- Update to nb1 for security issues

- Patches from tcpdump.org CVS tree

4 files changed, 74 insertions, 0 deletions

diff --git a/net/tcpdump/patches/patch-ac b/net/tcpdump/patches/patch-ac
new file mode 100644
index 00000000000..1765e75e9e2
--- /dev/null
+++ b/net/tcpdump/patches/patch-ac
@@ -0,0 +1,13 @@
+$NetBSD: patch-ac,v 1.1 2005/05/28 14:15:23 adrianp Exp $
+
+--- print-bgp.c.orig	2005-05-06 09:08:17.000000000 +0100
++++ print-bgp.c
+@@ -1216,6 +1216,8 @@ bgp_attr_print(const struct bgp_attr *at
+                             tptr = pptr + len;
+                             break;
+ 			}
++			if (advance < 0) /* infinite loop protection */
++				break;
+ 			tptr += advance;
+ 		}
+ 		break;
diff --git a/net/tcpdump/patches/patch-ad b/net/tcpdump/patches/patch-ad
new file mode 100644
index 00000000000..acc19ca4364
--- /dev/null
+++ b/net/tcpdump/patches/patch-ad
@@ -0,0 +1,23 @@
+$NetBSD: patch-ad,v 1.1 2005/05/28 14:15:23 adrianp Exp $
+
+--- print-isoclns.c.orig	2005-05-06 09:11:15.000000000 +0100
++++ print-isoclns.c
+@@ -1506,6 +1506,9 @@ static int isis_print (const u_int8_t *p
+                tlv_type,
+                tlv_len);
+ 
++	if (tlv_len == 0) /* something is malformed */
++		break;
++
+         /* now check if we have a decoder otherwise do a hexdump at the end*/
+ 	switch (tlv_type) {
+ 	case TLV_AREA_ADDR:
+@@ -1536,7 +1539,7 @@ static int isis_print (const u_int8_t *p
+ 	    break;
+ 
+         case TLV_ISNEIGH_VARLEN:
+-            if (!TTEST2(*tptr, 1))
++            if (!TTEST2(*tptr, 1) || tmp < 3) /* min. TLV length */
+ 		goto trunctlv;
+ 	    lan_alen = *tptr++; /* LAN adress length */
+             tmp --;
diff --git a/net/tcpdump/patches/patch-ae b/net/tcpdump/patches/patch-ae
new file mode 100644
index 00000000000..2087889ff04
--- /dev/null
+++ b/net/tcpdump/patches/patch-ae
@@ -0,0 +1,14 @@
+$NetBSD: patch-ae,v 1.1 2005/05/28 14:15:23 adrianp Exp $
+
+--- print-ldp.c.orig	2005-05-06 09:17:24.000000000 +0100
++++ print-ldp.c
+@@ -326,6 +326,9 @@ ldp_print(register const u_char *pptr, r
+                EXTRACT_32BITS(&ldp_msg_header->id),
+                LDP_MASK_U_BIT(EXTRACT_16BITS(&ldp_msg_header->type)) ? "continue processing" : "ignore");
+ 
++	if (msg_len == 0) /* infinite loop protection */
++		break;
++
+         msg_tptr=tptr+sizeof(struct ldp_msg_header);
+         msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4; /* Type & Length fields not included */
+ 
diff --git a/net/tcpdump/patches/patch-af b/net/tcpdump/patches/patch-af
new file mode 100644
index 00000000000..b1ebead6b4f
--- /dev/null
+++ b/net/tcpdump/patches/patch-af
@@ -0,0 +1,24 @@
+$NetBSD: patch-af,v 1.1 2005/05/28 14:15:23 adrianp Exp $
+
+--- print-rsvp.c.orig	2004-03-24 04:01:08.000000000 +0000
++++ print-rsvp.c
+@@ -875,10 +875,17 @@ rsvp_print(register const u_char *pptr, 
+             switch(rsvp_obj_ctype) {
+             case RSVP_CTYPE_IPV4:
+                 while(obj_tlen >= 4 ) {
+-                    printf("\n\t    Subobject Type: %s",
++                    printf("\n\t    Subobject Type: %s, length %u",
+                            tok2str(rsvp_obj_xro_values,
+                                    "Unknown %u",
+-                                   RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)));                
++                                   RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)),
++                           *(obj_tptr+1));                
++
++                    if (*(obj_tptr+1) == 0) { /* prevent infinite loops */
++                        printf("\n\t      ERROR: zero length ERO subtype");
++                        break;
++                    }
++
+                     switch(RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)) {
+                     case RSVP_OBJ_XRO_IPV4:
+                         printf(", %s, %s/%u, Flags: [%s]",