bugfix from Jonathan Heusser <[email protected]>

  The first critical piece of code is found in print-isakmp.c:332. The
  function rawprint() does not check its arguments thus it's easy for
  an attacker to pass a big 'len' or a bogus 'loc' leading to a
  segmentation fault in the for loop.

  The second bug is located in print-radius.c:471. The for loop of
  print_attr_string() is written in an unsafe manner. 'length'
  and 'data' should be checked.

diff --git a/CREDITS b/CREDITS
index 1f1ae6e10126a91dbae662ebfbf9cc637739a855..36b967dda18f5063d4a756bada21d9e859946a7f 100644 (file)
--- a/CREDITS
+++ b/CREDITS
@@ -52,6 +52,7 @@ Additional people who have contributed patches:
        Jeffrey Hutzelman               <[email protected]>
        Jesper Peterson                 <[email protected]>
        Jim Hutchins                    <[email protected]>
+        Jonathan Heusser                <[email protected]>
        Tatuya Jinmei                   <[email protected]>
        Jørgen Thomsen                  <[email protected]> 
        Julian Cowley                   <[email protected]>

diff --git a/print-isakmp.c b/print-isakmp.c
index 7ca6171dad693af298e4ee016f1bcd1ae2142b7f..c0d56efd02467f4542ecb3fe11e603b254ddac27 100644 (file)
--- a/print-isakmp.c
+++ b/print-isakmp.c
@@ -30,7 +30,7 @@
 
 #ifndef lint
 static const char rcsid[] _U_ =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.36.2.5 2003-12-20 10:02:46 guy Exp $ (LBL)";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.36.2.6 2004-01-07 07:53:17 hannes Exp $ (LBL)";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -327,9 +327,13 @@ rawprint(caddr_t loc, size_t len)
        static u_char *p;
        size_t i;
 
+       TCHECK2(*loc, len);
+       
        p = (u_char *)loc;
        for (i = 0; i < len; i++)
                printf("%02x", p[i] & 0xff);
+trunc:
+
 }
 
 struct attrmap {
@@ -1111,6 +1115,8 @@ isakmp_sub_print(u_char np, const struct isakmp_gen *ext, const u_char *ep,
        cp = (const u_char *)ext;
 
        while (np) {
+               TCHECK2(*ext, sizeof(e));
+               
                safememcpy(&e, ext, sizeof(e));
 
                if (ep < (u_char *)ext + ntohs(e.len)) {
@@ -1136,6 +1142,8 @@ isakmp_sub_print(u_char np, const struct isakmp_gen *ext, const u_char *ep,
                ext = (struct isakmp_gen *)cp;
        }
        return cp;
+trunc:
+       return NULL;
 }
 
 static char *

diff --git a/print-radius.c b/print-radius.c
index a8ec0db04a7002b79142c566c195391138b1d50c..77870f487476c7f8347e9e9a30d41dda3688445b 100644 (file)
--- a/print-radius.c
+++ b/print-radius.c
@@ -44,7 +44,7 @@
 
 #ifndef lint
 static const char rcsid[] _U_ =
-    "$Id: print-radius.c,v 1.19.2.2 2003-11-16 08:51:40 guy Exp $";
+    "$Id: print-radius.c,v 1.19.2.3 2004-01-07 07:53:17 hannes Exp $";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -467,7 +467,7 @@ print_attr_string(register u_char *data, u_int length, u_short attr_code )
         break;
    }
 
-   for (i=0; i < length ; i++, data++)
+   for (i=0; *data && i < length ; i++, data++)
        printf("%c",(*data < 32 || *data > 128) ? '.' : *data );
 
    printf("}");