bugfix from Jonathan Heusser <jonny@drugphish.ch>

The first critical piece of code is found in print-isakmp.c:332. The
  function rawprint() does not check its arguments, so it is easy for
  an attacker to pass a large 'len' or a bogus 'loc', leading to a
  segmentation fault in the for loop.

  The second bug is located in print-radius.c:471. The for loop of
  print_attr_string() is written in an unsafe manner. 'length'
  and 'data' should be checked.
hannes 2004-01-07 08:00:51 +00:00
parent de464d5e30
commit e0d20f2c08
3 changed files with 12 additions and 3 deletions


@ -53,6 +53,7 @@ Additional people who have contributed patches:
Jeffrey Hutzelman <jhutz@cmu.edu>
Jesper Peterson <jesper@endace.com>
Jim Hutchins <jim@ca.sandia.gov>
Jonathan Heusser <jonny@drugphish.ch>
Tatuya Jinmei <jinmei@kame.net>
Jørgen Thomsen <jth@jth.net>
Julian Cowley <julian@lava.net>


@ -30,7 +30,7 @@
#ifndef lint
static const char rcsid[] _U_ =
"@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.41 2003-12-20 10:03:19 guy Exp $ (LBL)";
"@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.42 2004-01-07 08:00:51 hannes Exp $ (LBL)";
#endif
#ifdef HAVE_CONFIG_H
@ -327,9 +327,13 @@ rawprint(caddr_t loc, size_t len)
static u_char *p;
size_t i;
TCHECK2(*loc, len);
p = (u_char *)loc;
for (i = 0; i < len; i++)
printf("%02x", p[i] & 0xff);
trunc:
}
struct attrmap {
@ -1111,6 +1115,8 @@ isakmp_sub_print(u_char np, const struct isakmp_gen *ext, const u_char *ep,
cp = (const u_char *)ext;
while (np) {
TCHECK2(*ext, sizeof(e));
safememcpy(&e, ext, sizeof(e));
if (ep < (u_char *)ext + ntohs(e.len)) {
@ -1136,6 +1142,8 @@ isakmp_sub_print(u_char np, const struct isakmp_gen *ext, const u_char *ep,
ext = (struct isakmp_gen *)cp;
}
return cp;
trunc:
return NULL;
}
static char *
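Review bot: In rawprint the new `trunc:` label is followed directly by the closing brace, and a label must be attached to a statement, so unless the rendering dropped a line here this will not compile; add `return;` after the label. Falling through `trunc:` also prints nothing for a truncated payload, so the hex dump is silently cut short with no marker in the output; a short truncation indicator there would make that visible in the trace. The TCHECK2 before the loop bounds p[i] against the capture end, which closes the oversized-len read described in the commit message, but `p` is declared `static` while only being used inside the call, so a plain local would avoid keeping a pointer into the packet buffer alive between calls. The same TCHECK2/trunc pattern is added in isakmp_sub_print in the two later hunks, where the matching `return NULL;` is present.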


@ -44,7 +44,7 @@
#ifndef lint
static const char rcsid[] _U_ =
"$Id: print-radius.c,v 1.23 2003-12-15 13:52:15 hannes Exp $";
"$Id: print-radius.c,v 1.24 2004-01-07 08:00:52 hannes Exp $";
#endif
#ifdef HAVE_CONFIG_H
@ -476,7 +476,7 @@ print_attr_string(register u_char *data, u_int length, u_short attr_code )
break;
}
for (i=0; i < length ; i++, data++)
for (i=0; *data && i < length ; i++, data++)
printf("%c",(*data < 32 || *data > 128) ? '.' : *data );
return;
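Review bot: The new loop condition tests `*data` before `i < length`, so the byte at `data` is dereferenced even when `length` is 0 and, at the final iteration, one byte past the attribute is read before the length test stops the loop; order the tests as `for (i=0; i < length && *data ; i++, data++)`. Nothing in the hunk bounds `data` against the end of the captured packet, which is what the description asks for, so unless the caller (outside this hunk) already checks the attribute length against the snapshot, an oversized length still reads past the buffer. Stopping at the first NUL also silently truncates attribute strings containing an embedded zero byte, which is a behaviour change worth a one-line comment on the loop. print_attr_string's closing brace is outside the hunk.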