>>>>> nergal writes:
nergal> Hello, I have sent the following to [EMAIL PROTECTED],
nergal> received no response. Could someone authoritative at least
nergal> confirm the existence of the outlined problems.
>> 2) Stack buffer overflow in smi_decode_oid()
>>
>> smi_decode_oid() parses data from the network and places the results
>> in the location pointed to by its second argument (named oid). No
>> bounds are checked. The offending line 905 (placed in a loop) in
>> print-snmp.c reads:
>>
>>     oid[(*oidlen)++] = o;
>>
>> smi_decode_oid() is called e.g. by smi_print_variable():
>>
>>     static SmiNode *smi_print_variable(struct be *elem)
>>     {
>>         unsigned int oid[128], oidlen;
>>         SmiNode *smiNode = NULL;
>>         int i;
>>
>>         smi_decode_oid(elem, oid, &oidlen);
>>
>> As we see, the "oid" array can be overflowed. Remote code execution is
>> imaginable. One must notice that in order to exploit this flaw:
>> a) tcpdump must be compiled with #define LIBSMI
>> b) tcpdump must be run with -m flag
>> c) probably snaplen must be larger than default, around 200
The following patch should cure the problem. Can someone please put it
into the CVS?
/js
Index: print-snmp.c
===================================================================
RCS file: /tcpdump/master/tcpdump/print-snmp.c,v
retrieving revision 1.47
diff -u -r1.47 print-snmp.c
--- print-snmp.c 2001/03/22 02:06:43 1.47
+++ print-snmp.c 2001/04/23 14:29:55
@@ -849,7 +849,7 @@
};
static void smi_decode_oid(struct be *elem, unsigned int *oid,
- unsigned int *oidlen)
+ unsigned int oidsize, unsigned int *oidlen)
{
u_char *p = (u_char *)elem->data.raw;
u_int32_t asnlen = elem->asnlen;
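Review bot: the new `oidsize` parameter is an element count, not a byte size, and nothing in the hunk says so; a one-line comment above the definition ("oidsize: number of entries oid[] can hold") would stop a future caller from passing `sizeof(oid)`. Changing the prototype is the right way to do this, since any caller the patch misses now fails to compile instead of overflowing silently.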
@@ -865,10 +865,14 @@
*/
if (first < 0) {
first = 0;
- oid[(*oidlen)++] = o/OIDMUX;
+ if (*oidlen < oidsize) {
+ oid[(*oidlen)++] = o/OIDMUX;
+ }
o %= OIDMUX;
}
- oid[(*oidlen)++] = o;
+ if (*oidlen < oidsize) {
+ oid[(*oidlen)++] = o;
+ }
o = 0;
}
}
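Review bot: when `*oidlen` reaches `oidsize` both `if (*oidlen < oidsize)` checks drop the sub-identifier silently and the loop keeps parsing (`o = 0;` and on to the next byte), so the caller receives a truncated OID with no indication that anything was lost. smiGetNodeByOID() is then looked up on a prefix of the real OID and can resolve to an ancestor node rather than failing. Suggest giving smi_decode_oid() a return value and breaking out of the loop on the first dropped entry, e.g. `if (*oidlen >= oidsize) return -1;` before each store, so the callers can fall back to asn1_print(elem) the way they already do when no node is found.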
@@ -965,7 +969,7 @@
SmiNode *smiNode = NULL;
int i;
- smi_decode_oid(elem, oid, &oidlen);
+ smi_decode_oid(elem, oid, sizeof(oid)/sizeof(unsigned int), &oidlen);
smiNode = smiGetNodeByOID(oidlen, oid);
if (! smiNode) {
asn1_print(elem);
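Review bot: `sizeof(oid)/sizeof(unsigned int)` repeats the element type; `sizeof(oid)/sizeof(oid[0])` gives the same count and stays correct if the array type ever changes. The expression also only works because `oid` is the local `unsigned int oid[128]` here; if a caller is ever refactored to receive `oid` as a pointer it collapses to the pointer-size ratio without a diagnostic, which is another reason to wrap it in a named macro next to the array declaration.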
@@ -1048,7 +1052,9 @@
if (smiType->basetype == SMI_BASETYPE_BITS) {
/* print bit labels */
} else {
- smi_decode_oid(elem, oid, &oidlen);
+ smi_decode_oid(elem, oid,
+ sizeof(oid)/sizeof(unsigned int),
+ &oidlen);
smiNode = smiGetNodeByOID(oidlen, oid);
if (smiNode) {
if (vflag) {
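Review bot: this is the second copy of the `sizeof(oid)/sizeof(unsigned int)` size expression in the file; a single macro (for example `#define OID_ELEMS(a) (sizeof(a)/sizeof((a)[0]))`) defined once near the top and used in both smi_print_variable() and this call site keeps the two in sync and makes the continuation-line wrapping here unnecessary.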
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
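The decoder below is an added example, not tcpdump's code and not part of nergal's report or js's patch. It shows the BER sub-identifier parse the report describes (base-128 bytes with a continuation bit, first sub-identifier split as X*40+Y) first in the unbounded form, where every completed sub-identifier is stored with oid[(*oidlen)++] and nothing limits the number of stores, and then in a bounded form that takes the array size and reports truncation instead of writing past the end. The names decode_oid_unbounded, decode_oid_bounded, MAX_OID and build_long_oid, the status codes, and the two input buffers are assumptions made for the example; the inputs are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OIDMUX 40     /* first encoded sub-id packs two arcs as X*40 + Y */
#define MAX_OID 128   /* size of the caller's oid[] in smi_print_variable */

/* Unbounded decoder: the pattern the report describes. Each completed
 * sub-identifier is stored with oid[(*oidlen)++] and nothing compares
 * *oidlen with the array size, so the packet dictates the number of
 * stores. Only safe when oid[] is provably large enough. */
void decode_oid_unbounded(const uint8_t *p, size_t len,
                          unsigned int *oid, unsigned int *oidlen)
{
    uint32_t o = 0;
    int first = -1;
    *oidlen = 0;
    for (size_t i = 0; i < len; i++) {
        o = (o << 7) | (p[i] & 0x7f);   /* 7 payload bits per byte */
        if (p[i] & 0x80)
            continue;                    /* high bit set: sub-id continues */
        if (first < 0) {
            first = 0;
            oid[(*oidlen)++] = o / OIDMUX;
            o %= OIDMUX;
        }
        oid[(*oidlen)++] = o;
        o = 0;
    }
}

/* Bounded decoder: same parse, but the caller passes the element count of
 * oid[] and the function returns -2 instead of storing past the end, and
 * -1 for a sub-id that overflows 32 bits or a dangling continuation byte.
 * On return *oidlen is the number of entries actually stored. */
int decode_oid_bounded(const uint8_t *p, size_t len,
                       unsigned int *oid, unsigned int oidsize,
                       unsigned int *oidlen)
{
    uint32_t o = 0;
    int first = -1;
    *oidlen = 0;
    for (size_t i = 0; i < len; i++) {
        if (o > (UINT32_MAX >> 7))
            return -1;                   /* next shift would lose bits */
        o = (o << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80)
            continue;
        if (first < 0) {
            first = 0;
            if (*oidlen >= oidsize)
                return -2;               /* array full: stop, do not store */
            oid[(*oidlen)++] = o / OIDMUX;
            o %= OIDMUX;
        }
        if (*oidlen >= oidsize)
            return -2;
        oid[(*oidlen)++] = o;
        o = 0;
    }
    if (len > 0 && (p[len - 1] & 0x80))
        return -1;                       /* encoding ends mid sub-identifier */
    return 0;
}

/* Constructed input: sysDescr.0 = 1.3.6.1.2.1.1.1.0 in BER.
 * 0x2b = 1*40 + 3, then one byte per remaining arc. */
static const uint8_t sysdescr_oid[] = { 0x2b, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00 };

/* Constructed hostile input: 0x2b followed by n single-byte arcs, which
 * decodes to n + 2 sub-identifiers and exceeds MAX_OID once n > MAX_OID - 2. */
size_t build_long_oid(uint8_t *buf, size_t n)
{
    buf[0] = 0x2b;
    memset(buf + 1, 0x01, n);
    return n + 1;
}

/* How many entries the unbounded decoder stores for the hostile input,
 * measured with a scratch array large enough to hold all of them; the
 * excess over MAX_OID is what lands beyond oid[128] on tcpdump's stack. */
unsigned int unbounded_write_count(size_t n)
{
    uint8_t buf[512];
    unsigned int scratch[1024], oidlen;
    size_t len = build_long_oid(buf, n);
    decode_oid_unbounded(buf, len, scratch, &oidlen);
    return oidlen;
}

/* Same hostile input through the bounded decoder into a MAX_OID array:
 * returns the status and stores the number of entries kept. */
int bounded_decode_status(size_t n, unsigned int *stored)
{
    uint8_t buf[512];
    unsigned int oid[MAX_OID];
    size_t len = build_long_oid(buf, n);
    return decode_oid_bounded(buf, len, oid, MAX_OID, stored);
}
```

With n = 200 the unbounded decoder stores 202 entries, 74 past the end of a 128-entry array, while the bounded decoder stops after 128 and returns -2, which a caller can treat exactly like an OID that smiGetNodeByOID() does not know and print with asn1_print() instead.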