BugTraq
Re: Remote crash in tcpdump from OpenBSD Dec 21 2003 05:48PM
mrh_tech yahoo com
In-Reply-To: <3FE4CAC1.8010306 (at) freebsd.lublin (dot) pl [email concealed]>

When an l2tp control packet is sent with optional bits set but containing invalid data, l2tp_avp_print() is passed this bad data.

Then, l2tp_avp_print() calls itself and continues an infinite loop of passing bad data to itself.

I had consistent results sending:

\x82 (control+length bits)

\x02 (version) then 10 bytes of zeros.

This is in print-l2tp.c

Lines: ~566-616

After commenting out (breaking the infinite loop):

~609: l2tp_avp_print(dat + len, length - len);

I was no longer able to crash tcpdump.

Obviously, properly validating the input is the real solution.

Tested on: OpenBSD 3.3 and 3.4

tcpdump: 3.4.0

libpcap: 0.5

Thanks,

Mike

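The loop described in the post, as an added example that is neither tcpdump's print-l2tp.c nor code from the message: a small C model of the AVP walk, with a naive recursive version beside a hardened iterative one, run over the twelve bytes the report lists and over a constructed, well-formed SCCRQ. Header layout and the 10-bit AVP length come from RFC 2661; the function and constant names (l2tp_ctrl_avps, NAIVE_DEPTH_CAP, AVP_BAD_LEN and the rest) are this example's own, and the depth cap is a stand-in for the stack that the real recursion exhausts.

```c
#include <stdint.h>
#include <stdio.h>

/* L2TP header flag bits (RFC 2661, first 16 bits of every message). */
#define L2TP_FLAG_T   0x8000  /* control message */
#define L2TP_FLAG_L   0x4000  /* Length field present */
#define L2TP_FLAG_S   0x0800  /* Ns/Nr present */
#define L2TP_FLAG_O   0x0200  /* Offset Size present */
#define L2TP_VER_MASK 0x000f
#define L2TP_AVP_HDR_LEN  6       /* flags/length, vendor ID, attribute type */
#define L2TP_AVP_LEN_MASK 0x03ff  /* low 10 bits of the first AVP word */
#define NAIVE_DEPTH_CAP   64      /* stand-in for the real stack limit */

enum { AVP_TRUNC = -1, AVP_BAD_LEN = -2, AVP_LOOP = -3, HDR_BAD = -4 };

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Naive walker, modelled on the recursive print loop the report describes:
 * read the AVP length and recurse on (dat + len, length - len) with no lower
 * bound on len, so len == 0 recurses on identical arguments until the stack
 * is gone. The depth cap is only here so the demonstration returns. */
static int walk_avps_naive(const uint8_t *dat, size_t length, int depth)
{
    unsigned len;
    int rest;
    if (length == 0) return 0;
    if (depth == 0) return AVP_LOOP;
    if (length < 2) return AVP_TRUNC;
    len = get16(dat) & L2TP_AVP_LEN_MASK;
    if (len > length) return AVP_TRUNC;
    rest = walk_avps_naive(dat + len, length - len, depth - 1);
    return rest < 0 ? rest : rest + 1;
}

/* Hardened walker: iterative, and each AVP must be at least a full header
 * long and fit in what remains, so every step consumes at least 6 bytes. */
static int walk_avps_hardened(const uint8_t *dat, size_t length)
{
    int count = 0;
    while (length > 0) {
        unsigned len;
        if (length < 2) return AVP_TRUNC;
        len = get16(dat) & L2TP_AVP_LEN_MASK;
        if (len < L2TP_AVP_HDR_LEN) return AVP_BAD_LEN;  /* the reported case */
        if (len > length) return AVP_TRUNC;
        dat += len;
        length -= len;
        count++;
    }
    return count;
}

/* Offset of the AVP list: optional fields are sized from the flag bits. The
 * Length field is not trusted (the report's packet carries zeros there). */
static int l2tp_avp_offset(const uint8_t *pkt, size_t pktlen, size_t *off)
{
    uint16_t flags;
    size_t hdr = 2;                                  /* flags + version */
    if (pktlen < 2) return HDR_BAD;
    flags = get16(pkt);
    if ((flags & L2TP_VER_MASK) != 2 || !(flags & L2TP_FLAG_T)) return HDR_BAD;
    if (flags & L2TP_FLAG_L) hdr += 2;               /* Length */
    hdr += 4;                                        /* Tunnel ID, Session ID */
    if (flags & L2TP_FLAG_S) hdr += 4;               /* Ns, Nr */
    if (flags & L2TP_FLAG_O) {                       /* Offset Size, then pad */
        if (hdr + 2 > pktlen) return HDR_BAD;
        hdr += 2 + get16(pkt + hdr);
    }
    if (hdr > pktlen) return HDR_BAD;
    *off = hdr;
    return 0;
}

/* Entry point: AVP count on success, negative error otherwise. */
int l2tp_ctrl_avps(const uint8_t *pkt, size_t pktlen, int hardened)
{
    size_t off;
    if (l2tp_avp_offset(pkt, pktlen, &off) < 0) return HDR_BAD;
    return hardened ? walk_avps_hardened(pkt + off, pktlen - off)
                    : walk_avps_naive(pkt + off, pktlen - off, NAIVE_DEPTH_CAP);
}

/* Constructed inputs. crash_pkt is the twelve bytes from the report, 0x82 0x02
 * then ten zeros (flags 0x8202: T and O bits set, version 2). sccrq_pkt is a
 * well-formed SCCRQ: T, L, S set, Length 28, two 8-byte AVPs (types 0 and 2). */
static const uint8_t crash_pkt[] = { 0x82, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t sccrq_pkt[] = {
    0xC8, 0x02, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x80, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x80, 0x08, 0x00, 0x00, 0x00, 0x02, 0x01, 0x00
};

int main(void)
{
    printf("report packet: naive=%d hardened=%d; SCCRQ: naive=%d hardened=%d\n",
           l2tp_ctrl_avps(crash_pkt, sizeof crash_pkt, 0),
           l2tp_ctrl_avps(crash_pkt, sizeof crash_pkt, 1),
           l2tp_ctrl_avps(sccrq_pkt, sizeof sccrq_pkt, 0),
           l2tp_ctrl_avps(sccrq_pkt, sizeof sccrq_pkt, 1));
    return 0;
}
```

The naive walker returns AVP_LOOP for the report's packet only because of the cap; without it the call never returns, which is the crash. The hardened walker rejects the same bytes with AVP_BAD_LEN at the first AVP, and the minimum-length check is the one that matters: once every accepted AVP consumes at least six bytes, the walk is bounded by the captured length no matter what the packet claims.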

