tcpdump: patch CVE-2020-8037
[librecmc/librecmc.git] / package / network / utils / tcpdump / patches / 101-CVE-2020-8037.patch
1 --- a/print-ppp.c
2 +++ b/print-ppp.c
3 @@ -1368,19 +1368,29 @@ trunc:
4  }
5  
6  #ifndef TCPDUMP_MINI
7 +/*
8 + * Un-escape RFC 1662 PPP in HDLC-like framing, with octet escapes.
9 + * The length argument is the on-the-wire length, not the captured
10 + * length; we can only un-escape the captured part.
11 + */
12  static void
13  ppp_hdlc(netdissect_options *ndo,
14           const u_char *p, int length)
15  {
16 +       u_int caplen = ndo->ndo_snapend - p;
17         u_char *b, *t, c;
18         const u_char *s;
19 -       int i, proto;
20 +       u_int i;
21 +       int proto;
22         const void *se;
23  
24 +       if (caplen == 0)
25 +               return;
26 +
27          if (length <= 0)
28                  return;
29  
30 -       b = (u_char *)malloc(length);
31 +       b = (u_char *)malloc(caplen);
32         if (b == NULL)
33                 return;
34  
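Review bot: `u_int caplen = ndo->ndo_snapend - p;` narrows a pointer difference to `u_int` before anything checks that `p` is at or before `ndo_snapend`, so the `caplen == 0` test only catches the case where the two are exactly equal. If a caller can ever pass a `p` beyond the snapshot end (the callers are not visible here, so this needs confirming), the difference wraps to a very large value that then sizes both the `malloc()` and the copy loop in the next hunk. Comparing the pointers first avoids this: declare `u_int caplen;`, then `if (p >= ndo->ndo_snapend) return;` followed by `caplen = (u_int)(ndo->ndo_snapend - p);`. The body of ppp_hdlc continues outside this hunk.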
35 @@ -1389,10 +1399,10 @@ ppp_hdlc(netdissect_options *ndo,
36          * Do this so that we dont overwrite the original packet
37          * contents.
38          */
39 -       for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) {
40 +       for (s = p, t = b, i = caplen; i != 0; i--) {
41                 c = *s++;
42                 if (c == 0x7d) {
43 -                       if (i <= 1 || !ND_TTEST(*s))
44 +                       if (i <= 1)
45                                 break;
46                         i--;
47                         c = *s++ ^ 0x20;
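Review bot: With both `ND_TTEST` calls removed, nothing inside the loop checks a read any more; `c = *s++` and `c = *s++ ^ 0x20` stay in bounds only because `i` starts at `caplen`, and the stores through `t` (presumably further down, outside this hunk) fit only because `b` was allocated with that same `caplen`. That coupling deserves a comment on the `for` line, for example `/* i counts captured bytes: s stays below ndo_snapend and t below b + caplen */`, so that a later change to the allocation size or the loop bound is not made in isolation. `length` also no longer limits the loop, so when more bytes were captured than the on-the-wire length, the extra bytes are un-escaped as well. If that is not intended, start `i` at the smaller of `caplen` and `length`. The loop body continues past the end of the hunk.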