|author||Jacques Vidrine <nectar@FreeBSD.org>||2002-07-12 13:31:44 +0000|
|committer||Jacques Vidrine <nectar@FreeBSD.org>||2002-07-12 13:31:44 +0000|
MFC 1.6: Correct a buffer overflow when handling malformed NFS
Notes: svn path=/releng/4.4/; revision=99870
2 files changed, 13 insertions, 2 deletions
@@ -18,6 +18,9 @@ minimal number of processes, if possible, for that patch. For those
updates that don't have an advisory, or to be safe, you can do a full
build and install as described in the COMMON ITEMS section.
+20020712: p15 FreeBSD-SA-02:29.tcpdump
+ A buffer overflow in tcpdump has been corrected.
20020711: p15 FreeBSD-SA-02:30.ktrace
Prevent users from tracing previously privileged processes.
diff --git a/contrib/tcpdump/interface.h b/contrib/tcpdump/interface.h
index 2459764d7b69..af069cb2f2dc 100644
@@ -132,8 +132,16 @@ extern int snaplen;
extern const u_char *packetp;
extern const u_char *snapend;
-/* True if "l" bytes of "var" were captured */
-#define TTEST2(var, l) ((u_char *)&(var) <= snapend - (l))
+ * True if "l" bytes of "var" were captured.
+ * The "snapend - (l) <= snapend" checks to make sure "l" isn't so large
+ * that "snapend - (l)" underflows.
+ * The check is for <= rather than < because "l" might be 0.
+#define TTEST2(var, l) (snapend - (l) <= snapend && \
+ (const u_char *)&(var) <= snapend - (l))
/* True if "var" was captured */
#define TTEST(var) TTEST2(var, sizeof(var))