On Sun, Dec 17, 2000 at 12:52:06PM -0800, Bill Fenner wrote:
> I'm happy to have more than 2 people doing the audit but it's not obvious
> that there are more than 2 stuckees =)
Some packet printers, when doing bounds checking, look only at the
actual packet length - this isn't good enough, as the captured length
may be less than the actual length.

Others look only at the captured length, or they use the
TCHECK/TCHECK2/TTEST/TTEST2 macros which, in effect, look only at the
captured length, or they directly use "snapend", which, in effect, looks
only at the captured length.

I suppose a sufficiently bogus capture could have the actual packet
length *less* than the captured length; should we either arrange that

    1) "sf_next_packet()", in "libpcap/savefile.c", after doing
       checks for version 2.3 files without the lengths switch and
       checks for Solaris 2.3 bugs, either return an error if
       "caplen" is greater than "len" or silently truncate "caplen" to
       the minimum of "caplen" and "len"

or

    2) all the "XXX_if_print" routines in tcpdump do that check?

(I'd vote for silently truncating "caplen" in "sf_next_packet()", and,
whilst we're at it, auditing all the "pcap-XXX.c" files to make sure
they won't ever give you a "caplen" greater than "len" on a live
capture.)
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
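The two incomplete checks the mail describes (against the on-wire length only, or against the captured length only), the check a printer actually needs, and the "silently truncate caplen to len" option for the savefile reader, as an added C example that is not part of the original post and not libpcap's or tcpdump's own code. The struct pkt_hdr is a constructed stand-in for libpcap's per-packet header (caplen = bytes saved, len = length on the wire); the predicates len_only_ok, caplen_only_ok, in_bounds, sanitize_header and the toy ipv4_ttl printer are hypothetical names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for libpcap's per-packet header. */
struct pkt_hdr {
    uint32_t caplen;   /* bytes actually present in the capture buffer */
    uint32_t len;      /* length of the packet on the wire */
};

/* What the "silently truncate" option for sf_next_packet() would do:
 * clamp caplen to len so caplen can never exceed len downstream.
 * Returns 1 if the header had to be adjusted, 0 if it was already sane. */
int sanitize_header(struct pkt_hdr *h)
{
    if (h->caplen > h->len) {
        h->caplen = h->len;
        return 1;
    }
    return 0;
}

/* The two incomplete checks, written as predicates: each says whether a
 * read of `need` bytes at offset `off` would be accepted. Neither touches
 * packet memory, so they are safe to call with any header values. */
int len_only_ok(const struct pkt_hdr *h, size_t off, size_t need)
{
    /* Wrong when caplen < len: accepts reads past the captured bytes. */
    return off <= h->len && need <= h->len - off;
}

int caplen_only_ok(const struct pkt_hdr *h, size_t off, size_t need)
{
    /* Wrong for a bogus capture with caplen > len: accepts reads past
     * the real packet. */
    return off <= h->caplen && need <= h->caplen - off;
}

/* The check a printer actually needs: the read must fit inside BOTH the
 * captured bytes and the on-wire length, i.e. within min(caplen, len). */
int in_bounds(const struct pkt_hdr *h, size_t off, size_t need)
{
    uint32_t lim = h->caplen < h->len ? h->caplen : h->len;
    return off <= lim && need <= lim - off;
}

/* Toy printer: fetch the IPv4 TTL (byte 8 of the header), or -1 when the
 * capture does not contain that byte. Only reads after in_bounds() passes. */
int ipv4_ttl(const unsigned char *pkt, const struct pkt_hdr *h)
{
    if (!in_bounds(h, 8, 1))
        return -1;
    return pkt[8];
}

int main(void)
{
    /* Constructed 20-byte IPv4 header: version/IHL 0x45, TTL 64 at byte 8. */
    unsigned char ip[20] = {0x45, 0x00, 0x00, 0x14, 0, 0, 0, 0, 64, 17,
                            0, 0, 10, 0, 0, 1, 10, 0, 0, 2};

    /* Case 1: the snaplen cut the packet to 8 captured bytes. */
    struct pkt_hdr snapped = { 8, 20 };
    printf("len-only check accepts TTL read:   %d\n", len_only_ok(&snapped, 8, 1));
    printf("both-lengths check accepts it:     %d\n", in_bounds(&snapped, 8, 1));
    printf("ipv4_ttl -> %d\n", ipv4_ttl(ip, &snapped));

    /* Case 2: a bogus savefile record claims caplen (64) > len (20). */
    struct pkt_hdr bogus = { 64, 20 };
    printf("caplen-only check accepts byte 30: %d\n", caplen_only_ok(&bogus, 30, 1));
    printf("sanitize adjusted header: %d, caplen now %u\n",
           sanitize_header(&bogus), bogus.caplen);
    printf("ipv4_ttl -> %d\n", ipv4_ttl(ip, &bogus));
    return 0;
}
```

With the header clamped by sanitize_header(), a check against caplen alone becomes sufficient, which is why the mail prefers fixing it once in the savefile reader rather than in every XXX_if_print routine; in_bounds() shows what each printer would otherwise have to do itself.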