author | salo <salo@pkgsrc.org> | 2005-12-10 21:55:35 +0000 |
---|---|---|
committer | salo <salo@pkgsrc.org> | 2005-12-10 21:55:35 +0000 |
commit | a9cce49cbe79e8cab40b1e7ef15812bae8f48c7a (patch) | |
tree | ab59264bb51ff0b350bed0189a4b10b6ecb28dfa /net | |
parent | fd8a8cf6e21c40e2cb3cafb9c1b4ae84098aebb1 (diff) | |
download | pkgsrc-a9cce49cbe79e8cab40b1e7ef15812bae8f48c7a.tar.gz |
Security fix for CVE-2005-3651:
"Remote exploitation of an input validation vulnerability in the OSPF
protocol dissectors within Ethereal, as included in various vendors
operating system distributions, could allow attackers to crash the
vulnerable process or potentially execute arbitrary code."
http://www.idefense.com/application/poi/display?id=349&type=vulnerabilities
Patch from the Ethereal SVN repository.
Diffstat (limited to 'net')
-rw-r--r-- | net/ethereal/Makefile | 4 | ||||
-rw-r--r-- | net/ethereal/distinfo | 3 | ||||
-rw-r--r-- | net/ethereal/patches/patch-ac | 64 |
3 files changed, 68 insertions, 3 deletions
diff --git a/net/ethereal/Makefile b/net/ethereal/Makefile
index 1e4f01dbe90..0393dc5a6f6 100644
--- a/net/ethereal/Makefile
+++ b/net/ethereal/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.120 2005/12/05 23:55:13 rillig Exp $
+# $NetBSD: Makefile,v 1.121 2005/12/10 21:55:35 salo Exp $
 DISTNAME= ethereal-0.10.13
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= net
 MASTER_SITES= http://www.ethereal.com/distribution/ \
 http://ethereal.planetmirror.com/distribution/ \
diff --git a/net/ethereal/distinfo b/net/ethereal/distinfo
index 00186c8791d..12c56f54b4c 100644
--- a/net/ethereal/distinfo
+++ b/net/ethereal/distinfo
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.45 2005/11/01 20:28:56 frueauf Exp $
+$NetBSD: distinfo,v 1.46 2005/12/10 21:55:35 salo Exp $
 SHA1 (ethereal-0.10.13.tar.bz2) = 4ed2014a1ede6bdb05fbe99b0469a030c7794a13
 RMD160 (ethereal-0.10.13.tar.bz2) = 54f6431ac2d807e0d7dd896af71463d340c66107
 Size (ethereal-0.10.13.tar.bz2) = 8029087 bytes
 SHA1 (patch-aa) = 0513b971c0af032fc64fc181fbd64d78aef0d044
 SHA1 (patch-ab) = bfbefb0ae66607068e21d0912a15a72606ab8ea8
+SHA1 (patch-ac) = 101cbc6315b2ad9732b70d697295ad8e4a389dcd
diff --git a/net/ethereal/patches/patch-ac b/net/ethereal/patches/patch-ac
new file mode 100644
index 00000000000..ecf0e1b9514
--- /dev/null
+++ b/net/ethereal/patches/patch-ac
@@ -0,0 +1,64 @@
+$NetBSD: patch-ac,v 1.5 2005/12/10 21:55:35 salo Exp $
+
+Security fix for CVE-2005-3651, from Ethereal SVN tree.
+
+--- epan/dissectors/packet-ospf.c.orig 2005-10-10 15:23:02.000000000 +0200
++++ epan/dissectors/packet-ospf.c 2005-12-10 21:40:23.000000000 +0100
+@@ -2321,39 +2321,28 @@
+ static void dissect_ospf_v3_address_prefix(tvbuff_t *tvb, int offset, int prefix_length, proto_tree *tree)
+ {
+
+- guint8 value;
+- guint8 position;
+- guint8 bufpos;
+- gchar *buffer;
+- gchar *bytebuf;
+- guint8 bytes_to_process;
+- int start_offset;
+-
+- start_offset=offset;
+- position=0;
+- bufpos=0;
+- bytes_to_process=((prefix_length+31)/32)*4;
+-
+- buffer=ep_alloc(32+7);
+- while (bytes_to_process > 0 ) {
+-
+- value=tvb_get_guint8(tvb, offset);
++ int bytes_to_process;
++ struct e_in6_addr prefix;
+
+- if ( (position > 0) && ( (position%2) == 0 ) )
+- buffer[bufpos++]=':';
++ bytes_to_process=((prefix_length+31)/32)*4;
+
+- bytebuf=ep_alloc(3);
+- g_snprintf(bytebuf, 3, "%02x",value);
+- buffer[bufpos++]=bytebuf[0];
+- buffer[bufpos++]=bytebuf[1];
+-
+- position++;
+- offset++;
+- bytes_to_process--;
++ if (prefix_length > 128) {
++ proto_tree_add_text(tree, tvb, offset, bytes_to_process,
++ "Address Prefix: length is invalid (%d, should be <= 128)",
++ prefix_length);
++ return;
+ }
+
+- buffer[bufpos]=0;
+- proto_tree_add_text(tree, tvb, start_offset, ((prefix_length+31)/32)*4, "Address Prefix: %s",buffer);
++ memset(prefix.bytes, 0, sizeof prefix.bytes);
++ if (bytes_to_process != 0) {
++ tvb_memcpy(tvb, prefix.bytes, offset, bytes_to_process);
++ if (prefix_length % 8) {
++ prefix.bytes[bytes_to_process - 1] &=
++ ((0xff00 >> (prefix_length % 8)) & 0xff);
++ }
++ }
++ proto_tree_add_text(tree, tvb, offset, bytes_to_process,
++ "Address Prefix: %s", ip6_to_str(&prefix));
+
+ }
+ |
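Review bot: The new guard in dissect_ospf_v3_address_prefix bounds `prefix_length` only from above, yet the parameter is a signed `int`, so a sufficiently negative value would make `bytes_to_process` negative and still reach `tvb_memcpy` and the `prefix.bytes[bytes_to_process - 1]` write. Whether any caller can pass a negative value is not visible here, since the callers are outside the hunk, but the check is cheap to close with `if (prefix_length < 0 || prefix_length > 128) {`. Separately, the mask is applied to the last byte of the 32-bit-padded copy rather than to the byte that holds the final prefix bits. For a length such as 9, the non-prefix bits in byte 1 are therefore shown unmasked while byte 3 is masked instead; if the intent is to clear bits beyond the prefix, indexing with `prefix.bytes[prefix_length / 8]` would hit the intended byte.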