Skip to content

Commit 9ba9138

Browse files
infrastationfxlb
authored andcommitted
(for 4.9.3) CVE-2018-14879/fix -V to fail invalid input safely
get_next_file() did not check the return value of strlen() and underflowed an array index if the line read by fgets() from the file started with \0. This caused an out-of-bounds read and could cause a write. Add the missing check. This vulnerability was discovered by Brian Carpenter & Geeknik Labs.
1 parent d750527 commit 9ba9138

File tree

1 file changed

+4
-2
lines changed

1 file changed

+4
-2
lines changed

Diff for: tcpdump.c

+4-2
Original file line numberDiff line numberDiff line change
@@ -699,13 +699,15 @@ static char *
699699
get_next_file(FILE *VFile, char *ptr)
700700
{
701701
char *ret;
702+
size_t len;
702703

703704
ret = fgets(ptr, PATH_MAX, VFile);
704705
if (!ret)
705706
return NULL;
706707

707-
if (ptr[strlen(ptr) - 1] == '\n')
708-
ptr[strlen(ptr) - 1] = '\0';
708+
len = strlen (ptr);
709+
if (len > 0 && ptr[len - 1] == '\n')
710+
ptr[len - 1] = '\0';
709711

710712
return ret;
711713
}

0 commit comments

Comments
 (0)