Subject: bin/13407: tcpdump crashes trying to print certain nfs packets
To: None <gnats-bugs@gnats.netbsd.org>
From: None <dbj@netbsd.org>
List: netbsd-bugs
Date: 07/08/2001 03:30:55
>Number: 13407
>Category: bin
>Synopsis: tcpdump crashes trying to print certain nfs packets
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Jul 08 00:31:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Darrin B. Jewell
>Release: NetBSD 1.5.1, also -current updated via cvs ~20010626
>Organization:
unorganized
>Environment:
System: NetBSD rocinante.zlz.net 1.5.1 NetBSD 1.5.1 (ROCINANTE) #7: Mon Jun 18 03:37:42 EDT 2001 dbj@rocinante.zlz.net:/u0/usr/src/sys/arch/i386/compile/ROCINANTE i386
>Description:
While trying to debug Mac OS X as an NFS client, I observed that
tcpdump would repeatably coredump trying to print out certain packets.
Note that since tcpdump is often run as a diagnostic utility examining
rogue network packets, this has some security implications.
>How-To-Repeat:
Run the command:
tcpdump -r broken-nfs.tcpdump
on the raw tcpdump capture included below uuencoded:
begin 664 broken-nfs.tcpdump
MU,.RH0(`!````````````-`'```!````@`=(.U.]#`"2````D@``````^'K[
MY0`%`G>UPP@`10``A`@H``!`$:[<P*@A$\"H(0'`'0@!`'`>87Q2(!$`````
M`````@`!AJ,````#````!`````$````<``````````````%-````%`````(`
M````````4```````````````'`````"+!P``#`````(```"19@5_````````
M```````_@`=(.QV^#`!"````0@`````%`G>UPP``^'K[Y0@`10``-(7G``!`
K$3%MP*@A`<"H(1,(`<`=`"#7OGQ2(!$````!`````0````$````%``````!`
`
end
>Fix:
This patch fixes the instance of the problem
discovered above. I have not reviewed the rest of the tcpdump code to
see if a problem of this form exists elsewhere.
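As an added illustration of the defect and the fix (this is not tcpdump's code; the function names parserep and parsestatus mirror the ones in the patch, but their bodies, the RPC field layout and the sample reply bytes below are constructed for this example), the following C program parses an RPC reply header and the NFS status word that follows it, returning NULL at every step where the captured bytes run out or a length field is bogus, and drives the parse from a dispatcher that tests each result before handing it on, as the patched NFSPROC_ACCESS branch does. Truncating the sample replies shows the two distinct early exits.

```c
/* Added example, not tcpdump's code: models the parserep() -> parsestatus()
 * flow of print-nfs.c with every result checked.  All names, the field
 * layout and the sample bytes are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RPC_MSG_REPLY      1
#define RPC_MSG_ACCEPTED   0
#define RPC_ACCEPT_SUCCESS 0
#define RPC_MAX_AUTH_BYTES 400   /* largest verifier RFC 1831 allows */

static uint32_t get32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Sun RPC reply: xid, msg_type, reply_stat, verifier flavor, verifier
 * length, opaque verifier (padded to 4 bytes), accept_stat.  Returns a
 * pointer to the NFS result that follows, or NULL when the capture is
 * truncated or the header is not an accepted, successful reply. */
const uint8_t *parserep(const uint8_t *buf, size_t len) {
    const uint8_t *p = buf, *end = buf + len;
    if (end - p < 20) return NULL;                 /* five fixed words */
    if (get32(p + 4) != RPC_MSG_REPLY || get32(p + 8) != RPC_MSG_ACCEPTED)
        return NULL;
    uint32_t vlen = get32(p + 16);
    p += 20;
    if (vlen > RPC_MAX_AUTH_BYTES || (size_t)(end - p) < vlen)
        return NULL;                               /* bogus verifier length */
    p += (vlen + 3) & ~3u;                         /* XDR pads opaque data */
    if (end - p < 4) return NULL;                  /* accept_stat missing */
    if (get32(p) != RPC_ACCEPT_SUCCESS) return NULL;
    return p + 4;
}

/* NFS result: first word is the status.  NULL when it is not captured. */
const uint8_t *parsestatus(const uint8_t *p, const uint8_t *end, uint32_t *er) {
    if (end - p < 4) return NULL;
    *er = get32(p);
    return p + 4;
}

/* Mirrors the fixed NFSPROC_ACCESS branch: 0 = status decoded into *status,
 * 1 = RPC header truncated/invalid (the case the patch guards),
 * 2 = header complete but the NFS status word itself is missing. */
int print_access_reply(const uint8_t *buf, size_t len, uint32_t *status) {
    const uint8_t *end = buf + len;
    const uint8_t *dp;
    printf(" access");
    if (!(dp = parserep(buf, len))) {  /* the check the patch adds */
        printf(" [|nfs]\n");
        return 1;
    }
    if (!(dp = parsestatus(dp, end, status))) {
        printf(" [|nfs]\n");
        return 2;
    }
    printf(" status %u\n", (unsigned)*status);
    return 0;
}

/* Constructed ACCESS reply: AUTH_NONE verifier, NFS_OK, access bits 0x1f. */
static const uint8_t full_reply[] = {
    0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x1f,
};

/* Constructed reply with a 5-byte verifier (padded to 8) and status 13. */
static const uint8_t padded_reply[] = {
    0x00,0x00,0x00,0x02, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x05,
    0xaa,0xbb,0xcc,0xdd,0xee, 0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x0d,
};

int main(void) {
    uint32_t st;
    print_access_reply(full_reply, sizeof full_reply, &st);   /* status 0 */
    print_access_reply(full_reply, 12, &st);                  /* [|nfs], code 1 */
    print_access_reply(full_reply, 24, &st);                  /* [|nfs], code 2 */
    print_access_reply(padded_reply, sizeof padded_reply, &st); /* status 13 */
    print_access_reply(padded_reply, 24, &st);                /* verifier runs past end, code 1 */
    return 0;
}
```

Passing the buffer end explicitly, rather than through a global as tcpdump does, keeps each parser's bound visible at the call site; the point of the example is that once a parser can return NULL, the caller is the only place the fix can live.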
Index: print-nfs.c
===================================================================
RCS file: /cvsroot/basesrc/dist/tcpdump/print-nfs.c,v
retrieving revision 1.2
diff -u -r1.2 print-nfs.c
--- print-nfs.c 2001/06/25 19:59:59 1.2
+++ print-nfs.c 2001/07/08 07:29:35
@@ -1494,7 +1494,8 @@
case NFSPROC_ACCESS:
printf(" access");
- dp = parserep(rp, length);
+ if (!(dp = parserep(rp, length)))
+ break;
if (!(dp = parsestatus(dp, &er)))
break;
if (vflag)
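Review bot: the new `if (!(dp = parserep(rp, length))) break;` matches the `if (!(dp = parsestatus(dp, &er))) break;` guard that already follows it, so the previously unchecked `parserep()` result can no longer be handed to `parsestatus()`; since the description says the rest of the file was not reviewed, any other `case` in this switch that assigns `dp = parserep(rp, length)` without testing the result needs the same guard before this is committed, and a one-line comment saying that `parserep()` returns NULL on a truncated or malformed reply would make the reason for the early `break` clear to the next reader. As quoted here the context lines have lost their leading space, so the hunk should be applied from fresh `cvs diff -u` output rather than from this message.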
>Release-Note:
>Audit-Trail:
>Unformatted: