Re: tcptrace-bugs possible bug in tcpdump.c

From: Manikantan Ramadas (mramadas@masaka.cs.ohiou.edu)
Date: 10/07/04


Date: Thu, 7 Oct 2004 16:09:54 -0400
From: Manikantan Ramadas <mramadas@masaka.cs.ohiou.edu>
Subject: Re: tcptrace-bugs possible bug in tcpdump.c
Message-ID: <20041007200954.GA16544@masaka.cs.ohiou.edu>


Hi!

  Thanks for sending us this bug report. I have patched tcptrace with
proper bounds checking now. You may get it from the CVS pserver off of
the tcptrace web-page if you are interested.

Thanks again,
Mani.

On Mon, Jul 26, 2004 at 05:30:11PM +0200, Marco Mellia wrote:
> While using part of tcptrace source for our tool tstat, I found a possible bug
> in the libpcap routines:
> in the callback function, a memcpy is issued to copy the captured IP packet
> into the local ip_buf buffer.
> The problem is that you start copying after the libpcap headers (identified by
> the "offset" value), but you then copy the whole captured packet.
> While this is usually a problem (since we are reading from garbage and copying
> to a very large buffer), it may cause problems when interpreting the bytes of
> the headers in case of short snapshots.
>
> To correct the bug, simply do something like
>
> iplen -= offset;
>
> when you got the correct offset value.
>
> For example,
> (to be repeated every time you do a memcpy of iplen size...)
> -----------
> case PCAP_DLT_EN10MB:
>     offset = find_ip_eth (buf); /* Here we check if we are dealing with
>                                    Straight Ethernet encapsulation or PPPoE */
>     memcpy (&eth_header, buf, EH_SIZE); /* save ether header */
>     switch (offset)
>     {
>     case -1: /* Not an IP packet */
>         return (-1);
>     case EH_SIZE: /* straight Ethernet encapsulation */
>         memcpy ((char *) ip_buf, buf + offset, iplen);
>         callback_plast = ip_buf + iplen - offset - 1;
>     .
>     .
>     .
> ----------------
> to
> ----------------
> case PCAP_DLT_EN10MB:
>     offset = find_ip_eth (buf); /* Here we check if we are dealing with
>                                    Straight Ethernet encapsulation or PPPoE */
>
>     iplen -= offset;
>
>     memcpy (&eth_header, buf, EH_SIZE); /* save ether header */
>     switch (offset)
>     {
>     case -1: /* Not an IP packet */
>         return (-1);
>     case EH_SIZE: /* straight Ethernet encapsulation */
>         memcpy ((char *) ip_buf, buf + offset, iplen);
>         callback_plast = ip_buf + iplen - offset - 1;
>         break;
>     .
>     .
>     .
> -------------------------
>
> Hope this helps
>
>
> --
> Ciao, /\/\/\rco
>
> +-----------------------------------+
> | Marco Mellia - Assistant Professor|
> | Tel: 39-011-2276-608 |
> | Tel: 39-011-564-4173 |
> | Cel: 39-340-9674888 | /"\ .. . . . . . . . . . . . .
> | Politecnico di Torino | \ / . ASCII Ribbon Campaign .
> | Corso Duca degli Abruzzi 24 | X .- NO HTML/RTF in e-mail .
> | Torino - 10129 - Italy | / \ .- NO Word docs in e-mail.
> | http://www1.tlc.polito.it/mellia | .. . . . . . . . . . . . .
> +-----------------------------------+
> The box said "Requires Windows 95 or Better." So I installed Linux.

-- 
"'Beauty is truth, truth beauty,'--that is all
  Ye know on earth, and all ye need to know." - John Keats
____________________________________________________________________
  
* Manikantan Ramadas * IRG, OU * http://irg.cs.ohiou.edu/~mramadas *
____________________________________________________________________
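The over-read Marco describes, and the bounded copy Mani says the CVS version now does, shown in an added stand-alone example. This is not tcptrace or tstat code: the pkthdr struct stands in for libpcap's caplen/len pair, find_ip_eth is a simplified re-implementation that walks plain Ethernet and PPPoE-session encapsulation (assumed names and layout), the frames are constructed inline, and copy_ip and the demo_* helpers are illustrative. The point it makes is that the link-layer bytes before the IP header are part of caplen, so copying caplen bytes from buf + offset reads offset bytes past the capture, and with a short snapshot the caller is then handed fewer real IP bytes than it thinks it has.

```c
/* Added example, not tcptrace/tstat code: bounded copy of the IP packet out of a
 * captured Ethernet frame. Struct names, find_ip_eth and the test frames are
 * constructed for this illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EH_SIZE             14      /* Ethernet header */
#define PPPOE_SES_SIZE      6       /* PPPoE session header */
#define PPP_PROTO_SIZE      2       /* PPP protocol field */
#define ETHERTYPE_IP        0x0800
#define ETHERTYPE_PPPOE_SES 0x8864
#define PPP_IP              0x0021
#define IP_MIN_HDR          20      /* smallest IPv4 header we will interpret */

/* Stand-in for libpcap's pcap_pkthdr: caplen = bytes in buf, len = on the wire */
struct pkthdr { uint32_t caplen; uint32_t len; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Offset of the IP header inside the frame, or -1. caplen is passed so the
 * header walk itself never reads beyond the snapshot. */
int find_ip_eth(const uint8_t *buf, uint32_t caplen)
{
    if (caplen < EH_SIZE) return -1;
    uint16_t type = be16(buf + 12);
    if (type == ETHERTYPE_IP) return EH_SIZE;
    if (type == ETHERTYPE_PPPOE_SES) {
        size_t off = EH_SIZE + PPPOE_SES_SIZE;
        if (caplen < off + PPP_PROTO_SIZE) return -1;
        if (be16(buf + off) == PPP_IP) return (int)(off + PPP_PROTO_SIZE);
    }
    return -1;
}

/* Bounded copy: bytes of IP data placed in ip_buf, or -1 when the frame is
 * not IP or the snapshot is too short to hold even a minimal IP header. */
int copy_ip(const struct pkthdr *h, const uint8_t *buf, uint8_t *ip_buf, size_t ip_buf_size)
{
    int offset = find_ip_eth(buf, h->caplen);
    if (offset < 0) return -1;
    size_t iplen = h->caplen - (size_t)offset;   /* the fix: drop the link-layer bytes */
    if (iplen < IP_MIN_HDR) return -1;           /* short snapshot: do not parse garbage */
    if (iplen > ip_buf_size) iplen = ip_buf_size;
    memcpy(ip_buf, buf + offset, iplen);
    return (int)iplen;
}

/* Constructed frame: Ethernet, optionally PPPoE session, carrying a minimal
 * IPv4 header plus `payload` bytes. mode 0 = plain IP, 1 = PPPoE, 2 = ARP. */
size_t build_frame(uint8_t *out, size_t out_size, int mode, size_t payload)
{
    if (out_size < EH_SIZE + PPPOE_SES_SIZE + PPP_PROTO_SIZE + IP_MIN_HDR + payload) return 0;
    memset(out, 0, out_size);
    memset(out, 0xaa, 6); memset(out + 6, 0xbb, 6);
    size_t n = 12;
    if (mode == 1) {
        out[n++] = 0x88; out[n++] = 0x64;           /* EtherType PPPoE session */
        out[n++] = 0x11; out[n++] = 0x00;           /* ver/type, code */
        out[n++] = 0x00; out[n++] = 0x01;           /* session id */
        uint16_t plen = (uint16_t)(PPP_PROTO_SIZE + IP_MIN_HDR + payload);
        out[n++] = (uint8_t)(plen >> 8); out[n++] = (uint8_t)plen;
        out[n++] = 0x00; out[n++] = 0x21;           /* PPP protocol: IP */
    } else if (mode == 2) {
        out[n++] = 0x08; out[n++] = 0x06;           /* ARP: not IP */
    } else {
        out[n++] = 0x08; out[n++] = 0x00;           /* IPv4 */
    }
    uint16_t tot = (uint16_t)(IP_MIN_HDR + payload);
    out[n] = 0x45; out[n + 2] = (uint8_t)(tot >> 8); out[n + 3] = (uint8_t)tot;
    out[n + 8] = 64; out[n + 9] = 6;                /* TTL, TCP */
    n += IP_MIN_HDR;
    memset(out + n, 0x41, payload); n += payload;
    return n;
}

/* One case: build a frame, pretend libpcap kept only `caplen` bytes of it
 * (0 = the whole frame) and return what copy_ip reports. */
int demo_copy(int mode, size_t payload, uint32_t caplen)
{
    uint8_t frame[256], ip_buf[2048];   /* ip_buf sized for the demo only */
    size_t n = build_frame(frame, sizeof frame, mode, payload);
    struct pkthdr h = { caplen ? caplen : (uint32_t)n, (uint32_t)n };
    return copy_ip(&h, frame, ip_buf, sizeof ip_buf);
}

/* How far the unchecked memcpy(ip_buf, buf + offset, caplen) reads past the
 * captured bytes: the read ends at offset + caplen, the capture at caplen. */
int demo_overread(int mode, size_t payload, uint32_t caplen)
{
    uint8_t frame[256];
    size_t n = build_frame(frame, sizeof frame, mode, payload);
    uint32_t cl = caplen ? caplen : (uint32_t)n;
    int offset = find_ip_eth(frame, cl);
    if (offset < 0) return 0;
    size_t read_end = (size_t)offset + cl;
    return (int)(read_end - cl);
}

int main(void)
{
    printf("eth, full capture:   copied %d IP bytes, unchecked over-read %d\n",
           demo_copy(0, 8, 0), demo_overread(0, 8, 0));
    printf("pppoe, full capture: copied %d IP bytes, unchecked over-read %d\n",
           demo_copy(1, 8, 0), demo_overread(1, 8, 0));
    printf("eth, caplen 30:      copied %d (too short to parse), over-read %d\n",
           demo_copy(0, 8, 30), demo_overread(0, 8, 30));
    printf("arp frame:           copied %d\n", demo_copy(2, 8, 0));
    return 0;
}
```

With a 30-byte snapshot of a plain Ethernet frame only 16 IP bytes were captured; the unchecked copy would move 30 bytes from buf + 14, read 14 bytes of whatever follows the capture buffer, and leave later code believing it holds a complete 20-byte IP header. The bounded version refuses the packet instead, which is the "short snapshots" case in the report.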
This archive was generated by hypermail 2.1.7 : 10/08/04 EDT