tcpdump mailing list archives

Re: getname() vulnerability


From: Guy Harris <guy () alum mit edu>
Date: Tue, 23 Mar 2004 20:16:44 -0800


On Feb 13, 2004, at 8:35 AM, Jonathan Heusser wrote:

addrtoname.c:getname() does not check its argument.

It can't - it's not always passed a pointer to data in the packet.

I've gone through the code looking for calls to "getname()" or "ipaddr_string()", and added to the print routines the appropriate bounds checks (which is better than checking in "getname()", as that means that I also found *additional* places where bounds checks were needed, in code not using "getname()" or "ipaddr_string()"). I then removed the check from "getname()".

Assuming the argument is e.g. NULL

If the argument is null, that's a bug in the print routine - it shouldn't be handing it a null pointer, and it won't be if it's handing it a pointer derived from the pointer into the packet, which it is in all cases.

I found at least one place where this bug can be triggered, that is in print-isakmp.c:isakmp_id_print() line 707.

The calls to "ipaddr_string()" in "isakmp_id_print()" are now protected with a TCHECK2() call to make sure that all the bytes specified by the length are present *and* a check to make sure that the length is sufficiently large to cover an IP address - and it also checks that it's sufficiently large to cover the *rest* of the data (e.g., the mask in IPSECDOI_ID_IPV4_ADDR_SUBNET), and it checks IPv6 and other entries as well.

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
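The protection Guy describes for the ipaddr_string() calls in isakmp_id_print(), as an added example that is not tcpdump's code or Guy's patch: a simplified (type, length, data) ID entry is formatted only after a TCHECK2-style check that all `len` bytes were captured and a type-specific minimum-length check (the address, plus the mask for the subnet form). The ID type values, the captured() helper and the sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified ID types and the number of data bytes each needs
   (address, plus the mask for the subnet form). Not tcpdump's real table. */
enum { ID_IPV4_ADDR = 1, ID_IPV4_ADDR_SUBNET = 4, ID_IPV6_ADDR = 5 };

static size_t id_need(int type) {
    switch (type) {
    case ID_IPV4_ADDR:        return 4;
    case ID_IPV4_ADDR_SUBNET: return 4 + 4;   /* address + mask */
    case ID_IPV6_ADDR:        return 16;
    default:                  return 0;       /* unknown type: print nothing */
    }
}

/* Stand-in for TCHECK2(): true only if all `len` bytes starting at p lie
   inside the captured data, which ends at snapend. */
static int captured(const uint8_t *p, size_t len, const uint8_t *snapend) {
    return p <= snapend && len <= (size_t)(snapend - p);
}

/* Format the address of one ID entry into out. Returns 1 on success, 0 if
   the capture is truncated or the length field is too short for the type;
   the address bytes are read only after both checks pass. */
int id_print(int type, const uint8_t *data, size_t len,
             const uint8_t *snapend, char *out, size_t outlen) {
    size_t need = id_need(type);
    if (need == 0 || !captured(data, len, snapend) || len < need)
        return 0;
    if (type == ID_IPV6_ADDR) {               /* hex groups, no :: compression */
        size_t n = 0;
        for (int i = 0; i < 16 && n < outlen; i += 2)
            n += (size_t)snprintf(out + n, outlen - n, "%s%x",
                                  i ? ":" : "", (data[i] << 8) | data[i + 1]);
        return 1;
    }
    int n = snprintf(out, outlen, "%u.%u.%u.%u", data[0], data[1], data[2], data[3]);
    if (type == ID_IPV4_ADDR_SUBNET && (size_t)n < outlen)
        snprintf(out + n, outlen - n, "/%u.%u.%u.%u", data[4], data[5], data[6], data[7]);
    return 1;
}

/* Constructed sample: an IPv4 address followed by a /24 mask. */
const uint8_t sample[] = { 192, 0, 2, 1, 255, 255, 255, 0 };

int main(void) {
    char out[64];
    /* length says 4, but only 3 bytes were captured: rejected before any read */
    printf("truncated: %d\n", id_print(ID_IPV4_ADDR, sample, 4, sample + 3, out, sizeof out));
    printf("subnet:    %d %s\n", id_print(ID_IPV4_ADDR_SUBNET, sample, 8, sample + 8, out, sizeof out), out);
    return 0;
}
```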

