From 2ce9e4d7ad6def2a8e962bdf2b90633e396dd9cf Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Wed, 25 Mar 2015 16:48:48 +0100
Subject: [PATCH 3/4] Fix for CVE-2015-2154
(cherry picked from commit 1a4e86d0a273cc81b3236d9f8a5f47b586fec84c)
See: http://www.ca.tcpdump.org/cve/0002-test-case-files-for-CVE-2015-2153-2154-2155.patch
---
print-isoclns.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/print-isoclns.c b/print-isoclns.c
index 8552d02..f870dce 100644
--- a/print-isoclns.c
+++ b/print-isoclns.c
@@ -3092,9 +3092,15 @@ osi_print_cksum (const u_int8_t *pptr, u_int16_t checksum,
u_int checksum_offset, u_int length)
{
u_int16_t calculated_checksum;
-
- /* do not attempt to verify the checksum if it is zero */
- if (!checksum) {
+ /* do not attempt to verify the checksum if it is zero,
+ * if the total length is nonsense,
+ * if the offset is nonsense,
+ * or the base pointer is not sane
+ */
+ if (!checksum
+ || length > snaplen
+ || checksum_offset > snaplen
+ || checksum_offset > length) {
printf("(unverified)");
} else {
calculated_checksum = create_osi_cksum(pptr, checksum_offset, length);
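Review bot: The new condition in osi_print_cksum bounds `length` and `checksum_offset` by `snaplen`, which is the configured capture limit and not the number of captured bytes left after `pptr`. A `length` that passes can therefore still extend past the end of the captured data when `pptr` points well into the packet or the packet was captured short; `create_osi_cksum` is not visible here, so this assumes it reads `length` bytes from `pptr`. If the tree's usual bounds macro is in scope in this file, a check against the real buffer end would be tighter, e.g. `|| !TTEST2(*pptr, length)`. The comment also lists "the base pointer is not sane" as a reason to skip verification, but no term in the condition tests `pptr`, so either add that check or drop the line from the comment. Note that `checksum_offset == length` is still accepted, which is worth confirming against how `create_osi_cksum` handles the two checksum bytes; the function body continues past the end of this hunk.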
--
2.3.4