Remote crash in tcpdump from OpenBSD
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------- Original Message --------
Subject: user/3610: repetable tcpdump remote crash
Resent-Date: Sat, 20 Dec 2003 08:55:02 -0700 (MST)
Resent-From: gnats@xxxxxxxxxxxxxxx (GNATS Filer)
Resent-To: bugs@xxxxxxxxxxxxxxx
Date: Sat, 20 Dec 2003 16:42:25 +0100 (CET)
From: venglin@xxxxxxxxxxxxxxxxx
Reply-To: venglin@xxxxxxxxxxxxxxxxx
To: gnats@xxxxxxxxxxx
>Number: 3610
>Category: user
>Synopsis: repetable tcpdump remote crash
>Confidential: yes
>Severity: critical
>Priority: high
>Responsible: bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Dec 20 15:50:02 GMT 2003
>Closed-Date:
>Last-Modified:
>Originator: Przemyslaw Frasunek
>Release: 3.3-RELEASE
>Organization:
net
>Environment:
System : OpenBSD 3.3
Architecture: OpenBSD.i386
Machine : i386
>Description:
Sending a packet containg 0xff,0x02 bytes to port 1701/udp causes
a L2TP protocol parser in tcpdump to enter an infinite loop, eating
all available memory and then segfaulting.
This bug also affects tcpdump in -CURRENT.
>How-To-Repeat:
tcpdump -i lo0 -n udp and dst port 1701 &
perl -e 'print "\xff\x02"' | nc -u localhost 1701
>Fix:
Unknown, recent versions of tcpdump are immune to this problem.
>Release-Note:
>Audit-Trail:
>Unformatted:
- --
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *
* JID: venglin@xxxxxxxxxxxxxxx ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE/5HfykxEnBiV4/K0RApAkAKDMw3qheVAkGu3v2EvoCoq07C8ZYgCgh9sl
ZjwiNzK9di8oSMQ1XK/YF+g=
=Q0AT
-----END PGP SIGNATURE-----