tcpdump mailing list archives

Re: multiple vulnerabilities in tcpdump 3.8.1


From: Hannes Gredler <hannes () juniper net>
Date: Wed, 7 Jan 2004 08:57:11 +0100

On Sun, Jan 04, 2004 at 10:23:42PM +0100, Jonathan Heusser wrote:
| Hello,
| 
| beside the l2tp vulnerability mentioned on this list this month, I found
| two other locations in the code which an attacker could use to crash, or
| in the worst case exploit, tcpdump.
| 
| The first critical piece of code is found in print-isakmp.c:332. The
| function rawprint() does not check its arguments thus it's easy for an
| attacker to pass a big 'len' or a bogus 'loc' leading to a segmentation
| fault in the for loop. rawprint() gets called at various places in
| print-isakmp.c.
| 
| The second bug is located in print-radius.c:471. The for loop of
| print_attr_string() is written in an unsafe manner. 'length' and 'data'
| should be checked. print_attr_string() is called via a function pointer
| from radius_attr_print() line 784 where no upper bound for 'rad_attr->len'
| is defined. This leads to a segmentation fault as well.

checked in your [unicast] patch in 3_8 and head;

/hannes
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
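The two defects above share one shape: a loop driven by a length taken from the packet without checking it against the captured bytes. The following is an added example, not tcpdump's code and not the patch referenced in the reply; the functions rawprint_bounded() and radius_walk(), the 'end' pointer standing in for tcpdump's snapend, and the sample attribute bytes are all constructed for illustration. It shows the bounds checks a printer of this kind needs (len fits within the capture, attribute len covers its own 2-byte header so the loop always advances) and treats anything else as a truncated packet.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical bounded hex dumper. 'end' is one past the last captured
 * byte (the role tcpdump's snapend plays). Returns the number of bytes
 * printed, or -1 when 'loc'/'len' would run past the capture. */
int rawprint_bounded(const uint8_t *loc, size_t len, const uint8_t *end)
{
    if (loc == NULL || end == NULL || loc > end)
        return -1;                       /* bogus loc: refuse to read */
    if (len > (size_t)(end - loc))
        return -1;                       /* bogus len: refuse to read */
    for (size_t i = 0; i < len; i++)
        printf("%02x", loc[i]);
    return (int)len;
}

/* Hypothetical RADIUS attribute walker. Each attribute is type(1), len(1)
 * where len counts the header too, followed by len-2 value bytes.
 * Returns the number of well-formed attributes, or -1 on the first
 * attribute whose len is too small (< 2, would never advance) or larger
 * than what remains in the packet. */
int radius_walk(const uint8_t *attr, size_t remaining)
{
    const uint8_t *end = attr + remaining;   /* capture boundary */
    int count = 0;
    while (remaining >= 2) {
        uint8_t type = attr[0], alen = attr[1];
        if (alen < 2 || alen > remaining)
            return -1;
        printf("  attr %u: ", type);
        if (rawprint_bounded(attr + 2, (size_t)alen - 2, end) < 0)
            return -1;
        printf("\n");
        attr += alen; remaining -= alen; count++;
    }
    return remaining == 0 ? count : -1;  /* leftover bytes: truncated */
}

/* Constructed sample attribute lists (not real captures). */
const uint8_t sample_good[]  = {1, 6, 'a', 'b', 'c', 'd', 26, 2}; /* two attrs */
const uint8_t sample_big[]   = {1, 20, 'a'};      /* len claims 20, 3 present */
const uint8_t sample_zero[]  = {1, 0, 1, 0};      /* len 0 would never advance */
const uint8_t sample_trunc[] = {1, 6, 'a', 'b', 'c', 'd', 26}; /* cut header */

int main(void)
{
    printf("good: %d\n", radius_walk(sample_good, sizeof sample_good));
    printf("big:  %d\n", radius_walk(sample_big, sizeof sample_big));
    return 0;
}
```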

