From: Guy Harris <guy@alum.mit.edu>
Date: Mon, 6 Feb 2017 22:33:50 +0000 (-0800)
Subject: CVE-2017-12990/Fix printing of ISAKMPv1 Notification payload data.
X-Git-Tag: tcpdump-4.99-bp~1967
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/c2ef693866beae071a24b45c49f9674af1df4028

CVE-2017-12990/Fix printing of ISAKMPv1 Notification payload data.

The closest thing to a specification for the contents of the payload
data is draft-ietf-ipsec-notifymsg-04, and nothing in there says that it
is ever a complete ISAKMP message, so don't dissect types we don't have
specific code for as a complete ISAKMP message.

While we're at it, fix a comment, and clean up printing of V1 Nonce,
V2 Authentication payloads, and v2 Notice payloads.

This fixes an infinite loop discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add a test using the capture file supplied by the reporter(s).
---

diff --git a/print-isakmp.c b/print-isakmp.c
index 2fa15b86..9de9b75d 100644
--- a/print-isakmp.c
+++ b/print-isakmp.c
@@ -428,7 +428,7 @@ struct notify_messages {
 	char     *msg;
 };
 
-/* 3.8 Notification Payload */
+/* 3.8 Authentication Payload */
 struct ikev2_auth {
 	struct isakmp_gen h;
 	uint8_t  auth_method;  /* Protocol-ID */
@@ -1590,15 +1590,20 @@ ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
 
 	ND_TCHECK(*ext);
 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
-	ND_PRINT((ndo," n len=%d", ntohs(e.len) - 4));
-	if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
-		ND_PRINT((ndo," "));
-		if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
-			goto trunc;
-	} else if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
-		ND_PRINT((ndo," "));
-		if (!ike_show_somedata(ndo, (const u_char *)(const uint8_t *)(ext + 1), ep))
-			goto trunc;
+	/*
+	 * Our caller has ensured that the length is >= 4.
+	 */
+	ND_PRINT((ndo," n len=%u", ntohs(e.len) - 4));
+	if (ntohs(e.len) > 4) {
+		if (ndo->ndo_vflag > 2) {
+			ND_PRINT((ndo, " "));
+			if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
+				goto trunc;
+		} else if (ndo->ndo_vflag > 1) {
+			ND_PRINT((ndo, " "));
+			if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep))
+				goto trunc;
+		}
 	}
 	return (const u_char *)ext + ntohs(e.len);
 trunc:
@@ -1609,8 +1614,8 @@ trunc:
 static const u_char *
 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
 	      const struct isakmp_gen *ext, u_int item_len,
-	      const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
-	      uint32_t proto0 _U_, int depth)
+	      const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_,
+	      uint32_t proto0 _U_, int depth _U_)
 {
 	const struct ikev1_pl_n *p;
 	struct ikev1_pl_n n;
@@ -1712,35 +1717,41 @@ ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
 	ep2 = (const u_char *)p + item_len;
 
 	if (cp < ep) {
-		ND_PRINT((ndo," orig=("));
 		switch (ntohs(n.type)) {
 		case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
 		    {
 			const struct attrmap *map = oakley_t_map;
 			size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
+			ND_PRINT((ndo," attrs=("));
 			while (cp < ep && cp < ep2) {
 				cp = ikev1_attrmap_print(ndo, cp,
 					(ep < ep2) ? ep : ep2, map, nmap);
 			}
+			ND_PRINT((ndo,")"));
 			break;
 		    }
 		case IPSECDOI_NTYPE_REPLAY_STATUS:
+			ND_PRINT((ndo," status=("));
 			ND_PRINT((ndo,"replay detection %sabled",
 				  EXTRACT_32BITS(cp) ? "en" : "dis"));
-			break;
-		case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
-			if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA,
-					    (const struct isakmp_gen *)cp, ep, phase, doi, proto,
-					    depth) == NULL)
-				return NULL;
+			ND_PRINT((ndo,")"));
 			break;
 		default:
-			/* NULL is dummy */
-			isakmp_print(ndo, cp,
-				     item_len - sizeof(*p) - n.spi_size,
-				     NULL);
+			/*
+			 * XXX - fill in more types here; see, for example,
+			 * draft-ietf-ipsec-notifymsg-04.
+			 */
+			if (ndo->ndo_vflag > 3) {
+				ND_PRINT((ndo," data=("));
+				if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
+					goto trunc;
+				ND_PRINT((ndo,")"));
+			} else {
+				if (!ike_show_somedata(ndo, cp, ep))
+					goto trunc;
+			}
+			break;
 		}
-		ND_PRINT((ndo,")"));
 	}
 	return (const u_char *)ext + item_len;
 trunc:
@@ -2264,16 +2275,21 @@ ikev2_auth_print(netdissect_options *ndo, u_char tpay,
 	ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
 	len = ntohs(a.h.len);
 
