Remote crash in tcpdump from OpenBSD

[Przemyslaw Frasunek <venglin () freebsd lublin pl>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- -------- Original Message --------
Subject: user/3610: repetable tcpdump remote crash
Resent-Date: Sat, 20 Dec 2003 08:55:02 -0700 (MST)
Resent-From: gnats () cvs openbsd org (GNATS Filer)
Resent-To: bugs () cvs openbsd org
Date: Sat, 20 Dec 2003 16:42:25 +0100 (CET)
From: venglin () freebsd lublin pl
Reply-To: venglin () freebsd lublin pl
To: gnats () openbsd org

> Number:         3610
> Category:       user
> Synopsis:       repetable tcpdump remote crash
> Confidential:   yes
> Severity:       critical
> Priority:       high
> Responsible:    bugs
> State:          open
> Quarter:
> Keywords:
> Date-Required:
> Class:          sw-bug
> Submitter-Id:   net
> Arrival-Date:   Sat Dec 20 15:50:02 GMT 2003
> Closed-Date:
> Last-Modified:
> Originator:     Przemyslaw Frasunek
> Release:        3.3-RELEASE
> Organization:
net
> Environment:
        System      : OpenBSD 3.3
        Architecture: OpenBSD.i386
        Machine     : i386
> Description:
        Sending a packet containg 0xff,0x02 bytes to port 1701/udp causes
        a L2TP protocol parser in tcpdump to enter an infinite loop, eating
        all available memory and then segfaulting.

        This bug also affects tcpdump in -CURRENT.
> How-To-Repeat:
        tcpdump -i lo0 -n udp and dst port 1701 &
        perl -e 'print "\xff\x02"' | nc -u localhost 1701
> Fix:
        Unknown, recent versions of tcpdump are immune to this problem.


> Release-Note:
> Audit-Trail:
> Unformatted:


- --
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *
* JID: venglin () jabber atman pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/5HfykxEnBiV4/K0RApAkAKDMw3qheVAkGu3v2EvoCoq07C8ZYgCgh9sl
ZjwiNzK9di8oSMQ1XK/YF+g=
=Q0AT
-----END PGP SIGNATURE-----