tcpdump mailing list archives
Re: getname() vulnerability
From: Guy Harris <guy () alum mit edu>
Date: Tue, 23 Mar 2004 20:16:44 -0800
On Feb 13, 2004, at 8:35 AM, Jonathan Heusser wrote:
> addrtoname.c:getname() does not check its argument.

It can't - it's not always passed a pointer to data in the packet.

I've gone through the code looking for calls to "getname()" or "ipaddr_string()", and added to the print routines the appropriate bounds checks (which is better than checking in "getname()", as that means that I also found *additional* places where bounds checks were needed, in code not using "getname()" or "ipaddr_string()"). I then removed the check from "getname()".

> Assuming the argument is e.g. NULL

If the argument is null, that's a bug in the print routine - it shouldn't be handing it a null pointer, and it won't be if it's handing it a pointer derived from the pointer into the packet, which it is in all cases.

> I found at least one place where this bug can be triggered, that is in print-isakmp.c:isakmp_id_print() line 707.

The calls to "ipaddr_string()" in "isakmp_id_print()" are now protected with a TCHECK2() call to make sure that all the bytes specified by the length are present *and* a check to make sure that the length is sufficiently large to cover an IP address - and it also checks that it's sufficiently large to cover the *rest* of the data (e.g., the mask in IPSECDOI_ID_IPV4_ADDR_SUBNET), and it checks IPv6 and other entries as well.
- This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
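The fix Guy describes has two parts: a length check (is the declared identification length big enough for this ID type, including any trailing mask?) and a capture-bounds check in the spirit of TCHECK2() (are those bytes actually present in the captured buffer?), both done in the print routine before any address-formatting helper dereferences the pointer. The following is an added example written for this page, not tcpdump's own code: it models the captured packet with a `snapend` pointer, and the `ID_*` values and the `sample_id_payload` bytes are constructed placeholders, not the real IPSECDOI_ID_* constants or any real capture.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder ID types (not tcpdump's IPSECDOI_ID_* values). */
enum id_type {
    ID_IPV4_ADDR        = 1,
    ID_IPV4_ADDR_SUBNET = 2,
    ID_IPV6_ADDR        = 3,
    ID_IPV6_ADDR_SUBNET = 4
};

/* Constructed sample identity payload: 10.0.0.1 followed by mask 255.255.255.0. */
const uint8_t sample_id_payload[8] = {10, 0, 0, 1, 255, 255, 255, 0};

/* Bytes of identification data a given ID type must carry. */
size_t id_required_len(int type)
{
    switch (type) {
    case ID_IPV4_ADDR:        return 4;
    case ID_IPV4_ADDR_SUBNET: return 8;   /* address followed by mask */
    case ID_IPV6_ADDR:        return 16;
    case ID_IPV6_ADDR_SUBNET: return 32;  /* address followed by mask */
    default:                  return 0;   /* unknown type: dereference nothing */
    }
}

/* Same contract as a TCHECK2(): true only if [p, p+len) lies within the
 * captured bytes. Written so that no out-of-bounds pointer is ever formed,
 * which keeps it correct even for absurdly large attacker-supplied lengths. */
int in_capture(const uint8_t *p, size_t len, const uint8_t *snapend)
{
    return p <= snapend && len <= (size_t)(snapend - p);
}

static void fmt_ipv4(const uint8_t *a, char *out, size_t outsz)
{
    snprintf(out, outsz, "%u.%u.%u.%u", a[0], a[1], a[2], a[3]);
}

static void fmt_ipv6(const uint8_t *a, char *out, size_t outsz)
{
    size_t n = 0;                     /* uncompressed form is enough here */
    for (int i = 0; i < 16; i += 2) {
        if (n >= outsz)
            break;
        n += (size_t)snprintf(out + n, outsz - n, "%s%02x%02x",
                              i ? ":" : "", a[i], a[i + 1]);
    }
}

/* Print the ID payload at p whose header declared payload_len bytes of data.
 * Returns 1 if a string was produced, 0 if the payload was rejected.
 * Order of checks: length large enough for the type (mask included), then
 * the declared bytes really are inside the capture; only then format. */
int id_print(const uint8_t *p, size_t payload_len, int type,
             const uint8_t *snapend, char *out, size_t outsz)
{
    size_t need = id_required_len(type);
    char a[64], m[64];

    if (need == 0) {
        snprintf(out, outsz, "unknown id type %d", type);
        return 1;
    }
    if (payload_len < need) {
        snprintf(out, outsz, "[id type %d needs %zu bytes, payload has %zu]",
                 type, need, payload_len);
        return 0;
    }
    if (!in_capture(p, payload_len, snapend)) {
        snprintf(out, outsz, "[|truncated id payload]");
        return 0;
    }
    switch (type) {
    case ID_IPV4_ADDR:
        fmt_ipv4(p, out, outsz);
        break;
    case ID_IPV4_ADDR_SUBNET:
        fmt_ipv4(p, a, sizeof a);
        fmt_ipv4(p + 4, m, sizeof m);
        snprintf(out, outsz, "%s/%s", a, m);
        break;
    case ID_IPV6_ADDR:
        fmt_ipv6(p, out, outsz);
        break;
    case ID_IPV6_ADDR_SUBNET:
        fmt_ipv6(p, a, sizeof a);
        fmt_ipv6(p + 16, m, sizeof m);
        snprintf(out, outsz, "%s/%s", a, m);
        break;
    }
    return 1;
}

int main(void)
{
    const uint8_t *snapend = sample_id_payload + sizeof sample_id_payload;
    char buf[128];

    /* Well-formed: both address and mask are declared and captured. */
    id_print(sample_id_payload, 8, ID_IPV4_ADDR_SUBNET, snapend, buf, sizeof buf);
    puts(buf);
    /* Declared length covers the address but not the mask: rejected. */
    id_print(sample_id_payload, 4, ID_IPV4_ADDR_SUBNET, snapend, buf, sizeof buf);
    puts(buf);
    /* Declared length is fine but the capture ends two bytes early: rejected. */
    id_print(sample_id_payload, 8, ID_IPV4_ADDR_SUBNET, sample_id_payload + 6, buf, sizeof buf);
    puts(buf);
    return 0;
}
```

The second and third cases are the two distinct failure modes the mail separates: a length field that is too small for the type (the mask check), and a length field that is plausible but points past the end of what was captured (the TCHECK2 check). Neither can be caught inside a `getname()`-style helper that only receives the address pointer, which is why the checks belong in the print routine.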
Current thread:
- getname() vulnerability Jonathan Heusser (Feb 13)
- Re: getname() vulnerability Guy Harris (Mar 23)
- Re: getname() vulnerability Michael Richardson (Mar 24)
- Re: getname() vulnerability Guy Harris (Mar 24)
- Re: getname() vulnerability Michael Richardson (Mar 24)
- Re: getname() vulnerability Guy Harris (Mar 23)