(for 4.9.3) CVE-2018-14879/fix -V to fail invalid input safely
get_next_file() did not check the return value of strlen() and
underflowed an array index if the line read by fgets() from the file
started with \0. This caused an out-of-bounds read and could cause a
write. Add the missing check.

This vulnerability was discovered by Brian Carpenter & Geeknik Labs.
infrastation authored and fxlb committed Aug 27, 2019
1 parent d750527 commit 9ba9138
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions tcpdump.c
Expand Up @@ -699,13 +699,15 @@ static char *
get_next_file(FILE *VFile, char *ptr)
{
char *ret;
size_t len;

ret = fgets(ptr, PATH_MAX, VFile);
if (!ret)
return NULL;

if (ptr[strlen(ptr) - 1] == '\n')
ptr[strlen(ptr) - 1] = '\0';
len = strlen (ptr);
if (len > 0 && ptr[len - 1] == '\n')
ptr[len - 1] = '\0';

return ret;
}
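Review bot: In the new `if (len > 0 && ptr[len - 1] == '\n')` check, the len == 0 case is now memory-safe but falls through silently, so get_next_file() returns a non-NULL pointer to an empty string when the line read by fgets() starts with \0. A one-line comment above `len = strlen (ptr);` should say that fgets() can return a buffer whose first byte is \0, so a later cleanup does not remove the guard as redundant. It should also be stated, or handled here, what an empty name means for the caller, which this hunk does not show. Minor style point: `strlen (ptr)` has a space before the parenthesis, while `fgets(ptr, PATH_MAX, VFile)` earlier in the same function does not.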