tcpdump mailing list archives
Bug in print-ppp.c
From: Darren Reed <darrenr () reed wattle id au>
Date: Tue, 13 Jul 2004 15:04:43 +1000 (EST)
I've come across a packet that causes me to get a stack trace something
like this:
#0 0x00000000 in ?? ()
#1 0x0807a0bd in handle_ctrl_proto (proto=32855, pptr=0x8195c82 "\001", length=14) at print-ppp.c:450
#2 0x0807be24 in handle_ppp (proto=32855, p=0x8195c82 "\001", length=14) at print-ppp.c:1143
#3 0x0807c072 in ppp_print (p=0x8195c82 "\001", length=14) at print-ppp.c:1229
#4 0x0805fd22 in gre_print_1 (bp=0x8195c80 "\200W\001", length=28) at print-gre.c:305
#5 0x0805f757 in gre_print (bp=0x8195c74 "0\001\210\v", length=28) at print-gre.c:108
#6 0x080634c2 in ip_print (bp=0x8195c60 "E", length=48) at print-ip.c:606
#7 0x08060307 in gtpv1u_print (bp=0x8195c60 "E", length=48) at print-gtp.c:323
#8 0x080919d6 in udp_print (bp=0x8195c4c "\bh\bh", length=60, bp2=0x8195c38 "E", fragmented=0) at print-udp.c:635
#9 0x080633b9 in ip_print (bp=0x8195c38 "E", length=88) at print-ip.c:539
#10 0x0805e062 in ether_encap_print (ether_type=2048, p=0x8195c38 "E", length=88, caplen=88, extracted_ether_type=0xbffff2d0) at print-ether.c:189
#11 0x0805de85 in ether_print (p=0x8195c38 "E", length=88, caplen=88) at print-ether.c:142
#12 0x0805def3 in ether_if_print (h=0xbffff340, p=0x8195c2a "") at print-ether.c:162
#13 0x08094fc9 in print_packet (user=0xbffff520 "ÖÞ\005\b", h=0xbffff340, sp=0x8195c2a "") at tcpdump.c:1188
#14 0x080a389a in pcap_offline_read ()
#15 0x0809b486 in pcap_loop ()
#16 0x08094b55 in main (argc=5, argv=0xbffff594) at tcpdump.c:997
#17 0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6
Somewhere around line 445, print-ppp.c has:
    default:
        /*
         * This should never happen, but we set
         * "pfunc" to squelch uninitialized
         * variable warnings from compilers.
         */
        pfunc = NULL;
        break;
    }
Adding a printout after the closing }, I see this for one packet:
pfunc (nil) tptr 0x8195c86 len 14 x 10 proto 0x8057 ptr 0x8195c82 length 14
We've come here from handle_ppp() which calls handle_ctrl_proto() for
PPP_IPV6CP.
This patch (modulo white space) solves this problem for now.
*** print-ppp.c 8 Jul 2004 11:10:37 -0000 1.2
--- print-ppp.c 13 Jul 2004 05:01:15 -0000
***************
*** 447,452 ****
--- 447,454 ----
pfunc = NULL;
break;
}
+ if (pfunc == NULL)
+ break;
if ((j = (*pfunc)(tptr, len)) == 0)
break;
x -= j;
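Review bot: the added `if (pfunc == NULL) break;` stops the NULL function-pointer call, but it leaves the loop silently whenever an option type reaches the `default:` branch, so every option after the unrecognised one is dropped from the output with no indication to the user; consider printing the unknown option type before leaving, or stepping over the option by its own length instead of breaking, so the remaining options are still decoded and the truncation is visible.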
Darren
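The failure mode described in this message is a type/length/value option walker that selects a handler through a switch and then calls the resulting function pointer without checking it, so an option type that falls into the `default:` branch calls address 0. The following is an added, self-contained illustration written for this archive page, not code from tcpdump or from Darren's patch: the option type codes, handler names and the 14-byte option list are constructed for the example. Unlike the patch, which breaks out of the loop, this version reports the unknown option and steps over it by its own length so the rest of the list is still decoded; it also rejects a length field that runs past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Handler signature: print one option and return the bytes it consumed
 * (0 signals a malformed option and stops the walk). */
typedef int (*opt_handler)(const uint8_t *p, int len);

/* Hypothetical option type codes used by this example only. */
enum { OPT_MRU = 1, OPT_MAGIC = 5 };

static int print_mru(const uint8_t *p, int len)
{
    if (len != 4)
        return 0;
    printf("MRU %u", (unsigned)((p[2] << 8) | p[3]));
    return len;
}

static int print_magic(const uint8_t *p, int len)
{
    if (len != 6)
        return 0;
    printf("Magic-Num 0x%02x%02x%02x%02x", p[2], p[3], p[4], p[5]);
    return len;
}

/* Mirrors the switch that selects pfunc: known types map to a handler,
 * everything else lands in the default branch and yields NULL. */
opt_handler lookup_handler(int opt)
{
    switch (opt) {
    case OPT_MRU:   return print_mru;
    case OPT_MAGIC: return print_magic;
    default:        return NULL;
    }
}

struct walk_result { int handled; int skipped; int truncated; };

/* Walk an option list of x bytes starting at tptr. Each option is
 * type(1) length(1) value(length-2), with length covering the header. */
struct walk_result walk_options(const uint8_t *tptr, int x)
{
    struct walk_result r = { 0, 0, 0 };
    while (x > 0) {
        int opt, len;
        opt_handler pfunc;
        if (x < 2) {                  /* no room for a type/length header */
            r.truncated = 1;
            break;
        }
        opt = tptr[0];
        len = tptr[1];
        if (len < 2 || len > x) {     /* length field runs past the buffer */
            r.truncated = 1;
            break;
        }
        pfunc = lookup_handler(opt);
        if (pfunc == NULL) {
            /* The unguarded code called pfunc here and jumped to address 0.
             * Report the option and step over it using its own length. */
            printf("unknown option 0x%02x (%d bytes)", opt, len);
            r.skipped++;
        } else {
            if ((*pfunc)(tptr, len) == 0) {
                r.truncated = 1;
                break;
            }
            r.handled++;
        }
        printf("\n");
        x -= len;
        tptr += len;
    }
    return r;
}

/* Constructed 14-byte option list: MRU 1500, an unknown type 0x63, Magic-Number. */
const uint8_t sample_options[] = {
    0x01, 0x04, 0x05, 0xdc,
    0x63, 0x04, 0xde, 0xad,
    0x05, 0x06, 0x11, 0x22, 0x33, 0x44
};

int main(void)
{
    struct walk_result r = walk_options(sample_options, (int)sizeof sample_options);
    printf("handled %d skipped %d truncated %d\n", r.handled, r.skipped, r.truncated);
    return 0;
}
```

Run as-is it decodes the first and third options, reports type 0x63 as unknown, and finishes with handled 2, skipped 1, truncated 0; a list whose length byte exceeds the remaining bytes is reported as truncated rather than read past the end.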
