Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Remote crash in tcpdump from OpenBSD
From: Otto Moerbeek <otto () drijf net>
Date: Sat, 7 Aug 2004 20:45:30 +0200 (CEST)

On Fri, 6 Aug 2004, Balaram Amgoth wrote:

In-Reply-To: <20031221174837.14808.qmail () sf-www3-symnsj securityfocus com>

Hi Mike,
Will the following packet be enough to reproduce this problem.

char packet[] = "\x82\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

FYI, this is a report from December 2003. This has been fixed in OpenBSD
3.4-stable and (then -current, now) 3.5. Feel free to expore this further, but I don't think this is very interesting material for this list, more than 7 months after the original report.


Thanks for your time in advance


Received: (qmail 9162 invoked from network); 22 Dec 2003 22:59:01 -0000
Received: from outgoing2.securityfocus.com (
 by mail.securityfocus.com with SMTP; 22 Dec 2003 22:59:01 -0000
Received: from lists2.securityfocus.com (lists2.securityfocus.com [])
        by outgoing2.securityfocus.com (Postfix) with QMQP
        id 910C48F350; Mon, 22 Dec 2003 10:01:02 -0700 (MST)
Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq () securityfocus com>
List-Help: <mailto:bugtraq-help () securityfocus com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
Delivered-To: mailing list bugtraq () securityfocus com
Delivered-To: moderator for bugtraq () securityfocus com
Received: (qmail 20728 invoked from network); 21 Dec 2003 17:42:27 -0000
Date: 21 Dec 2003 17:48:37 -0000
Message-ID: <20031221174837.14808.qmail () sf-www3-symnsj securityfocus com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
From: <mrh_tech () yahoo com>
To: bugtraq () securityfocus com
Subject: Re: Remote crash in tcpdump from OpenBSD

In-Reply-To: <3FE4CAC1.8010306 () freebsd lublin pl>

When an l2tp control packet is sent with optional bits set but containing invalid data, l2tp_avp_print() is passed this 
bad data.
Then, l2tp_avp_print() calls itself and continues an infinite loop of passing bad data to itself.

I had the consistent results sending:
\x82 (control+length bits)
\0x02 (version) then 10 bytes of zeros.

This is in print-l2tp.c
Lines: ~566-616

After commenting out (breaking the infinite loop):
~609: l2tp_avp_print(dat + len, length - len);
I was no longer able to crash tcpdump.

Obviously, properly validating the input is the real solution.

Tested on: OpenBSD 3.3 and 3.4
tcpdump: 3.4.0
libpcap" 0.5


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]