On Wed, 2003-12-24 at 16:20, MH wrote:
> The first test sent tcpdump into an infinite loop because the l2tp_avp_print()
> function calls itself and passes bad data.
> uP: i386
> tcpdump: (up to 3.8.1)
> libpcap: 0.7.2
> os: Linux
> I have not been able to seg fault tcpdump on OpenBSD. And, the infinite looping
> does not occur on OpenBSD after applying Otto Moerbeek's patch.
>
> Can anyone else reproduce these results?
this patch should solve, please apply
--
mydecay
S.P.I.N.E. Group - http://www.spine-group.org
Key Fingerprint: 667A 4E73 EA53 66AC E2AB D0CA 2908 1484 1F26 4C40
GnuPG Key: http://www.spine-group.org/keys/mydecay.asc
--- print-l2tp.c.old 2003-12-24 19:35:08.429835456 +0100
+++ print-l2tp.c 2003-12-24 19:37:58.293012328 +0100
@@ -468,7 +468,6 @@
if (length <= 0) {
return;
}
-
printf(" ");
TCHECK(*ptr); /* Flags & Length */
@@ -493,7 +492,7 @@
printf("VENDOR%04x:", EXTRACT_16BITS(ptr)); ptr++;
printf("ATTR%04x", EXTRACT_16BITS(ptr)); ptr++;
printf("(");
- print_octets((u_char *)ptr, len-6);
+ print_octets((u_char *)ptr, strlen(ptr));
printf(")");
} else {
/* IETF-defined Attributes */
@@ -594,7 +593,8 @@
printf(")");
}
- l2tp_avp_print(dat+len, length-len);
+ if (length >= len && len > 0)
+ l2tp_avp_print(dat+len, length-len);
return;
trunc:
