From: hannes
Date: Wed, 7 Jan 2004 07:53:17 +0000 (+0000)
Subject: bugfix from Jonathan Heusser
X-Git-Tag: tcpdump-3.8.2~45
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/5c8ed3618aac34e300bc6ed5f02fabe1520f7b48

bugfix from Jonathan Heusser

The first critical piece of code is found in print-isakmp.c:332. The function rawprint() does not check its arguments thus it's easy for an attacker to pass a big 'len' or a bogus 'loc' leading to a segmentation fault in the for loop. The second bug is located in print-radius.c:471. The for loop of print_attr_string() is written in an unsafe manner. 'length' and 'data' should be checked.
---
diff --git a/CREDITS b/CREDITS
index 1f1ae6e1..36b967dd 100644
--- a/CREDITS
+++ b/CREDITS
@@ -52,6 +52,7 @@ Additional people who have contributed patches:
 Jeffrey Hutzelman
 Jesper Peterson
 Jim Hutchins
+ Jonathan Heusser
 Tatuya Jinmei
 Jørgen Thomsen
 Julian Cowley
diff --git a/print-isakmp.c b/print-isakmp.c
index 7ca6171d..c0d56efd 100644
--- a/print-isakmp.c
+++ b/print-isakmp.c
@@ -30,7 +30,7 @@
 #ifndef lint
 static const char rcsid[] _U_ =
- "@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.36.2.5 2003-12-20 10:02:46 guy Exp $ (LBL)";
+ "@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.36.2.6 2004-01-07 07:53:17 hannes Exp $ (LBL)";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -327,9 +327,13 @@ rawprint(caddr_t loc, size_t len)
 static u_char *p;
 size_t i;
 
+ TCHECK2(*loc, len);
+
 p = (u_char *)loc;
 for (i = 0; i < len; i++)
 printf("%02x", p[i] & 0xff);
+trunc:
+
 }
 
 struct attrmap {
@@ -1111,6 +1115,8 @@ isakmp_sub_print(u_char np, const struct isakmp_gen *ext, const u_char *ep,
 cp = (const u_char *)ext;
 while (np) {
+ TCHECK2(*ext, sizeof(e));
+
 safememcpy(&e, ext, sizeof(e));
 if (ep < (u_char *)ext + ntohs(e.len)) {
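Review bot: The new `trunc:` label in rawprint sits directly before the closing `}` with what appears to be an empty line between them, and before C23 a label must be followed by a statement, so a conforming compiler rejects this ("label at end of compound statement"); it needs at least a null statement, `trunc:\n\t;`. The function also stays `void`, so a caller cannot distinguish a complete hex dump from one cut short by the new TCHECK2 and will keep decoding as if the payload were fully present; returning an int (`return 1;` at the end of the normal path, `return 0;` after the label, with callers checking it) would let the caller stop and emit its usual truncation marker. TCHECK2's definition is outside this diff; if it only jumps to `trunc` without printing, a truncated dump currently leaves no visible trace in the output.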
@@ -1136,6 +1142,8 @@ isakmp_sub_print(u_char np, const struct isakmp_gen *ext, const u_char *ep,
 ext = (struct isakmp_gen *)cp;
 }
 return cp;
+trunc:
+ return NULL;
 }
 
 static char *
diff --git a/print-radius.c b/print-radius.c
index a8ec0db0..77870f48 100644
--- a/print-radius.c
+++ b/print-radius.c
@@ -44,7 +44,7 @@
 #ifndef lint
 static const char rcsid[] _U_ =
- "$Id: print-radius.c,v 1.19.2.2 2003-11-16 08:51:40 guy Exp $";
+ "$Id: print-radius.c,v 1.19.2.3 2004-01-07 07:53:17 hannes Exp $";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -467,7 +467,7 @@ print_attr_string(register u_char *data, u_int length, u_short attr_code )
 break;
 }
 
- for (i=0; i < length ; i++, data++)
+ for (i=0; *data && i < length ; i++, data++)
 printf("%c",(*data < 32 || *data > 128) ? '.' : *data );
 printf("}");
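Review bot: The new `trunc:` exit in isakmp_sub_print returns NULL where the normal path returns `cp`, a pointer into the packet, so every caller of isakmp_sub_print (none are in this diff) needs to be checked for a NULL test before it compares or subtracts the result against `ep`; a caller doing `ep - cp` or `cp < ep` on NULL would turn a truncation into the kind of out-of-bounds read this commit sets out to fix. The exit also prints nothing: unless TCHECK2 itself emits a marker (its definition is outside this diff), a payload chain that ends at the snapshot boundary is silently cut off, so a `printf(" [|isakmp]");` before `return NULL;` would keep the output honest about what was not decoded. The TCHECK2 added earlier in this function (previous hunk) presumably jumps to this same label and so shares both points.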
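Review bot: In the new loop condition `*data && i < length` the byte is dereferenced before the bound is tested, so on the final pass (i == length) one byte past the attribute is read before the loop exits — the same over-read the commit is fixing, now off by one; swap the operands: `for (i=0; i < length && *data ; i++, data++)`. Stopping at the first NUL only helps when the packet happens to contain one: `length` is the caller-supplied attribute length, not the amount of data actually captured, so a bound against the capture end (a TCHECK-style check on `data`/`length` before the loop, as the print-isakmp.c hunks do) is what actually prevents reading past the buffer, and the NUL stop additionally truncates legitimate binary-valued attributes. Separately, `*data > 128` lets 127 and 128 through `%c` as if printable; `*data > 126` matches the printable ASCII range. The rest of print_attr_string lies outside this hunk.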