1
0

101-CVE-2020-8037.patch 1.0 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647
  1. --- a/print-ppp.c
  2. +++ b/print-ppp.c
  3. @@ -1368,19 +1368,29 @@ trunc:
  4. }
  5. #ifndef TCPDUMP_MINI
  6. +/*
  7. + * Un-escape RFC 1662 PPP in HDLC-like framing, with octet escapes.
  8. + * The length argument is the on-the-wire length, not the captured
  9. + * length; we can only un-escape the captured part.
  10. + */
  11. static void
  12. ppp_hdlc(netdissect_options *ndo,
  13. const u_char *p, int length)
  14. {
  15. + u_int caplen = ndo->ndo_snapend - p;
  16. u_char *b, *t, c;
  17. const u_char *s;
  18. - int i, proto;
  19. + u_int i;
  20. + int proto;
  21. const void *se;
  22. + if (caplen == 0)
  23. + return;
  24. +
  25. if (length <= 0)
  26. return;
  27. - b = (u_char *)malloc(length);
  28. + b = (u_char *)malloc(caplen);
  29. if (b == NULL)
  30. return;
  31. @@ -1389,10 +1399,10 @@ ppp_hdlc(netdissect_options *ndo,
  32. * Do this so that we dont overwrite the original packet
  33. * contents.
  34. */
  35. - for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) {
  36. + for (s = p, t = b, i = caplen; i != 0; i--) {
  37. c = *s++;
  38. if (c == 0x7d) {
  39. - if (i <= 1 || !ND_TTEST(*s))
  40. + if (i <= 1)
  41. break;
  42. i--;
  43. c = *s++ ^ 0x20;