CVE-2018-14879: (for 4.9.3) CVE-2018-14879/fix -V to fail invalid input safely · the-tcpdump-group/tcpdump@9ba9138
The command-line argument parser in tcpdump before 4.9.3 has a buffer overflow in tcpdump.c:get_next_file().
(for 4.9.3) CVE-2018-14879/fix -V to fail invalid input safely
get_next_file() did not check the return value of strlen() and underflowed an array index if the line read by fgets() from the file started with \0. This caused an out-of-bounds read and could cause a write. Add the missing check.
This vulnerability was discovered by Brian Carpenter & Geeknik Labs.
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions tcpdump.c
@@ -699,13 +699,15 @@ static char *
get_next_file(FILE *VFile, char *ptr)
{
char *ret;
size_t len;
ret = fgets(ptr, PATH_MAX, VFile);
if (!ret)
return NULL;
if (ptr[strlen(ptr) - 1] == ‘\n’)
ptr[strlen(ptr) - 1] = '\0’;
len = strlen (ptr);
if (len > 0 && ptr[len - 1] == ‘\n’)
ptr[len - 1] = '\0’;
return ret;
}
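Review bot: In the new `len > 0 && ptr[len - 1]` check, a line that begins with \0 gives len == 0 and the function still returns ret, so the caller receives an empty string as the next file name. The index underflow is gone, but consider treating len == 0 as invalid input at this point, or documenting that callers must handle an empty name. Bytes that follow an embedded \0 on the line are also silently dropped, because strlen() stops at the first one. Style nit: `strlen (ptr)` has a space before the parenthesis, while `fgets(ptr, PATH_MAX, VFile)` a few lines above does not.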