From 98dbf64c62124b8826e15aa22c72f08346964cd9 Mon Sep 17 00:00:00 2001 From: Peter Avalos Date: Wed, 1 Aug 2007 22:24:34 +0000 Subject: [PATCH] Fix for CVE-2007-3798 obtained from the vendor. This is already included in a newer version of tcpdump. --- usr.sbin/tcpdump/tcpdump/Makefile | 3 +- usr.sbin/tcpdump/tcpdump/print-bgp.c.patch | 91 ++++++++++++++++++++++++++++++ 2 files changed, 93 insertions(+), 1 deletion(-) create mode 100644 usr.sbin/tcpdump/tcpdump/print-bgp.c.patch diff --git a/usr.sbin/tcpdump/tcpdump/Makefile b/usr.sbin/tcpdump/tcpdump/Makefile index 6ab5c7aae7..7b96fa29b7 100644 --- a/usr.sbin/tcpdump/tcpdump/Makefile +++ b/usr.sbin/tcpdump/tcpdump/Makefile @@ -1,5 +1,5 @@ # $FreeBSD: src/usr.sbin/tcpdump/tcpdump/Makefile,v 1.25.2.6 2002/07/05 11:30:32 fenner Exp $ -# $DragonFly: src/usr.sbin/tcpdump/tcpdump/Makefile,v 1.9 2007/03/16 13:18:13 sephe Exp $ +# $DragonFly: src/usr.sbin/tcpdump/tcpdump/Makefile,v 1.10 2007/08/01 22:24:34 pavalos Exp $ TCPDUMP_DISTDIR?= ${.CURDIR}/../../../contrib/tcpdump-3.9 @@ -46,6 +46,7 @@ SRCS+= print-ip6.c print-ip6opts.c print-mobility.c \ CONTRIBDIR= ${TCPDUMP_DISTDIR} SRCS+= print-ospf6.c.patch print-802_11.c.patch tcpdump.1.no_obj.patch +SRCS+= print-bgp.c.patch CFLAGS+= -DINET6 .endif .if ${MACHINE_ARCH} != "i386" diff --git a/usr.sbin/tcpdump/tcpdump/print-bgp.c.patch b/usr.sbin/tcpdump/tcpdump/print-bgp.c.patch new file mode 100644 index 0000000000..d31d9868a3 --- /dev/null +++ b/usr.sbin/tcpdump/tcpdump/print-bgp.c.patch 
@@ -0,0 +1,91 @@ +$DragonFly: src/usr.sbin/tcpdump/tcpdump/Attic/print-bgp.c.patch,v 1.1 2007/08/01 22:24:34 pavalos Exp $ + +Index: print-bgp.c +=================================================================== +RCS file: /home/dcvs/src/contrib/tcpdump-3.9/print-bgp.c,v +retrieving revision 1.1.1.1 +diff -u -r1.1.1.1 print-bgp.c +--- print-bgp.c 25 Dec 2006 00:17:39 -0000 1.1.1.1 ++++ print-bgp.c 1 Aug 2007 21:57:48 -0000 +@@ -650,6 +650,26 @@ + return -2; + } + ++/* ++ * As I remember, some versions of systems have an snprintf() that ++ * returns -1 if the buffer would have overflowed. If the return ++ * value is negative, set buflen to 0, to indicate that we've filled ++ * the buffer up. ++ * ++ * If the return value is greater than buflen, that means that ++ * the buffer would have overflowed; again, set buflen to 0 in ++ * that case. ++ */ ++#define UPDATE_BUF_BUFLEN(buf, buflen, strlen) \ ++ if (strlen<0) \ ++ buflen=0; \ ++ else if ((u_int)strlen>buflen) \ ++ buflen=0; \ ++ else { \ ++ buflen-=strlen; \ ++ buf+=strlen; \ ++ } ++ + static int + decode_labeled_vpn_l2(const u_char *pptr, char *buf, u_int buflen) + { +@@ -660,11 +680,13 @@ + tlen=plen; + pptr+=2; + TCHECK2(pptr[0],15); ++ buf[0]='\0'; + strlen=snprintf(buf, buflen, "RD: %s, CE-ID: %u, Label-Block Offset: %u, Label Base %u", + bgp_vpn_rd_print(pptr), + EXTRACT_16BITS(pptr+8), + EXTRACT_16BITS(pptr+10), + EXTRACT_24BITS(pptr+12)>>4); /* the label is offsetted by 4 bits so lets shift it right */ ++ UPDATE_BUF_BUFLEN(buf, buflen, strlen); + pptr+=15; + tlen-=15; + +@@ -680,23 +702,32 @@ + + switch(tlv_type) { + case 1: +- strlen+=snprintf(buf+strlen,buflen-strlen, "\n\t\tcircuit status vector (%u) length: %u: 0x", +- tlv_type, +- tlv_len); ++ if (buflen!=0) { ++ strlen=snprintf(buf,buflen, "\n\t\tcircuit status vector (%u) length: %u: 0x", ++ tlv_type, ++ tlv_len); ++ UPDATE_BUF_BUFLEN(buf, buflen, strlen); ++ } + ttlv_len=ttlv_len/8+1; /* how many bytes do we need to read ? 
*/ + while (ttlv_len>0) { + TCHECK(pptr[0]); +- strlen+=snprintf(buf+strlen,buflen-strlen, "%02x",*pptr++); ++ if (buflen!=0) { ++ strlen=snprintf(buf,buflen, "%02x",*pptr++); ++ UPDATE_BUF_BUFLEN(buf, buflen, strlen); ++ } + ttlv_len--; + } + break; + default: +- snprintf(buf+strlen,buflen-strlen, "\n\t\tunknown TLV #%u, length: %u", +- tlv_type, +- tlv_len); ++ if (buflen!=0) { ++ strlen=snprintf(buf,buflen, "\n\t\tunknown TLV #%u, length: %u", ++ tlv_type, ++ tlv_len); ++ UPDATE_BUF_BUFLEN(buf, buflen, strlen); ++ } + break; + } +- tlen-=(tlv_len<<3); /* the tlv-length is expressed in bits so lets shift it tright */ ++ tlen-=(tlv_len<<3); /* the tlv-length is expressed in bits so lets shift it right */ + } + return plen+2; + -- 2.11.4.GIT
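Review bot: In the circuit-status-vector loop (`case 1`), the `*pptr++` has moved inside the new `if (buflen!=0)` guard, so once the output buffer is full the read cursor stops advancing: the remaining `ttlv_len` iterations re-check and re-read the same byte, and the loop ends with `pptr` short of the vector's end by however many bytes did not fit. Whether `pptr` is consumed after the loop cannot be seen here (the inner patch's hunks cut through `decode_labeled_vpn_l2`; its body between and after them is outside this view), but a cursor position that depends on the caller's buffer size is a latent parsing bug rather than a formatting one. Keep the advance unconditional: `if (buflen!=0) { strlen=snprintf(buf,buflen, "%02x",*pptr); UPDATE_BUF_BUFLEN(buf, buflen, strlen); }` followed by `pptr++;`. Separately, `UPDATE_BUF_BUFLEN` expands to a bare `if`/`else if`/`else` chain; wrapping the expansion in `do { ... } while (0)` makes it safe as a single statement under an unbraced `if`/`else` and turns the trailing `;` callers already write into part of the statement rather than an empty one.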