data + sizeof(struct in6_addr)); ++ /*XXX*/ ++ printf(" len=%d %s/0x%08x%08x%08x%08x", len, ++ ip6addr_string(data), ++ mask[0], mask[1], mask[2], mask[3]); ++ } + len = 0; + break; + } + #endif /*INET6*/ + case IPSECDOI_ID_IPV4_ADDR_RANGE: +- printf(" len=%d %s-%s", len, ipaddr_string(data), +- ipaddr_string(data + sizeof(struct in_addr))); ++ if (len < 8) ++ printf(" len=%d [bad: < 8]", len); ++ else { ++ printf(" len=%d %s-%s", len, ipaddr_string(data), ++ ipaddr_string(data + sizeof(struct in_addr))); ++ } + len = 0; + break; + #ifdef INET6 + case IPSECDOI_ID_IPV6_ADDR_RANGE: +- printf(" len=%d %s-%s", len, ip6addr_string(data), +- ip6addr_string(data + sizeof(struct in6_addr))); ++ if (len < 32) ++ printf(" len=%d [bad: < 32]", len); ++ else { ++ printf(" len=%d %s-%s", len, ip6addr_string(data), ++ ip6addr_string(data + sizeof(struct in6_addr))); ++ } + len = 0; + break; + #endif /*INET6*/ +@@ -759,10 +810,14 @@ + printf(" len=%d", len); + if (2 < vflag) { + printf(" "); +- rawprint((caddr_t)data, len); ++ if (!rawprint((caddr_t)data, len)) ++ goto trunc; + } + } + return (u_char *)ext + ntohs(id.h.len); ++trunc: ++ printf(" [|%s]", 
NPSTR(ISAKMP_NPTYPE_ID)); ++ return NULL; + } + + static u_char * +@@ -779,14 +834,19 @@ + printf("%s:", NPSTR(ISAKMP_NPTYPE_CERT)); + + p = (struct isakmp_pl_cert *)ext; ++ TCHECK(*p); + safememcpy(&cert, ext, sizeof(cert)); + printf(" len=%d", ntohs(cert.h.len) - 4); + printf(" type=%s", STR_OR_ID((cert.encode), certstr)); + if (2 < vflag && 4 < ntohs(cert.h.len)) { + printf(" "); +- rawprint((caddr_t)(ext + 1), ntohs(cert.h.len) - 4); ++ if (!rawprint((caddr_t)(ext + 1), ntohs(cert.h.len) - 4)) ++ goto trunc; + } + return (u_char *)ext + ntohs(cert.h.len); ++trunc: ++ printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)); ++ return NULL; + } + + static u_char * +@@ -803,14 +863,19 @@ + printf("%s:", NPSTR(ISAKMP_NPTYPE_CR)); + + p = (struct isakmp_pl_cert *)ext; ++ TCHECK(*p); + safememcpy(&cert, ext, sizeof(cert)); + printf(" len=%d", ntohs(cert.h.len) - 4); + printf(" type=%s", STR_OR_ID((cert.encode), certstr)); + if (2 < vflag && 4 < ntohs(cert.h.len)) { + printf(" "); +- rawprint((caddr_t)(ext + 1), ntohs(cert.h.len) - 4); ++ if (!rawprint((caddr_t)(ext + 1), ntohs(cert.h.len) - 4)) ++ goto trunc; + } + return (u_char *)ext + ntohs(cert.h.len); ++trunc: ++ printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_CR)); ++ return NULL; + } + + static u_char * +@@ -821,13 +886,18 @@ + + printf("%s:", NPSTR(ISAKMP_NPTYPE_HASH)); + ++ TCHECK(*ext); + safememcpy(&e, ext, sizeof(e)); + printf(" len=%d", ntohs(e.len) - 4); + if (2 < vflag && 4 < ntohs(e.len)) { + printf(" "); +- rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4); ++ if (!rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4)) ++ goto trunc; + } + return (u_char *)ext + ntohs(e.len); ++trunc: ++ printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)); ++ return NULL; + } + + static u_char * +@@ -838,13 +908,18 @@ + + printf("%s:", NPSTR(ISAKMP_NPTYPE_SIG)); + ++ TCHECK(*ext); + safememcpy(&e, ext, sizeof(e)); + printf(" len=%d", ntohs(e.len) - 4); + if (2 < vflag && 4 < ntohs(e.len)) { + printf(" "); +- rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4); 
++ if (!rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4)) ++ goto trunc; + } + return (u_char *)ext + ntohs(e.len); ++trunc: ++ printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)); ++ return NULL; + } + + static u_char * +@@ -855,13 +930,18 @@ + + printf("%s:", NPSTR(ISAKMP_NPTYPE_NONCE)); + ++ TCHECK(*ext); + safememcpy(&e, ext, sizeof(e)); + printf(" n len=%d", ntohs(e.len) - 4); + if (2 < vflag && 4 < ntohs(e.len)) { + printf(" "); +- rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4); ++ if (!rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4)) ++ goto trunc; + } + return (u_char *)ext + ntohs(e.len); ++trunc: ++ printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)); ++ return NULL; + } + + static u_char * +@@ -904,6 +984,7 @@ + printf("%s:", NPSTR(ISAKMP_NPTYPE_N)); + + p = (struct isakmp_pl_n *)ext; ++ TCHECK(*p); + safememcpy(&n, ext, sizeof(n)); + doi = ntohl(n.doi); + proto = n.prot_id; +@@ -913,7 +994,8 @@ + printf(" type=%s", NOTIFYSTR(ntohs(n.type))); + if (n.spi_size) { + printf(" spi="); +- rawprint((caddr_t)(p + 1), n.spi_size); ++ if (!rawprint((caddr_t)(p + 1), n.spi_size)) ++ goto trunc; + } + return (u_char *)(p + 1) + n.spi_size; + } +@@ -932,7 +1014,8 @@ + printf(" type=%s", NOTIFYSTR(ntohs(n.type))); + if (n.spi_size) { + printf(" spi="); +- rawprint((caddr_t)(p + 1), n.spi_size); ++ if (!rawprint((caddr_t)(p + 1), n.spi_size)) ++ goto trunc; + } + + cp = (u_char *)(p + 1) + n.spi_size; +@@ -969,6 +1052,9 @@ + printf(")"); + } + return (u_char *)ext + ntohs(n.h.len); ++trunc: ++ printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_N)); ++ return NULL; + } + + static u_char * +@@ -984,6 +1070,7 @@ + printf("%s:", NPSTR(ISAKMP_NPTYPE_D)); + + p = (struct isakmp_pl_d *)ext; ++ TCHECK(*p); + safememcpy(&d, ext, sizeof(d)); + doi = ntohl(d.doi); + proto = d.prot_id; +@@ -1001,10 +1088,14 @@ + for (i = 0; i < ntohs(d.num_spi); i++) { + if (i != 0) + printf(","); +- rawprint((caddr_t)q, d.spi_size); ++ if (!rawprint((caddr_t)q, d.spi_size)) ++ goto trunc; + q += d.spi_size; + } + return q; 
++trunc: ++ printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_D)); ++ return NULL; + } + + static u_char * +@@ -1015,13 +1106,18 @@ + + printf("%s:", NPSTR(ISAKMP_NPTYPE_VID)); + ++ TCHECK(*ext); + safememcpy(&e, ext, sizeof(e)); + printf(" len=%d", ntohs(e.len) - 4); + if (2 < vflag && 4 < ntohs(e.len)) { + printf(" "); +- rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4); ++ if (!rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4)) ++ goto trunc; + } + return (u_char *)ext + ntohs(e.len); ++trunc: ++ printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_VID)); ++ return NULL; + } + + static u_char * +@@ -1033,6 +1129,7 @@ + u_int item_len; + + cp = (u_char *)ext; ++ TCHECK(*ext); + safememcpy(&e, ext, sizeof(e)); + + /* +@@ -1056,6 +1153,9 @@ + cp += item_len; + } + return cp; ++trunc: ++ printf(" [|isakmp]"); ++ return NULL; + } + + static u_char * +@@ -1069,15 +1169,12 @@ + cp = (u_char *)ext; + + while (np) { +- TCHECK2(*ext, sizeof(e)); ++ TCHECK(*ext); + + safememcpy(&e, ext, sizeof(e)); + +- if (ep < (u_char *)ext + ntohs(e.len)) { +- printf(" [|%s]", NPSTR(np)); +- cp = ep + 1; +- break; +- } ++ TCHECK2(*ext, ntohs(e.len)); ++ + depth++; + printf("\n"); + for (i = 0; i < depth; i++) +@@ -1097,6 +1194,7 @@ + } + return cp; + trunc: ++ printf(" [|%s]", NPSTR(np)); + return NULL; + } + @@ . patch -p0 <<'@@ .' Index: openpkg-src/tcpdump/tcpdump.spec ============================================================================ $ cvs diff -u -r1.25.2.3.2.2 -r1.25.2.3.2.3 tcpdump.spec --- openpkg-src/tcpdump/tcpdump.spec 16 Jan 2004 12:38:59 -0000 1.25.2.3.2.2 +++ openpkg-src/tcpdump/tcpdump.spec 7 Apr 2004 15:44:02 -0000 1.25.2.3.2.3 @@ -33,7 +33,7 @@ Group: Network License: GPL Version: 3.7.2 -Release: 1.3.1 +Release: 1.3.2 # list of sources Source0: http://www.tcpdump.org/release/tcpdump-%{version}.tar.gz @@ . ______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List [EMAIL PROTECTED]
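Review bot: In the `IPSECDOI_ID_IPV6_ADDR_SUBNET` case of the ID-payload printer (inner print-isakmp.c hunk `-711,39 +743,58`), the new guard `if (len < 20)` is smaller than what the branch reads: a 16-byte `struct in6_addr` followed by `mask[0]`..`mask[3]` as four `u_int32_t` words, 32 bytes in all. The preceding `TCHECK2(*data, len)` only vouches for `len` bytes, so an identification payload with `len` between 20 and 31 can still let the mask reads run past the checked region, which looks like the same kind of over-read on malformed ID payloads that this advisory is meant to close. The guard should match the IPv6 range case a few lines below: `if (len < 32)` with `printf(" len=%d [bad: < 32]", len);`. The `(u_int32_t *)` cast on packet data, already marked `/*XXX*/`, may also be misaligned on strict-alignment targets; copying the mask into a local array with the file's `safememcpy` before printing would avoid that. The enclosing function begins and ends outside this hunk, so how `len` and `data` are declared is not visible here.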