Re: Official patches for CVE-2014-8767/CVE-2014-8768/CVE-2014-8769?

[Guy Harris <guy () alum mit edu>]

On Nov 21, 2014, at 2:01 PM, Romain Francoise <rfrancoise () debian org> wrote:

> Ok, the fixes still aren't on master, but now there's a tcpdump-4.7
> branch with the commits I need.
>
> So I apparently need all of these?
>
> 3f5693a 10 days ago Guy Harris Report a too-long unreachable destination list.
> 54d2912 10 days ago Guy Harris Not using offsetof() any more, so no need for <stddef.h>.
> e302ff0 10 days ago Guy Harris Further cleanups.
> 3e8a443 10 days ago Guy Harris Clean up error message printing.
> ab4e52b 10 days ago Guy Harris Add initial bounds check, get rid of union aodv.
> 4038f83 10 days ago Guy Harris Do more bounds checking and length checking.
> 9255c9b 10 days ago Guy Harris Do bounds checking and length checking.
>
> print-aodv.c   | 481 ++++++++++++++++++++++++++-------------------------------
> print-geonet.c | 270 ++++++++++++++++++--------------
> print-olsr.c   |  56 +++++--
> 3 files changed, 417 insertions(+), 390 deletions(-)

Yes.

> That's a lot bigger than typical security patches. :(

So it goes.  You can tweak the code the minimum amount to cope with the problem as demonstrated by sample captures, or 
you can audit the whole damn thing to see what other problems might be lurking there, and sometimes that involves 
cleaning up the code to make it a bit more obvious what {ND_}TCHECK*/{ND_}TTEST* checks need to be added.

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers