On Sun, Jan 04, 2004 at 10:23:42PM +0100, Jonathan Heusser wrote:
| Hello,
|
| besides the l2tp vulnerability mentioned on this list this month, I found
| two other locations in the code which an attacker could use to crash, or
| in the worst case exploit, tcpdump.
|
| The first critical piece of code is found in print-isakmp.c:332. The
| function rawprint() does not check its arguments, thus it's easy for an
| attacker to pass a big 'len' or a bogus 'loc', leading to a segmentation
| fault in the for loop. rawprint() gets called at various places in
| print-isakmp.c.
|
| The second bug is located in print-radius.c:471. The for loop of
| print_attr_string() is written in an unsafe manner. 'length' and 'data'
| should be checked. print_attr_string() is called via a function pointer
| from radius_attr_print() line 784, where no upper bound for
| 'rad_attr->len' is defined. This leads to a segmentation fault as well.
checked in your [unicast] patch in 3_8 and head;

/hannes

-
This is the TCPDUMP workers list.
It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]
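Both reports above describe one bug class: a loop whose trip count is a length lifted from the packet and never compared with the end of the captured data. The following is an added example, not tcpdump's code; the function names, the RADIUS-style type/length/value layout and the sample packet are constructed here. It places an unchecked hex dump beside a bounds-checked one and uses the checked version in an attribute walk that stops at a length byte claiming more than the bytes that remain.

```c
/* Added example, not tcpdump's code.  rawprint_unchecked() mirrors the
 * pattern described in the report (a trusted 'len' driving a read loop);
 * rawprint_checked() shows the fix; walk_attrs() applies the same check to
 * a RADIUS-style attribute list.  Names and sample packet are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: 'len' comes from the packet and is trusted, so a
 * large value (or a bogus 'loc') reads past the captured buffer. */
static void rawprint_unchecked(const uint8_t *loc, size_t len)
{
    for (size_t i = 0; i < len; i++)
        printf("%02x", loc[i]);
}

/* Hardened version: refuse the dump unless [loc, loc+len) lies inside
 * [start, snapend).  Writes lowercase hex into 'out' and returns the number
 * of bytes dumped, or -1 if the range or the output buffer is too small. */
static int rawprint_checked(const uint8_t *loc, size_t len,
                            const uint8_t *start, const uint8_t *snapend,
                            char *out, size_t outsz)
{
    if (loc < start || loc > snapend)       /* bogus pointer */
        return -1;
    if (len > (size_t)(snapend - loc))      /* claimed length overruns the capture */
        return -1;
    if (outsz < 2 * len + 1)                /* two hex chars per byte plus NUL */
        return -1;
    for (size_t i = 0; i < len; i++)
        snprintf(out + 2 * i, 3, "%02x", loc[i]);
    out[2 * len] = '\0';
    return (int)len;
}

/* Constructed attribute list: 1-byte type, 1-byte length (header included),
 * then value.  Two well-formed attributes, then one whose length byte (0xff)
 * claims far more than the 4 bytes that remain in the capture. */
static const uint8_t sample_pkt[] = {
    0x01, 0x06, 'a', 'l', 'i', 'c',             /* type 1, len 6, value "alic" */
    0x04, 0x06, 0x0a, 0x00, 0x00, 0x01,         /* type 4, len 6, value 10.0.0.1 */
    0x1a, 0xff, 0x00, 0x00                      /* type 26, len 255: lying length */
};

/* Walk the list, dumping each value with the checked routine.  Returns the
 * number of attributes fully parsed; *truncated is set when the walk stops
 * because a length does not fit in the captured data. */
static int walk_attrs(const uint8_t *pkt, size_t caplen, int *truncated)
{
    const uint8_t *p = pkt, *snapend = pkt + caplen;
    char hex[2 * 255 + 1];
    int count = 0;

    *truncated = 0;
    while (p < snapend) {
        if ((size_t)(snapend - p) < 2) {    /* need type and length bytes */
            *truncated = 1;
            break;
        }
        uint8_t type = p[0], alen = p[1];
        if (alen < 2 || alen > (size_t)(snapend - p)) {  /* the missing upper bound */
            *truncated = 1;
            break;
        }
        if (rawprint_checked(p + 2, alen - 2u, pkt, snapend, hex, sizeof hex) < 0) {
            *truncated = 1;
            break;
        }
        printf("attr type %u len %u value %s\n", (unsigned)type, (unsigned)alen, hex);
        count++;
        p += alen;
    }
    return count;
}

/* Fixed-input helpers so results can be checked without any setup. */
int sample_attr_count(void)
{
    int t;
    return walk_attrs(sample_pkt, sizeof sample_pkt, &t);
}

int sample_was_truncated(void)
{
    int t;
    walk_attrs(sample_pkt, sizeof sample_pkt, &t);
    return t;
}

/* Outcome of dumping 'claimed' bytes from the first value byte of the sample. */
int dump_with_claimed_len(size_t claimed)
{
    char hex[64];
    return rawprint_checked(sample_pkt + 2, claimed, sample_pkt,
                            sample_pkt + sizeof sample_pkt, hex, sizeof hex);
}

int main(void)
{
    printf("unchecked dump of the first value: ");
    rawprint_unchecked(sample_pkt + 2, 4);  /* in bounds here; a packet-supplied len need not be */
    printf("\n");
    printf("parsed %d attributes, truncated=%d\n",
           sample_attr_count(), sample_was_truncated());
    return 0;
}
```

The walk parses the two well-formed attributes and stops at the third instead of reading 253 bytes past the end of the buffer; the same check, expressed against the end of the captured data rather than the declared length, is what the two reported loops lack.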
