Diffstat (limited to 'gnu/packages/patches/tcpdump-CVE-2017-11541.patch')
-rw-r--r-- gnu/packages/patches/tcpdump-CVE-2017-11541.patch 47
1 files changed, 47 insertions, 0 deletions
diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11541.patch b/gnu/packages/patches/tcpdump-CVE-2017-11541.patch
new file mode 100644
index 0000000000..a9fc632dc2
--- /dev/null
+++ b/gnu/packages/patches/tcpdump-CVE-2017-11541.patch
@@ -0,0 +1,47 @@
+Fix CVE-2017-11541
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11541
+
+Patch copied from upstream source repository:
+
+https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280
+
+From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001
+From: Guy Harris <guy@alum.mit.edu>
+Date: Tue, 7 Feb 2017 11:40:36 -0800
+Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before
+ checking for a NUL terminator.
+
+safeputs() doesn't do packet bounds checking of its own; it assumes that
+the caller has checked the availability in the packet data of all maxlen
+bytes of data. This means we should check that we're within the
+specified limit before looking at the byte.
+
+This fixes a buffer over-read discovered by Kamil Frankowicz.
+
+Add a test using the capture file supplied by the reporter(s).
+---
+ tests/TESTLIST | 1 +
+ tests/hoobr_safeputs.out | 2 ++
+ tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes
+ util-print.c | 2 +-
+ 4 files changed, 4 insertions(+), 1 deletion(-)
+ create mode 100644 tests/hoobr_safeputs.out
+ create mode 100644 tests/hoobr_safeputs.pcap
+
+diff --git a/util-print.c b/util-print.c
+index 394e7d59..ec3e8de8 100644
+--- a/util-print.c
++++ b/util-print.c
+@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo,
+ {
+ u_int idx = 0;
+
+- while (*s && idx < maxlen) {
++ while (idx < maxlen && *s) {
+ safeputchar(ndo, *s);
+ idx++;
+ s++;
+--
+2.14.1
+
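Review bot: the embedded upstream header still lists tests/TESTLIST, tests/hoobr_safeputs.out and tests/hoobr_safeputs.pcap under "4 files changed", but the body carries only the util-print.c hunk, so the header no longer describes what this patch applies. Add a sentence to the comment at the top, next to "Patch copied from upstream source repository:", stating that the test additions were left out, so nobody expects the reporter's capture file to be exercised by this package. On the code change itself, `while (idx < maxlen && *s)` depends on short-circuit evaluation so that `*s` is not read once idx reaches maxlen. That matches the commit message's point that the caller only guarantees maxlen bytes, and it also covers a maxlen of 0, where the old order read one byte before checking the limit.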