bugfix from Jonathan Heusser <[email protected]>

  The first critical piece of code is found in print-isakmp.c:332. The
  function rawprint() does not check its arguments thus it's easy for
  an attacker to pass a big 'len' or a bogus 'loc' leading to a
  segmentation fault in the for loop.

  The second bug is located in print-radius.c:471. The for loop of
  print_attr_string() is written in an unsafe manner. 'length'
  and 'data' should be checked.

diff --git a/CREDITS b/CREDITS
index 0183a819e9be50d4c25c4ba1b6d947cf3004ecbb..40e4d3620e0d77ccea94d93f49a8bb93cf711553 100644 (file)
--- a/CREDITS
+++ b/CREDITS
@@ -53,6 +53,7 @@ Additional people who have contributed patches:
        Jeffrey Hutzelman               <[email protected]>
        Jesper Peterson                 <[email protected]>
        Jim Hutchins                    <[email protected]>
+        Jonathan Heusser                <[email protected]>
        Tatuya Jinmei                   <[email protected]>
        Jørgen Thomsen                  <[email protected]> 
        Julian Cowley                   <[email protected]>

diff --git a/print-isakmp.c b/print-isakmp.c
index 84d4c5de085291668cd4a1f7c12d1ce1af9dc48d..49e798c933c5279d032bf621fc139588a1c70ead 100644 (file)
--- a/print-isakmp.c
+++ b/print-isakmp.c
@@ -30,7 +30,7 @@
 
 #ifndef lint
 static const char rcsid[] _U_ =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.41 2003-12-20 10:03:19 guy Exp $ (LBL)";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.42 2004-01-07 08:00:51 hannes Exp $ (LBL)";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -327,9 +327,13 @@ rawprint(caddr_t loc, size_t len)
        static u_char *p;
        size_t i;
 
+       TCHECK2(*loc, len);
+       
        p = (u_char *)loc;
        for (i = 0; i < len; i++)
                printf("%02x", p[i] & 0xff);
+trunc:
+
 }
 
 struct attrmap {
@@ -1111,6 +1115,8 @@ isakmp_sub_print(u_char np, const struct isakmp_gen *ext, const u_char *ep,
        cp = (const u_char *)ext;
 
        while (np) {
+               TCHECK2(*ext, sizeof(e));
+               
                safememcpy(&e, ext, sizeof(e));
 
                if (ep < (u_char *)ext + ntohs(e.len)) {
@@ -1136,6 +1142,8 @@ isakmp_sub_print(u_char np, const struct isakmp_gen *ext, const u_char *ep,
                ext = (struct isakmp_gen *)cp;
        }
        return cp;
+trunc:
+       return NULL;
 }
 
 static char *

diff --git a/print-radius.c b/print-radius.c
index 577a327ffcb807f1359482b1ea8a5078abe7d41a..d388a8f1278fcc50fc044501e9f75314650637fc 100644 (file)
--- a/print-radius.c
+++ b/print-radius.c
@@ -44,7 +44,7 @@
 
 #ifndef lint
 static const char rcsid[] _U_ =
-    "$Id: print-radius.c,v 1.23 2003-12-15 13:52:15 hannes Exp $";
+    "$Id: print-radius.c,v 1.24 2004-01-07 08:00:52 hannes Exp $";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -476,7 +476,7 @@ print_attr_string(register u_char *data, u_int length, u_short attr_code )
         break;
    }
 
-   for (i=0; i < length ; i++, data++)
+   for (i=0; *data && i < length ; i++, data++)
        printf("%c",(*data < 32 || *data > 128) ? '.' : *data );
 
    return;