tcptrace-bugs possible bug in tcpdump.c

From: Marco Mellia (mellia@prezzemolo.polito.it)
Date: 07/26/04


From: Marco Mellia <mellia@prezzemolo.polito.it>
Subject: tcptrace-bugs possible bug in tcpdump.c
Date: Mon, 26 Jul 2004 17:30:11 +0200
Message-Id: <200407261730.11835.mellia@mail.tlc.polito.it>

While using part of the tcptrace source for our tool tstat, I found a possible bug
in the libpcap routines:
in the callback function, a memcpy is issued to copy the captured IP packet
into the local ip_buf buffer.
The problem is that you start copying after the libpcap headers (identified by
the "offset" value), but you then copy the whole captured packet.
While this is usually a problem (since we are reading from garbage and copying
to a very large buffer), it may cause problems when interpreting the bytes of
the headers in case of short snapshots.

To correct the bug, simply do something like

      iplen -= offset;

once you have the correct offset value.

For example,
(to be repeated every time you do a memcpy of iplen size...)
-----------
    case PCAP_DLT_EN10MB:
      offset = find_ip_eth (buf); /* Here we check if we are dealing with
                                        Straight Ethernet encapsulation or PPPoE */
      memcpy (&eth_header, buf, EH_SIZE); /* save ether header */
      switch (offset)
        {
        case -1: /* Not an IP packet */
          return (-1);
        case EH_SIZE: /* straight Ethernet encapsulation */
          memcpy ((char *) ip_buf, buf + offset, iplen);
          callback_plast = ip_buf + iplen - offset - 1;
.
.
.
----------------
to
----------------
    case PCAP_DLT_EN10MB:
      offset = find_ip_eth (buf); /* Here we check if we are dealing with
                                        Straight Ethernet encapsulation or PPPoE */

      iplen -= offset;

      memcpy (&eth_header, buf, EH_SIZE); /* save ether header */
      switch (offset)
        {
        case -1: /* Not an IP packet */
          return (-1);
        case EH_SIZE: /* straight Ethernet encapsulation */
          memcpy ((char *) ip_buf, buf + offset, iplen);
          callback_plast = ip_buf + iplen - offset - 1;
          break;
.
.
.
-------------------------

Hope this helps

-- 
Ciao,                    /\/\/\rco
+-----------------------------------+  
| Marco Mellia - Assistant Professor|
| Tel: 39-011-2276-608              |
| Tel: 39-011-564-4173              |
| Cel: 39-340-9674888               |   /"\  .. . . . . . . . . . . . .
| Politecnico di Torino             |   \ /  . ASCII Ribbon Campaign  .
| Corso Duca degli Abruzzi 24       |    X   .- NO HTML/RTF in e-mail .
| Torino - 10129 - Italy            |   / \  .- NO Word docs in e-mail.
| http://www1.tlc.polito.it/mellia  |        .. . . . . . . . . . . . .
+-----------------------------------+
The box said "Requires Windows 95 or Better." So I installed Linux.
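Added example (editor's code, not part of Marco's message and not tcptrace source): a stand-alone C program that models the pcap callback the message describes. `buf` holds `caplen` captured bytes (the value the posted snippet calls `iplen`), `find_ip_offset()` is a stand-in for tcptrace's `find_ip_eth()` that recognises plain IPv4 and IPv4 over a PPPoE session frame, and the copy takes only `caplen - offset` bytes, so the memcpy never reads past the end of the capture. Two points the posted snippets leave open are handled here: the copy is refused when the snapshot ends inside the link-layer header (`caplen <= offset`), and `ipv4_header_complete()` checks that a short snapshot actually contains the whole IP header before its fields are interpreted. Note also that once `iplen -= offset` has run, the "after" snippet's `callback_plast = ip_buf + iplen - offset - 1` subtracts `offset` a second time; the last valid byte is simply `ip_buf + iplen - 1`, as computed below. The Ethernet, PPPoE and IPv4/TCP frames are constructed inline for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EH_SIZE        14      /* Ethernet II header */
#define PPPOE_SES_SIZE 6       /* PPPoE session header (RFC 2516) */
#define PPP_PROTO_SIZE 2       /* PPP protocol field */
#define IP_BUF_SIZE    65536

static uint8_t ip_buf[IP_BUF_SIZE];   /* the "very large buffer" the copy lands in */

/* Stand-in for tcptrace's find_ip_eth() (assumption, not the real function):
 * offset of the IP header inside an Ethernet frame, or -1 if the frame is not
 * IPv4 (plain or PPPoE session).  It never looks past caplen. */
static int find_ip_offset(const uint8_t *buf, size_t caplen)
{
    if (caplen < EH_SIZE)
        return -1;
    unsigned ethertype = (unsigned)buf[12] << 8 | buf[13];
    if (ethertype == 0x0800)                       /* IPv4 */
        return EH_SIZE;
    if (ethertype == 0x8864) {                     /* PPPoE session stage */
        size_t ppp = EH_SIZE + PPPOE_SES_SIZE;
        if (caplen < ppp + PPP_PROTO_SIZE)
            return -1;
        unsigned proto = (unsigned)buf[ppp] << 8 | buf[ppp + 1];
        if (proto == 0x0021)                       /* IPv4 over PPP */
            return (int)(ppp + PPP_PROTO_SIZE);
    }
    return -1;
}

/* Body of a pcap callback: buf holds caplen captured bytes (pcap_pkthdr.caplen).
 * Copies the IP part into out and returns its length, or -1 if there is
 * nothing safe to copy. */
static long copy_ip_from_frame(const uint8_t *buf, size_t caplen,
                               uint8_t *out, size_t out_size,
                               const uint8_t **plast_out)
{
    int offset = find_ip_offset(buf, caplen);
    if (offset < 0)
        return -1;                            /* not an IP packet */
    if (caplen <= (size_t)offset)
        return -1;                            /* snapshot ends inside the link header */
    size_t iplen = caplen - (size_t)offset;   /* the fix: only what was captured */
    if (iplen > out_size)
        return -1;
    memcpy(out, buf + offset, iplen);         /* never reads past buf + caplen */
    if (plast_out)
        *plast_out = out + iplen - 1;         /* last valid byte; offset already removed */
    return (long)iplen;
}

/* Short-snapshot check: do we hold the whole IPv4 header, or only part of it? */
static int ipv4_header_complete(const uint8_t *ip, size_t iplen)
{
    if (iplen < 20 || (ip[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    return ihl >= 20 && ihl <= iplen;
}

/* Constructed sample: Ethernet + IPv4 + TCP SYN, 54 bytes; IP Total Length says 1500. */
static const uint8_t eth_frame[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00, 0x05,0xdc, 0x1c,0x46, 0x40,0x00, 0x40,0x06, 0x00,0x00,
    0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0x02,
    0x30,0x39, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00,
};

/* Same packet re-encapsulated in a constructed PPPoE session frame (IP at offset 22). */
static uint8_t pppoe_frame[62];
static size_t build_pppoe_frame(void)
{
    static const uint8_t hdr[] = { 0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
                                   0x88,0x64, 0x11,0x00, 0x00,0x01, 0x00,0x2a, 0x00,0x21 };
    memcpy(pppoe_frame, hdr, sizeof hdr);
    memcpy(pppoe_frame + sizeof hdr, eth_frame + EH_SIZE, sizeof eth_frame - EH_SIZE);
    return sizeof hdr + sizeof eth_frame - EH_SIZE;
}

int main(void)
{
    const uint8_t *plast;
    size_t snaps[] = { sizeof eth_frame, 24, 14 };    /* full, truncated, link header only */
    for (size_t i = 0; i < 3; i++) {
        long n = copy_ip_from_frame(eth_frame, snaps[i], ip_buf, sizeof ip_buf, &plast);
        printf("caplen=%zu iplen=%ld header_complete=%d\n", snaps[i], n,
               n > 0 ? ipv4_header_complete(ip_buf, (size_t)n) : 0);
    }
    size_t len = build_pppoe_frame();
    printf("pppoe caplen=%zu offset=%d iplen=%ld\n", len, find_ip_offset(pppoe_frame, len),
           copy_ip_from_frame(pppoe_frame, len, ip_buf, sizeof ip_buf, NULL));
    return 0;
}
```

With the full 54-byte frame the copy yields 40 IP bytes and a complete header; with a snapshot cut at 24 bytes it yields 10 bytes, and the header check fails rather than letting the caller read IHL, Total Length or the transport ports out of bytes that were never captured. The original `memcpy(ip_buf, buf + offset, iplen)` would instead have read `offset` bytes beyond the capture and reported a length that includes them.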


This archive was generated by hypermail 2.1.7 : 07/26/04 EDT