Bugtraq mailing list archives

Re: Remote crash in tcpdump from OpenBSD
From: <mrh_tech () yahoo com>
Date: 21 Dec 2003 17:48:37 -0000

In-Reply-To: <3FE4CAC1.8010306 () freebsd lublin pl>

When an l2tp control packet is sent with optional bits set but containing invalid data, l2tp_avp_print() is passed this bad data.
Then, l2tp_avp_print() calls itself and continues an infinite loop of passing bad data to itself.

I had consistent results sending:
\x82 (control+length bits)
\0x02 (version) then 10 bytes of zeros.

This is in print-l2tp.c
Lines: ~566-616

After commenting out (breaking the infinite loop):
~609: l2tp_avp_print(dat + len, length - len);
I was no longer able to crash tcpdump.

Obviously, properly validating the input is the real solution.

Tested on: OpenBSD 3.3 and 3.4 
tcpdump: 3.4.0
libpcap: 0.5

Thanks,
Mike
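
The input validation the post calls the real solution, sketched as an added example (not code from the post or from tcpdump): an iterative AVP walk that rejects any length field that cannot advance the cursor. The function name l2tp_avp_walk and the sample buffers are hypothetical; the AVP layout (10-bit length that includes a 6-byte header) is taken from RFC 2661, and it is an assumption that the non-terminating case is an AVP length that makes no forward progress, as a run of zero bytes would.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define L2TP_AVP_HDR_LEN  6       /* flags+length (2), vendor ID (2), attribute type (2) */
#define L2TP_AVP_LEN_MASK 0x03ff  /* low 10 bits of the first 16-bit word */

/* Walk a buffer of AVPs with a loop instead of self-recursion.
 * Returns the number of well-formed AVPs, or -1 on the first malformed one. */
static int l2tp_avp_walk(const uint8_t *dat, size_t length)
{
    int count = 0;

    while (length > 0) {
        if (length < L2TP_AVP_HDR_LEN)
            return -1;                      /* truncated header */

        size_t len = (((size_t)dat[0] << 8) | dat[1]) & L2TP_AVP_LEN_MASK;

        if (len < L2TP_AVP_HDR_LEN)
            return -1;                      /* covers len == 0: cursor would never advance */
        if (len > length)
            return -1;                      /* AVP claims more bytes than remain */

        dat += len;                         /* len >= 6 here, so progress is guaranteed */
        length -= len;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t sample_zeros[10] = { 0 };            /* all-zero AVP area */
static const uint8_t sample_valid[8] = {                  /* M bit set, length 8 */
    0x80, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
static const uint8_t sample_overlong[8] = {               /* length 32 in an 8-byte buffer */
    0x80, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };

int main(void)
{
    printf("zeros:    %d\n", l2tp_avp_walk(sample_zeros, sizeof sample_zeros));
    printf("valid:    %d\n", l2tp_avp_walk(sample_valid, sizeof sample_valid));
    printf("overlong: %d\n", l2tp_avp_walk(sample_overlong, sizeof sample_overlong));
    return 0;
}
```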



