tcpdump mailing list archives

Re: Seg fault of tcpdump (v 3.8.1 and below) with malformed l2tp packets


From: Guy Harris <guy () alum mit edu>
Date: Fri, 26 Dec 2003 15:22:24 -0800

On Wed, Dec 24, 2003 at 10:20:44AM -0500, MH wrote:
The issue is with the way the l2tp_avp_print() and print_octets() functions in 
file print-l2tp.c handle input.  In particular it seems this is in its handling of a bad 
length value.  Even if the control message packet does not specify a length 
option (violation of RFC 2661) tcpdump will still try to interpret the length field 
instead of raising an error/shunning due to this malformed packet.  The seg fault 
occurs when l2tp_avp_print() passes a bad length argument to print_octets() and sends 
it looping until it segfaults.

I've checked into the main and x.8 branches changes to check, at the
beginning of "l2tp_avp_print()", that

        1) "len" is >= 6;

        2) "len" is <= length;

and, if either of those are false, to quit dissecting and report
truncation.

Those should fix the problem - check them with the current CVS version
of tcpdump (or the next "current tar files" that come out, with version
1.17 or later of print-l2tp.c).
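The two checks described above, as an added worked example in C: this is not tcpdump's print-l2tp.c, but a small stand-alone AVP walker written for this page that applies the same rule at the top of the loop ("len" at least the 6-byte AVP header, and no larger than the bytes remaining) and stops with a truncation result otherwise. The structure names, the helper functions and the three sample AVP lists are constructed for illustration and are assumptions, not tcpdump identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* L2TP AVP header (RFC 2661 4.1): 2 bytes of M/H flags plus a 10-bit length
 * covering the whole AVP, then 2-byte Vendor ID and 2-byte Attribute Type. */
#define L2TP_AVP_HDR_LEN  6
#define L2TP_AVP_LEN_MASK 0x03ff
#define L2TP_AVP_M_BIT    0x8000
#define L2TP_AVP_H_BIT    0x4000

enum { L2TP_OK = 0, L2TP_TRUNC = -1 };

struct l2tp_avp {                 /* hypothetical, not a tcpdump type */
    int mandatory, hidden;
    uint16_t vendor_id, attr_type;
    const uint8_t *value;         /* points into the caller's buffer, never past it */
    size_t value_len;
};

static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hex-dump an AVP value; the caller guarantees value_len bytes are present. */
static void print_octets(const uint8_t *v, size_t n)
{
    for (size_t i = 0; i < n; i++)
        printf("%02x", v[i]);
    putchar('\n');
}

/* Walk the AVP list of a control message body. The check at the top of the
 * loop is the one the fix describes: an AVP whose length field is below the
 * 6-byte header or larger than the bytes remaining stops dissection and is
 * reported as truncation. Without it a length field of 0 makes len - 6 wrap
 * to SIZE_MAX and the octet printer walks off the end of the packet. */
int l2tp_walk_avps(const uint8_t *p, size_t length,
                   struct l2tp_avp *out, size_t max_out, size_t *n_out)
{
    size_t n = 0;
    while (length > 0) {
        if (length < 2)
            goto trunc;                     /* not even a flags/length word */
        uint16_t flags = get_be16(p);
        size_t len = flags & L2TP_AVP_LEN_MASK;
        if (len < L2TP_AVP_HDR_LEN || len > length)
            goto trunc;
        if (n < max_out) {
            out[n].mandatory = (flags & L2TP_AVP_M_BIT) != 0;
            out[n].hidden    = (flags & L2TP_AVP_H_BIT) != 0;
            out[n].vendor_id = get_be16(p + 2);
            out[n].attr_type = get_be16(p + 4);
            out[n].value     = p + L2TP_AVP_HDR_LEN;
            out[n].value_len = len - L2TP_AVP_HDR_LEN;
        }
        n++;
        p += len;
        length -= len;
    }
    *n_out = n;
    return L2TP_OK;
trunc:
    *n_out = n;
    return L2TP_TRUNC;
}

/* Constructed sample AVP lists (hand-written for this example, not captures). */
static const uint8_t good_avps[] = {
    0x80, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,   /* M=1, len 8, Message Type = SCCRQ */
    0x80, 0x08, 0x00, 0x00, 0x00, 0x02, 0x01, 0x00,   /* M=1, len 8, Protocol Version 1.0 */
};
static const uint8_t zero_len_avp[] = {
    0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,   /* length field 0: below the minimum */
};
static const uint8_t overlong_avp[] = {
    0x80, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,   /* valid first AVP */
    0x83, 0xff, 0x00, 0x00, 0x00, 0x02, 0x01, 0x00,   /* claims 1023 bytes, only 8 remain */
};

/* Number of AVPs accepted, or -1 if the walker reported truncation;
 * *parsed receives how many AVPs were dissected before stopping. */
static int count_or_trunc(const uint8_t *pkt, size_t len, size_t *parsed)
{
    struct l2tp_avp avps[8];
    size_t n = 0;
    int rc = l2tp_walk_avps(pkt, len, avps, 8, &n);
    if (parsed) *parsed = n;
    return rc == L2TP_OK ? (int)n : -1;
}

int avps_in_good_packet(void)     { return count_or_trunc(good_avps, sizeof good_avps, NULL); }
int avps_in_zero_len_packet(void) { return count_or_trunc(zero_len_avp, sizeof zero_len_avp, NULL); }
int avps_in_overlong_packet(void) { return count_or_trunc(overlong_avp, sizeof overlong_avp, NULL); }
size_t avps_before_overlong_trunc(void)
{
    size_t n;
    count_or_trunc(overlong_avp, sizeof overlong_avp, &n);
    return n;
}

int main(void)
{
    struct l2tp_avp avps[8];
    size_t n;
    if (l2tp_walk_avps(good_avps, sizeof good_avps, avps, 8, &n) == L2TP_OK)
        for (size_t i = 0; i < n; i++) {
            printf("AVP vendor=%u type=%u M=%d value=", avps[i].vendor_id,
                   avps[i].attr_type, avps[i].mandatory);
            print_octets(avps[i].value, avps[i].value_len);
        }
    printf("zero-length AVP: %s\n", avps_in_zero_len_packet() < 0 ? "truncated" : "ok");
    printf("overlong AVP: %s after %zu AVP(s)\n",
           avps_in_overlong_packet() < 0 ? "truncated" : "ok", avps_before_overlong_trunc());
    return 0;
}
```

The order of the two comparisons matters only for readability: both must hold before any byte past the flags/length word is touched, so the check sits before the Vendor ID and Attribute Type reads, not after them. The upper bound is compared against the bytes remaining in the message body, not against the AVP's own header, which is what catches the second sample's claimed 1023-byte AVP.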
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
