lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Sat, 7 Aug 2004 20:45:30 +0200 (CEST)
From: Otto Moerbeek <otto@...jf.net>
To: Balaram Amgoth <ramgoth@...oo.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Remote crash in tcpdump from OpenBSD




On Fri, 6 Aug 2004, Balaram Amgoth wrote:

> In-Reply-To: <20031221174837.14808.qmail@...www3-symnsj.securityfocus.com>
>
> Hi Mike,
> Will the following packet be enough to reproduce this problem.
>
> char packet[] = "\x82\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

FYI, this is a report from December 2003. This has been fixed in OpenBSD
3.4-stable and (then -current, now) 3.5. Feel free to expore this further, 
but I don't think this is very interesting material for this list, more 
than 7 months after the original report.

 	-Otto

>
> Thanks for your time in advance
>
> Balaram
>
>
>
>> Received: (qmail 9162 invoked from network); 22 Dec 2003 22:59:01 -0000
>> Received: from outgoing2.securityfocus.com (205.206.231.26)
>>  by mail.securityfocus.com with SMTP; 22 Dec 2003 22:59:01 -0000
>> Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
>> 	by outgoing2.securityfocus.com (Postfix) with QMQP
>> 	id 910C48F350; Mon, 22 Dec 2003 10:01:02 -0700 (MST)
>> Mailing-List: contact bugtraq-help@...urityfocus.com; run by ezmlm
>> Precedence: bulk
>> List-Id: <bugtraq.list-id.securityfocus.com>
>> List-Post: <mailto:bugtraq@...urityfocus.com>
>> List-Help: <mailto:bugtraq-help@...urityfocus.com>
>> List-Unsubscribe: <mailto:bugtraq-unsubscribe@...urityfocus.com>
>> List-Subscribe: <mailto:bugtraq-subscribe@...urityfocus.com>
>> Delivered-To: mailing list bugtraq@...urityfocus.com
>> Delivered-To: moderator for bugtraq@...urityfocus.com
>> Received: (qmail 20728 invoked from network); 21 Dec 2003 17:42:27 -0000
>> Date: 21 Dec 2003 17:48:37 -0000
>> Message-ID: <20031221174837.14808.qmail@...www3-symnsj.securityfocus.com>
>> Content-Type: text/plain
>> Content-Disposition: inline
>> Content-Transfer-Encoding: binary
>> MIME-Version: 1.0
>> X-Mailer: MIME-tools 5.411 (Entity 5.404)
>> From: <mrh_tech@...oo.com>
>> To: bugtraq@...urityfocus.com
>> Subject: Re: Remote crash in tcpdump from OpenBSD
>>
>> In-Reply-To: <3FE4CAC1.8010306@...ebsd.lublin.pl>
>>
>> When an l2tp control packet is sent with optional bits set but containing invalid data, l2tp_avp_print() is passed this bad data.
>> Then, l2tp_avp_print() calls itself and continues an infinite loop of passing bad data to itself.
>>
>> I had the consistent results sending:
>> \x82 (control+length bits)
>> \0x02 (version) then 10 bytes of zeros.
>>
>> This is in print-l2tp.c
>> Lines: ~566-616
>>
>> After commenting out (breaking the infinite loop):
>> ~609: l2tp_avp_print(dat + len, length - len);
>> I was no longer able to crash tcpdump.
>>
>> Obviously, properly validating the input is the real solution.
>>
>> Tested on: OpenBSD 3.3 and 3.4
>> tcpdump: 3.4.0
>> libpcap" 0.5
>>
>> Thanks,
>> Mike
>>
>>
>>
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