On Wed, Sep 04, 2002 at 10:52:30PM -0700, Rob Braun wrote:
> If tcpdump receives a packet with a link layer address length
> specified as 0, tcpdump will try to index into the address with
> (unsigned)-1.  This prevents that invalid memory access (and subsequent crash).
> I encountered this with arp requests/responses with the link layer
> address length field (struct arphdr).ar_hln == 0;

Try it with the current CVS version of tcpdump; it checks both the
hardware address length to make sure it's not 0 *AND* the protocol
address length to make sure it's 4 and, if neither is true, it prints
the output the same way it does for protocol types other than IP and
Ethernet-trailer-IP.

> Index: addrtoname.c
> ===================================================================
> RCS file: /tcpdump/master/tcpdump/addrtoname.c,v
> retrieving revision 1.92
> diff -u -d -r1.92 addrtoname.c
> --- addrtoname.c        2002/08/07 13:53:21     1.92
> +++ addrtoname.c        2002/09/05 05:50:53
> @@ -447,6 +447,9 @@
>         register char *cp;
>         register struct enamemem *tp;
>  
> +       if (len == 0)
> +               return NULL;
> +
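Review bot: the new `if (len == 0) return NULL;` path trades the out-of-bounds read for a NULL pointer that callers hand straight to printf("%s"); that is undefined behaviour and only happens to print "(null)" on some libcs. Return a short literal instead (for example `return "<empty>";`), or make every caller test for NULL before formatting, so the zero-length case is handled rather than relocated.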

That could still cause a crash, as there's no guarantee that

        printf("%s\n", NULL);

won't crash.  *Some* "printf" implementations print "(null)" in that
case, but others don't.
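The two points of this thread, rejecting a zero link-layer length before indexing and never returning NULL to a printf("%s") caller, as an added example that is not tcpdump's code nor either poster's; the struct, the sample packets and the "<empty>" / "[|arp]" markers are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
/* Fixed part of an ARP header, fields named as in struct arphdr (constructed; not tcpdump's code). */
struct arp_hdr {
    uint16_t ar_hrd, ar_pro;   /* hardware and protocol type */
    uint8_t  ar_hln, ar_pln;   /* hardware and protocol address length */
    uint16_t ar_op;
};
/* Colon-separated hex for a link-layer address. len == 0 is rejected
 * before any indexing (a loop bound of len - 1 on an unsigned wraps to
 * a huge value), and the result is never NULL, so printf("%s") is safe. */
const char *linkaddr_string(const uint8_t *addr, unsigned len)
{
    static const char hex[] = "0123456789abcdef";
    static char buf[3 * 255];          /* ar_hln is at most 255 */
    if (len == 0)
        return "<empty>";
    if (len > 255)
        return "<too long>";
    for (unsigned i = 0; i < len; i++) {
        buf[3 * i]     = hex[addr[i] >> 4];
        buf[3 * i + 1] = hex[addr[i] & 0x0f];
        buf[3 * i + 2] = (i + 1 < len) ? ':' : '\0';
    }
    return buf;
}
/* The check the reply attributes to CVS tcpdump: Ethernet/IP style
 * output only for a non-zero hardware length and a 4-byte protocol length. */
int arp_eth_ip_printable(const struct arp_hdr *h)
{
    return h->ar_hln != 0 && h->ar_pln == 4;
}
/* Sender hardware address of an ARP packet; never indexes into the
 * address area when the header lengths are bogus or the data is short. */
const char *arp_sender_hw(const uint8_t *pkt, size_t pktlen)
{
    struct arp_hdr h;
    if (pktlen < sizeof h)
        return "[|arp]";
    memcpy(&h, pkt, sizeof h);         /* avoids unaligned header access */
    if (!arp_eth_ip_printable(&h))
        return "<arp: unsupported hln/pln>";
    if (pktlen < sizeof h + h.ar_hln)
        return "[|arp]";
    return linkaddr_string(pkt + sizeof h, h.ar_hln);
}

/* Constructed samples: a well-formed Ethernet/IPv4 request and the ar_hln == 0 packet. */
const uint8_t arp_good[] = { 0,1, 8,0, 6,4, 0,1, 0x00,0x11,0x22,0x33,0x44,0x55 };
const uint8_t arp_hln0[] = { 0,1, 8,0, 0,4, 0,1 };
```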
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe