The first critical piece of code is found in print-isakmp.c:332. The
function rawprint() does not check its arguments, so an attacker can
easily pass a large 'len' or a bogus 'loc', leading to a
segmentation fault in the for loop.
The second bug is located in print-radius.c:471. The for loop in
print_attr_string() is written in an unsafe manner: 'length'
and 'data' should be checked before they are used.
#ifndef lint
static const char rcsid[] _U_ =
#ifndef lint
static const char rcsid[] _U_ =
- "@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.36.2.5 2003-12-20 10:02:46 guy Exp $ (LBL)";
+ "@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.36.2.6 2004-01-07 07:53:17 hannes Exp $ (LBL)";
#endif
#ifdef HAVE_CONFIG_H
#endif
#ifdef HAVE_CONFIG_H
static u_char *p;
size_t i;
static u_char *p;
size_t i;
p = (u_char *)loc;
for (i = 0; i < len; i++)
printf("%02x", p[i] & 0xff);
p = (u_char *)loc;
for (i = 0; i < len; i++)
printf("%02x", p[i] & 0xff);
cp = (const u_char *)ext;
while (np) {
cp = (const u_char *)ext;
while (np) {
+ TCHECK2(*ext, sizeof(e));
+
safememcpy(&e, ext, sizeof(e));
if (ep < (u_char *)ext + ntohs(e.len)) {
safememcpy(&e, ext, sizeof(e));
if (ep < (u_char *)ext + ntohs(e.len)) {
ext = (struct isakmp_gen *)cp;
}
return cp;
ext = (struct isakmp_gen *)cp;
}
return cp;
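Review bot: The rawprint hunk (the `for (i = 0; i < len; i++)` loop that prints `p[i]`) still shows no check that `loc` through `loc + len` lies inside the captured packet, although the advisory names that loop as the first crash site; if the rendering dropped an added line this is moot, otherwise the loop needs the same snapshot-length guard this commit adds ahead of `safememcpy`, i.e. `TCHECK2(*loc, len);` before the loop, assuming the function has the `trunc:` label TCHECK2 expects. In the `while (np)` hunk, `ep < (u_char *)ext + ntohs(e.len)` forms a pointer past the end of the buffer before comparing it; `ntohs(e.len) > (size_t)(ep - (const u_char *)ext)` makes the same test on lengths without leaving the object. The loop body that consumes `e.len` is outside the hunk, so whether a zero `e.len` can leave the loop without advancing cannot be judged from here.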
#ifndef lint
static const char rcsid[] _U_ =
#ifndef lint
static const char rcsid[] _U_ =
- "$Id: print-radius.c,v 1.19.2.2 2003-11-16 08:51:40 guy Exp $";
+ "$Id: print-radius.c,v 1.19.2.3 2004-01-07 07:53:17 hannes Exp $";
#endif
#ifdef HAVE_CONFIG_H
#endif
#ifdef HAVE_CONFIG_H
- for (i=0; i < length ; i++, data++)
+ for (i=0; *data && i < length ; i++, data++)
printf("%c",(*data < 32 || *data > 128) ? '.' : *data );
printf("}");
printf("%c",(*data < 32 || *data > 128) ? '.' : *data );
printf("}");
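Review bot: The new condition `*data && i < length` reads `*data` before testing `i < length`, so on the final iteration it dereferences `data[length]`, one byte past the attribute, and it also stops at the first NUL even though RADIUS string values are not required to be NUL-terminated, silently truncating output; `for (i = 0; i < length && *data; i++, data++)` at least orders the tests so no byte outside the attribute is read. Neither form checks that the attribute lies inside the captured snapshot, which is the crash the advisory describes; a `TCHECK2(*data, length);` before the loop (with the `trunc:` label TCHECK2 expects) is the check this same commit adds in print-isakmp.c. The printable test `*data < 32 || *data > 128` also passes bytes 127 and 128 through to the terminal unescaped; `*data > 126` matches the printable ASCII range, assuming `data` is an unsigned byte pointer. print_attr_string's signature and the start of this loop's enclosing function are outside the hunk.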