On Wed, Dec 24, 2003 at 10:20:44AM -0500, MH wrote:
> The issue is with the way the l2tp_avp_print() and print_octets() functions in
> file print-l2tp.c handle input. In particular it seems this is in its handling of a
> bad length value. Even if the control message packet does not specify a length
> option (violation of RFC 2661) tcpdump will still try to interpret the length field
> instead of raising an error/shunning due to this malformed packet. The segfault
> occurs when l2tp_avp_print() passes a bad length argument to print_octets() and
> sends it looping until it segfaults.
I've checked into the main and x.8 branches changes to check, at the
beginning of "l2tp_avp_print()", that
1) "len" is >= 6;
2) "len" is <= length;
and, if either of those are false, to quit dissecting and report
truncation.
Those should fix the problem - check them with the current CVS version
of tcpdump (or the next "current tar files" that come out, with version
1.17 or later of print-l2tp.c).
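The two checks described in the reply, written out as a small AVP walker. This is an added example, not tcpdump's own print-l2tp.c code: it assumes the RFC 2661 AVP header layout (a 2-byte flags/length word with a 10-bit length that includes the 6-byte header, a 2-byte vendor ID and a 2-byte attribute type), and the sample byte strings are constructed here to exercise the good case and the malformed length values the check rejects.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define L2TP_AVP_HDR_LEN 6
#define L2TP_AVP_LEN_MASK 0x03ffu

static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Walk the AVP list of an L2TP control message (assumed RFC 2661 section 4.1
 * layout: 2-byte flags/length word, 2-byte vendor ID, 2-byte attribute type,
 * then the value). Returns the number of AVPs decoded, or -1 with *truncated
 * set when an AVP length field is inconsistent with the bytes present. */
int l2tp_avp_walk(const uint8_t *dat, size_t length, int *truncated)
{
    int count = 0;
    *truncated = 0;
    while (length > 0) {
        /* A full header must be present before any field is read from it. */
        if (length < L2TP_AVP_HDR_LEN) {
            *truncated = 1;
            return -1;
        }
        uint16_t len = get_be16(dat) & L2TP_AVP_LEN_MASK;
        /* The two checks from the fix: len must cover at least the 6-byte
         * header (len == 0 would never advance the walk, and len < 6 would
         * make the value length wrap), and len must not exceed the bytes
         * remaining in the packet. Either failure is reported as truncation. */
        if (len < L2TP_AVP_HDR_LEN || len > length) {
            *truncated = 1;
            return -1;
        }
        uint16_t vendor = get_be16(dat + 2);
        uint16_t type = get_be16(dat + 4);
        size_t vlen = len - L2TP_AVP_HDR_LEN;
        printf("AVP vendor=%u type=%u len=%u value=",
               (unsigned)vendor, (unsigned)type, (unsigned)len);
        /* The value is printed with a bound derived from the validated len,
         * so a print_octets-style loop cannot run past the buffer. */
        for (size_t i = 0; i < vlen; i++)
            printf("%02x", dat[L2TP_AVP_HDR_LEN + i]);
        putchar('\n');
        dat += len;
        length -= len;
        count++;
    }
    return count;
}

/* Constructed sample AVP lists (not taken from the report). */
const uint8_t avps_good[] = {
    0x80, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, /* Message Type = 1 (SCCRQ) */
    0x80, 0x08, 0x00, 0x00, 0x00, 0x02, 0x01, 0x00  /* Protocol Version 1.0 */
};
const uint8_t avps_zero_len[] = {
    0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01  /* length field is 0 */
};
const uint8_t avps_short_len[] = {
    0x80, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01  /* length 4 < 6-byte header */
};
const uint8_t avps_overlong[] = {
    0x83, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01  /* claims 1023 bytes, 8 present */
};

int main(void)
{
    int trunc;
    int n = l2tp_avp_walk(avps_good, sizeof avps_good, &trunc);
    printf("good: %d AVPs, truncated=%d\n", n, trunc);
    n = l2tp_avp_walk(avps_zero_len, sizeof avps_zero_len, &trunc);
    printf("zero length: %d, truncated=%d\n", n, trunc);
    n = l2tp_avp_walk(avps_short_len, sizeof avps_short_len, &trunc);
    printf("short length: %d, truncated=%d\n", n, trunc);
    n = l2tp_avp_walk(avps_overlong, sizeof avps_overlong, &trunc);
    printf("overlong: %d, truncated=%d\n", n, trunc);
    return 0;
}
```

The value loop is bounded by `len - 6` only after `len` has passed both checks, which is the property the fix restores: every byte the printer touches lies inside the captured packet, and a bad length ends the dissection with a truncation report instead of a crash.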
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html