[10864] in bugtraq
Re: tcpdump 3.4 bug? (final)
daemon@ATHENA.MIT.EDU (acpizer)
Sun Jun 20 13:45:20 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.NEB.3.96.990620090814.9030A-100000@mach.unseen.org>
Date: Sun, 20 Jun 1999 09:17:32 +0100
Reply-To: acpizer <acpizer@MACH.UNSEEN.ORG>
From: acpizer <acpizer@MACH.UNSEEN.ORG>
To: BUGTRAQ@NETSPACE.ORG
Hi again,
Thanks goes to Markus Peuhkuri for pointing out that the minimum length
of an IP packet is actually 20 bytes, (I'm useless w/o a copy of TCP/IP
Illustrated in front of me), anyway, here is a final patch, also don't
forget to run tcpdump with the -v parameter if you want to see the source
address of the offensive packet.
Are the guys at LBL reading bugtraq? (tcpdump on ftp.ee.lbl.gov isn't
updated yet...)
maybe they don't think it's a bug since routers drop the packet anyway,
how aobut attacking machines which run tcpdump locally on the LAN?
*** print-ip.orig.c Thu Jun 17 11:24:17 1999
--- print-ip.c Sun Jun 20 11:04:20 1999
*************** ip_print(register const u_char *bp, regi
*** 440,445 ****
--- 440,451 ----
(void)printf("%s > %s: ",
ipaddr_string(&ip->ip_src),
ipaddr_string(&ip->ip_dst));
+
+ if (ip->ip_hl < 5) {
+ (void)printf("Bad ip-in-ip encapsulation (hl < 5) Possible attack!");
+ return;
+ }
+
ip_print(cp, len);
if (! vflag) {
printf(" (ipip)");
Cheers.
-------------------------------------------------------------------------------
"Probably you've only really grown up, when you can bear not being understood."
Marian Gold /Alphaville
