Bugtraq mailing list archives
Re: Remote crash in tcpdump from OpenBSD
From: <mrh_tech () yahoo com>
Date: 21 Dec 2003 17:48:37 -0000
In-Reply-To: <3FE4CAC1.8010306 () freebsd lublin pl>

When an l2tp control packet is sent with optional bits set but containing invalid data, l2tp_avp_print() is passed this bad data. Then, l2tp_avp_print() calls itself and continues an infinite loop of passing bad data to itself.

I had consistent results sending: \x82 (control+length bits) \0x02 (version) then 10 bytes of zeros.

This is in print-l2tp.c, lines ~566-616.

After commenting out (breaking the infinite loop):

    ~609: l2tp_avp_print(dat + len, length - len);

I was no longer able to crash tcpdump. Obviously, properly validating the input is the real solution.

Tested on:
OpenBSD 3.3 and 3.4
tcpdump: 3.4.0
libpcap: 0.5

Thanks,
Mike
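The input validation the message above asks for, as an added example (not tcpdump's code and not the poster's): an iterative AVP walker that rejects any length field smaller than the 6-byte AVP header, because a zero length would leave `dat + len, length - len` pointing at the same data on every call. The header layout is taken from RFC 2661; `avp_walk`, `avp_cb` and the status names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AVP_HDR_LEN  6u       /* flags+length (2), vendor ID (2), attribute type (2) */
#define AVP_LEN_MASK 0x03ffu  /* length is the low 10 bits of the first 16-bit word */

enum avp_status { AVP_OK = 0, AVP_TRUNCATED = -1, AVP_BAD_LENGTH = -2 };

/* Hypothetical per-AVP callback; a printer would decode the value here. */
typedef void (*avp_cb)(uint16_t vendor, uint16_t type,
                       const uint8_t *val, size_t val_len, void *ctx);

/*
 * Walk the AVPs in buf[0..remaining). Iterative, so stack use is constant,
 * and each pass consumes at least AVP_HDR_LEN bytes, so the loop terminates.
 * Returns AVP_OK or a negative status; *count receives the AVPs accepted.
 */
int avp_walk(const uint8_t *buf, size_t remaining, avp_cb cb, void *ctx,
             size_t *count)
{
    size_t n = 0;
    int rc = AVP_OK;

    while (remaining > 0) {
        if (remaining < AVP_HDR_LEN) { rc = AVP_TRUNCATED; break; }
        size_t len = (((size_t)buf[0] << 8) | buf[1]) & AVP_LEN_MASK;
        if (len < AVP_HDR_LEN) { rc = AVP_BAD_LENGTH; break; } /* covers len == 0 */
        if (len > remaining)   { rc = AVP_TRUNCATED;  break; } /* runs past capture */
        if (cb)
            cb((uint16_t)((buf[2] << 8) | buf[3]), (uint16_t)((buf[4] << 8) | buf[5]),
               buf + AVP_HDR_LEN, len - AVP_HDR_LEN, ctx);
        buf += len;          /* always advances by >= AVP_HDR_LEN */
        remaining -= len;
        n++;
    }
    if (count) *count = n;
    return rc;
}

int main(void)
{
    /* Constructed sample: an all-zero AVP area, so the length field is 0. */
    const uint8_t zeros[10] = {0};
    size_t n = 0;
    int rc = avp_walk(zeros, sizeof zeros, NULL, NULL, &n);
    printf("status=%d avps=%zu\n", rc, n);
    return 0;
}
```

A printer built on this would report the malformed AVP and stop instead of recursing.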
Current thread:
- Remote crash in tcpdump from OpenBSD Przemyslaw Frasunek (Dec 20)
- Re: Remote crash in tcpdump from OpenBSD Henning Brauer (Dec 20)
- Re: Remote crash in tcpdump from OpenBSD Przemyslaw Frasunek (Dec 20)
- <Possible follow-ups>
- Re: Remote crash in tcpdump from OpenBSD mrh_tech (Dec 22)
- Re: Remote crash in tcpdump from OpenBSD Henning Brauer (Dec 20)