[32936] in bugtraq
Re: Remote crash in tcpdump from OpenBSD
daemon@ATHENA.MIT.EDU (mrh_tech@yahoo.com)
Mon Dec 22 18:56:46 2003
Date: 21 Dec 2003 17:48:37 -0000
Message-ID: <20031221174837.14808.qmail@sf-www3-symnsj.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: <mrh_tech@yahoo.com>
To: bugtraq@securityfocus.com
In-Reply-To: <3FE4CAC1.8010306@freebsd.lublin.pl>
When an l2tp control packet is sent with optional bits set but containing invalid data, l2tp_avp_print() is passed this bad data.
Then, l2tp_avp_print() calls itself and continues an infinite loop of passing bad data to itself.
I had consistent results sending:
\x82 (control+length bits)
\x02 (version) then 10 bytes of zeros.
This is in print-l2tp.c
Lines: ~566-616
After commenting out (breaking the infinite loop):
~609: l2tp_avp_print(dat + len, length - len);
I was no longer able to crash tcpdump.
Obviously, properly validating the input is the real solution.
Tested on: OpenBSD 3.3 and 3.4
tcpdump: 3.4.0
libpcap: 0.5
Thanks,
Mike
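An added example (written for this archive page, not tcpdump's own code) of the input validation the report says is the real fix: an iterative AVP walker that rejects any AVP whose length is shorter than its own 6-byte header or longer than the bytes remaining, fed the report's 12-byte packet and a constructed valid SCCRQ. Header field offsets follow RFC 2661; the sample packets are constructed and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* L2TPv2 header flag bits (RFC 2661), first 16-bit word of the packet. */
#define L2TP_FLAG_TYPE     0x8000  /* T: control message (carries AVPs) */
#define L2TP_FLAG_LENGTH   0x4000  /* L: Length field present */
#define L2TP_FLAG_SEQUENCE 0x0800  /* S: Ns/Nr fields present */
#define L2TP_FLAG_OFFSET   0x0200  /* O: Offset Size field present */
#define L2TP_AVP_HDR_LEN   6       /* flags/length(2) + vendor(2) + type(2) */

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the AVP list iteratively. Returns the AVP count, or -1 on malformed input.
 * The avp_len check is the missing validation: a zero length would otherwise
 * re-enter the printer with the same buffer forever, as in the report. */
int l2tp_count_avps(const uint8_t *dat, size_t length)
{
    int n = 0;
    while (length > 0) {
        if (length < L2TP_AVP_HDR_LEN) return -1;
        size_t avp_len = get16(dat) & 0x03FF;    /* low 10 bits = AVP length */
        if (avp_len < L2TP_AVP_HDR_LEN || avp_len > length) return -1;
        dat += avp_len; length -= avp_len; n++;
    }
    return n;
}

/* Parse the fixed header, then hand the remainder to the AVP walker. */
int l2tp_parse(const uint8_t *pkt, size_t len)
{
    if (len < 2) return -1;
    uint16_t flags = get16(pkt);
    if ((flags & 0x000F) != 2) return -1;         /* low nibble = version */
    size_t hdr = 2 + 4;                           /* flags + Tunnel/Session ID */
    if (flags & L2TP_FLAG_LENGTH)   hdr += 2;     /* Length */
    if (flags & L2TP_FLAG_SEQUENCE) hdr += 4;     /* Ns, Nr */
    if (flags & L2TP_FLAG_OFFSET) {               /* Offset Size + padding */
        if (len < hdr + 2) return -1;
        hdr += 2 + get16(pkt + hdr);
    }
    if (len < hdr) return -1;
    if (flags & L2TP_FLAG_LENGTH) {
        size_t declared = get16(pkt + 2);         /* Length follows flags */
        if (declared < hdr || declared > len) return -1;
        len = declared;                           /* never trust more than fits */
    }
    if (!(flags & L2TP_FLAG_TYPE)) return 0;      /* data message: no AVPs */
    return l2tp_count_avps(pkt + hdr, len - hdr);
}
/* Constructed samples: the report's bytes (rejected) and a valid SCCRQ (1 AVP). */
const uint8_t pkt_report[] = {0x82,0x02, 0,0,0,0,0,0,0,0,0,0};
const uint8_t pkt_sccrq[] = {0xC8,0x02, 0x00,0x14, 0,0, 0,0, 0,0, 0,0, 0x80,0x08, 0,0, 0,0, 0,0x01};
```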