tcpdump mailing list archives
Re: multiple vulnerabilities in tcpdump 3.8.1
From: Hannes Gredler <hannes () juniper net>
Date: Wed, 7 Jan 2004 08:57:11 +0100
On Sun, Jan 04, 2004 at 10:23:42PM +0100, Jonathan Heusser wrote:
| Hello,
|
| besides the l2tp vulnerability mentioned on this list this month, I found
| two other locations in the code
| which an attacker could use to crash, or in the worst case exploit,
| tcpdump.
|
| The first critical piece of code is found in print-isakmp.c:332. The
| function rawprint() does not
| check its arguments thus it's easy for an attacker to pass a big 'len'
| or a bogus 'loc' leading to a
| segmentation fault in the for loop.
| rawprint() gets called at various places in print-isakmp.c.
|
| The second bug is located in print-radius.c:471. The for loop of
| print_attr_string() is written in an
| unsafe manner. 'length' and 'data' should be checked.
| print_attr_string() is called via a function pointer from
| radius_attr_print() line 784 where no upper bound
| for 'rad_attr->len' is defined. This leads to a segmentation fault as well.

checked in your [unicast] patch in 3_8 and head;

/hannes
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
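The kind of check the report asks for, as an added example that is not part of the original thread and is not tcpdump's code: a hex printer that clamps a claimed length to the bytes actually captured, and an attribute walk that rejects a length octet running past the capture. The names hex_bounded and walk_attrs, the offset-based interface and the sample packets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not tcpdump's rawprint()): hex-print at most `len`
 * bytes at offset `off`, clamped to the `caplen` bytes actually captured.
 * Returns the number of bytes printed, or -1 if `off` is outside the capture. */
static long hex_bounded(const uint8_t *pkt, size_t caplen, size_t off,
                        size_t len, char *out, size_t outsz)
{
    if (!pkt || !out || outsz == 0 || off > caplen)
        return -1;
    if (len > caplen - off)          /* claimed length exceeds the capture */
        len = caplen - off;
    if (len > (outsz - 1) / 2)       /* never overrun the output buffer */
        len = (outsz - 1) / 2;
    for (size_t i = 0; i < len; i++)
        snprintf(out + 2 * i, 3, "%02x", (unsigned)pkt[off + i]);
    out[2 * len] = '\0';
    return (long)len;
}

/* Walk type/length/value attributes where the length octet counts the
 * 2-byte header, as in RADIUS. Returns the number of well-formed attributes,
 * or -1 as soon as a length is below 2 or runs past the captured data. */
static int walk_attrs(const uint8_t *pkt, size_t caplen)
{
    char hex[64];                    /* long values are printed truncated */
    size_t off = 0;
    int n = 0;
    while (off < caplen) {
        if (caplen - off < 2)
            return -1;               /* truncated attribute header */
        size_t alen = pkt[off + 1];
        if (alen < 2 || alen > caplen - off)
            return -1;               /* bogus attribute length */
        hex_bounded(pkt, caplen, off + 2, alen - 2, hex, sizeof hex);
        printf("attr %u: %s\n", (unsigned)pkt[off], hex);
        off += alen;
        n++;
    }
    return n;
}

/* Constructed samples: the second attribute of sample_bad claims 200 bytes. */
static const uint8_t sample_ok[]  = { 0x01, 0x04, 'h', 'i', 0x02, 0x03, 'x' };
static const uint8_t sample_bad[] = { 0x01, 0x04, 'h', 'i', 0x02, 0xc8, 'x' };

int main(void)
{
    printf("ok=%d\n", walk_attrs(sample_ok, sizeof sample_ok));
    printf("bad=%d\n", walk_attrs(sample_bad, sizeof sample_bad));
    return 0;
}
```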