Open Source and information security mailing list archives
 
Date: 21 Dec 2003 17:48:37 -0000
From: <mrh_tech@...oo.com>
To: bugtraq@...urityfocus.com
Subject: Re: Remote crash in tcpdump from OpenBSD


In-Reply-To: <3FE4CAC1.8010306@...ebsd.lublin.pl>

When an l2tp control packet is sent with optional bits set but containing invalid data, l2tp_avp_print() is passed this bad data.
Then, l2tp_avp_print() calls itself and continues an infinite loop of passing bad data to itself.

I had consistent results sending:
\x82 (control+length bits)
\0x02 (version) then 10 bytes of zeros.

This is in print-l2tp.c
Lines: ~566-616

After commenting out (breaking the infinite loop):
~609: l2tp_avp_print(dat + len, length - len);
I was no longer able to crash tcpdump.

Obviously, properly validating the input is the real solution.

Tested on: OpenBSD 3.3 and 3.4 
tcpdump: 3.4.0
libpcap: 0.5

Thanks,
Mike
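
The input validation the message calls for, sketched as an iterative, bounds-checked AVP walk. This is an added example, not part of the original post and not tcpdump's code. It assumes the RFC 2661 AVP layout (6-byte header, 10-bit length in the first 16-bit word); `walk_avps` and the sample buffers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AVP_HDR_LEN  6       /* flags+length (2), vendor ID (2), attribute type (2) */
#define AVP_LEN_MASK 0x03ff  /* low 10 bits of the first 16-bit word (assumed layout) */

/* Constructed sample inputs. */
static const uint8_t sample_zeros[10] = {0};            /* all-zero payload */
static const uint8_t sample_ok[] = {
    0x80, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,     /* M bit set, len 8 */
    0x00, 0x06, 0x00, 0x00, 0x00, 0x07                  /* len 6, empty value */
};
static const uint8_t sample_overrun[] = { 0x00, 0x20, 0x00, 0x00, 0x00, 0x00 };

/* Walk a buffer of AVPs with a loop instead of recursion. Returns the number
 * of well-formed AVPs, or -1 as soon as a declared length cannot be valid. */
int walk_avps(const uint8_t *dat, size_t length)
{
    int count = 0;

    while (length > 0) {
        if (length < AVP_HDR_LEN)
            return -1;              /* truncated header */
        size_t len = (((size_t)dat[0] << 8) | dat[1]) & AVP_LEN_MASK;
        if (len < AVP_HDR_LEN)
            return -1;              /* len == 0 would never advance dat */
        if (len > length)
            return -1;              /* AVP claims more bytes than remain */
        /* A real printer would decode dat[6 .. len-1] here. */
        dat += len;
        length -= len;
        count++;
    }
    return count;
}

int main(void)
{
    printf("zeros:   %d\n", walk_avps(sample_zeros, sizeof sample_zeros));
    printf("ok:      %d\n", walk_avps(sample_ok, sizeof sample_ok));
    printf("overrun: %d\n", walk_avps(sample_overrun, sizeof sample_overrun));
    return 0;
}
```

With a declared length of 0, a call of the form `l2tp_avp_print(dat + len, length - len)` receives the same arguments it was given, which is why the walk above rejects any length smaller than the header before advancing.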



