Threat level definition
Search:
Home
Bugtraq
Vulnerabilities
Mailing Lists
Jobs
Tools
Beta Programs
News
Infocus
Foundations
Microsoft
Unix
IDS
Incidents
Virus
Pen-Test
Firewalls
Columnists
Mailing Lists
Newsletters
Bugtraq
Focus on IDS
Focus on Linux
Focus on Microsoft
Forensics
Pen-test
Security Basics
Vuln Dev
Vulnerabilities
Jobs
Job Opportunities
Resumes
Job Seekers
Employers
Tools
RSS
News
Vulns
Security Research
BugTraq
Back to list
|
Post reply
Re: Remote crash in tcpdump from OpenBSD
Dec 21 2003 05:48PM
mrh_tech yahoo com
In-Reply-To: <3FE4CAC1.8010306 (at) freebsd.lublin (dot) pl [email concealed]>
When an l2tp control packet is sent with optional bits set but containing invalid data, l2tp_avp_print() is passed this bad data.
Then, l2tp_avp_print() calls itself and continues an infinite loop of passing bad data to itself.
I had the consistent results sending:
\x82 (control+length bits)
\0x02 (version) then 10 bytes of zeros.
This is in print-l2tp.c
Lines: ~566-616
After commenting out (breaking the infinite loop):
~609: l2tp_avp_print(dat + len, length - len);
I was no longer able to crash tcpdump.
Obviously, properly validating the input is the real solution.
Tested on: OpenBSD 3.3 and 3.4
tcpdump: 3.4.0
libpcap" 0.5
Thanks,
Mike
[ reply ]
Privacy Statement
Copyright 2009, SecurityFocus
When an l2tp control packet is sent with optional bits set but containing invalid data, l2tp_avp_print() is passed this bad data.
Then, l2tp_avp_print() calls itself and continues an infinite loop of passing bad data to itself.
I had the consistent results sending:
\x82 (control+length bits)
\0x02 (version) then 10 bytes of zeros.
This is in print-l2tp.c
Lines: ~566-616
After commenting out (breaking the infinite loop):
~609: l2tp_avp_print(dat + len, length - len);
I was no longer able to crash tcpdump.
Obviously, properly validating the input is the real solution.
Tested on: OpenBSD 3.3 and 3.4
tcpdump: 3.4.0
libpcap" 0.5
Thanks,
Mike
[ reply ]