-	ND_PRINT((ndo," len=%d method=%s", len-4,
+	/*
+	 * Our caller has ensured that the length is >= 4.
+	 */
+	ND_PRINT((ndo," len=%u method=%s", len-4,
 		  STR_OR_ID(a.auth_method, v2_auth)));
-
-	if (1 < ndo->ndo_vflag && 4 < len) {
-		ND_PRINT((ndo," authdata=("));
-		if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a)))
-			goto trunc;
-		ND_PRINT((ndo,") "));
-	} else if(ndo->ndo_vflag && 4 < len) {
-		if(!ike_show_somedata(ndo, authdata, ep)) goto trunc;
+	if (len > 4) {
+		if (ndo->ndo_vflag > 1) {
+			ND_PRINT((ndo, " authdata=("));
+			if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a)))
+				goto trunc;
+			ND_PRINT((ndo, ") "));
+		} else if (ndo->ndo_vflag) {
+			if (!ike_show_somedata(ndo, authdata, ep))
+				goto trunc;
+		}
 	}
 
 	return (const u_char *)ext + len;
@@ -2322,7 +2338,7 @@ ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
 	const struct ikev2_n *p;
 	struct ikev2_n n;
 	const u_char *cp;
-	u_char showspi, showdata, showsomedata;
+	u_char showspi, showsomedata;
 	const char *notify_name;
 	uint32_t type;
 
@@ -2332,7 +2348,6 @@ ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
 	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
 
 	showspi = 1;
-	showdata = 0;
 	showsomedata=0;
 	notify_name=NULL;
 
@@ -2446,7 +2461,6 @@ ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
 		notify_name = "cookie";
 		showspi = 1;
 		showsomedata= 1;
-		showdata= 0;
 		break;
 
 	case IV2_NOTIFY_USE_TRANSPORT_MODE:
@@ -2499,19 +2513,17 @@ ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
 
 	cp = (const u_char *)(p + 1) + n.spi_size;
 
-	if(3 < ndo->ndo_vflag) {
-		showdata = 1;
-	}
-
-	if ((showdata || (showsomedata && ep-cp < 30)) && cp < ep) {
-		ND_PRINT((ndo," data=("));
-		if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
-			goto trunc;
-
-		ND_PRINT((ndo,")"));
+	if (cp < ep) {
+		if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) {
+			ND_PRINT((ndo," data=("));
+			if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
+				goto trunc;
 
-	} else if(showsomedata && cp < ep) {
-		if(!ike_show_somedata(ndo, cp, ep)) goto trunc;
+			ND_PRINT((ndo,")"));
+		} else if (showsomedata) {
+			if (!ike_show_somedata(ndo, cp, ep))
+				goto trunc;
+		}
 	}
 
 	return (const u_char *)ext + item_len;
@@ -3091,7 +3103,3 @@ trunc:
  * c-basic-offset: 8
  * End:
  */
-
-
-
-
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 1e162401..ed5b82aa 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -465,6 +465,7 @@ tok2str-oobr-2		tok2str-oobr-2.pcap		tok2str-oobr-2.out	-vvv -e
 eigrp-tlv-oobr		eigrp-tlv-oobr.pcap		eigrp-tlv-oobr.out	-vvv -e
 zephyr-oobr		zephyr-oobr.pcap		zephyr-oobr.out		-vvv -e
 bgp-as-path-oobr	bgp-as-path-oobr.pcap		bgp-as-path-oobr.out	-vvv -e
+isakmp-no-none-np	isakmp-no-none-np.pcap		isakmp-no-none-np.out	-vvv -e
 
 # RTP tests
 # fuzzed pcap
diff --git a/tests/isakmp-no-none-np.out b/tests/isakmp-no-none-np.out
new file mode 100644
index 00000000..eb91c804
--- /dev/null
+++ b/tests/isakmp-no-none-np.out
@@ -0,0 +1,78 @@
+00:0c:29:86:c8:36 > 00:1a:4b:6a:ce:fe, ethertype IPv4 (0x0800), length 2228: (tos 0x0, ttl 128, id 28793, offset 0, flags [none], proto UDP (17), length 2214)
+    192.168.1.25.500 > 192.168.1.10.500: [udp sum ok] isakmp 1.0 msgid 5f724dc6 cookie 0000000000000000->0000000000000000: phase 2/others ? inf:
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=000000000b1005005f724dc600000054 data=(0b00001c000000010110...0100000700000000000000000000000000000000))
+    (n: doi=ipsec proto=isakmp type=INVALID-MAJOR-VERSION spi=0000000000000000000000000010ba00 data=(00ff1d00020082001101...0100000700000000000000000000000000000000)) [|n] (len mismatch: isakmp 84/ip 2186)
diff --git a/tests/isakmp-no-none-np.pcap b/tests/isakmp-no-none-np.pcap
new file mode 100644
index 00000000..fd388d61
Binary files /dev/null and b/tests/isakmp-no-none-np.pcap differ