From b.candler@pobox.com  Thu Mar 13 08:59:09 2003
Return-Path: <b.candler@pobox.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id BBA2E37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 13 Mar 2003 08:59:09 -0800 (PST)
Received: from internal.mail.uk.tiscali.com (internal.mail.uk.tiscali.com [212.74.96.51])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1BCA143F93
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 13 Mar 2003 08:59:09 -0800 (PST)
	(envelope-from b.candler@pobox.com)
Received: from [10.44.66.12] (helo=bloodhound.uk.tiscali.com)
	by internal.mail.uk.tiscali.com with esmtp (Exim 4.12)
	id 18tW2t-0007Ht-00
	for FreeBSD-gnats-submit@freebsd.org; Thu, 13 Mar 2003 16:59:07 +0000
Received: from telinco by bloodhound.uk.tiscali.com with local (Exim 4.12)
	id 18tW2e-000HvP-00
	for FreeBSD-gnats-submit@freebsd.org; Thu, 13 Mar 2003 16:58:52 +0000
Message-Id: <E18tW2e-000HvP-00@bloodhound.uk.tiscali.com>
Date: Thu, 13 Mar 2003 16:58:52 +0000
From: B.Candler@pobox.com
Reply-To: B.Candler@pobox.com
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: tcpdump pointer error when decoding radius acct-status-type
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         49990
>Category:       bin
>Synopsis:       tcpdump pointer error when decoding radius acct-status-type
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 13 09:00:33 PST 2003
>Closed-Date:    Thu Mar 13 13:52:19 PST 2003
>Last-Modified:  Thu Mar 13 13:52:19 PST 2003
>Originator:     B.Candler@pobox.com
>Release:        FreeBSD 4.7-RELEASE i386
>Organization:
>Environment:
System: FreeBSD bloodhound 4.7-RELEASE FreeBSD 4.7-RELEASE #0: Sat Oct 12 16:58:24 BST 2002 root@bloodhound.uk.worldonline.com:/u/src/sys/compile/BLOODHOUND i386

>Description:

tcpdump incorrectly decodes Acct-Status-Type in RADIUS accounting packets.
It appears to be accessing the wrong part of the packet to get a value. In
the following example it is off-by-one:

16:33:08.693992 xxxx > xxxx:  rad-account-req 183 [id 234] Attr[  Acct_status{#3076} NAS_ipaddr{... etc
0x0020   56c1 2cc3 a468 9343 866a ecbd b128 f06d        V.,..h.C.j...(.m
0x0030   2806 0000 000c 0406 xxxx xxxx xxxx xxxx        (.......P..!)...
              ^^^^^^^^^

The correct Acct-Status-Type here is 12
  28       = attribute #40
  06       = length
  0000000c = type 12 <<<

However, it has been decoded as 3076, which is 00000c04.

It's not just off-by-one though (e.g. in the next packet I saw
Acct_status{#507} where the sequence 00000205 exists but at an offset of 21
bytes)

>How-To-Repeat:

Run:
   tcpdump -i fxp0 -n -X -s1500 udp port 1813

with a suitable stream of accounting packets coming in (or use radtest)

>Fix:

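As an added illustration, not tcpdump's code and not part of this report, here is a bounds-checked walk over RADIUS attributes, run on a constructed fragment that carries the report's Acct-Status-Type bytes (28 06 00 00 00 0c) followed by a NAS-IP-Address attribute with a placeholder address. It shows the correct decode, 12, next to the read that starts one byte late and yields 3076 (00000c04), and it refuses any attribute whose length runs past the buffer.

```c
/* Added example (not tcpdump's code): bounds-checked walk over RADIUS attributes,
 * run on a constructed fragment holding the report's Acct-Status-Type bytes. */
#include <stdint.h>
#include <stdio.h>

#define RAD_ATTR_ACCT_STATUS_TYPE 40   /* RFC 2866 attribute number */
/* Big-endian 32-bit read; caller guarantees 4 bytes are available. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Each attribute is Type(1) Length(1, counts itself and Type) Value(Length-2).
 * Returns 1 and stores the value when a well-formed Acct-Status-Type is found. */
int find_acct_status_type(const uint8_t *attrs, size_t len, uint32_t *out)
{
    size_t off = 0;
    while (off + 2 <= len) {
        uint8_t type = attrs[off];
        uint8_t alen = attrs[off + 1];
        if (alen < 2 || off + alen > len)   /* malformed: never read past len */
            return 0;
        if (type == RAD_ATTR_ACCT_STATUS_TYPE) {
            if (alen != 6)                  /* integer attribute is exactly 4 bytes */
                return 0;
            *out = be32(attrs + off + 2);   /* value starts after the 2-byte header */
            return 1;
        }
        off += alen;                        /* advance by the full attribute length */
    }
    return 0;
}

/* Constructed sample: the attribute from the report (28 06 00 00 00 0c) followed
 * by a NAS-IP-Address attribute (type 4) carrying a placeholder address. */
static const uint8_t sample[] = {
    0x28, 0x06, 0x00, 0x00, 0x00, 0x0c,     /* Acct-Status-Type = 12 */
    0x04, 0x06, 0xc0, 0x00, 0x02, 0x01,     /* NAS-IP-Address 192.0.2.1 */
};
int main(void)
{
    uint32_t v = 0;
    if (find_acct_status_type(sample, sizeof sample, &v))
        printf("Acct-Status-Type = %u\n", (unsigned)v);           /* 12 */
    /* Starting one byte late, as the report's output implies, reads 00 00 0c 04. */
    printf("misaligned read = %u\n", (unsigned)be32(sample + 3)); /* 3076 */
    return 0;
}
```
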
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: dwmalone 
State-Changed-When: Thu Mar 13 13:38:17 PST 2003 
State-Changed-Why:  
Bill Fenner has just imported tcpdump 3.7.2 for 4.8 release, and 
there were changes to the radius parsing code, so it may now be 
fixed. If the bug persists, it probably makes sense to report it 
to the folks at tcpdump.org, so they can fix it on all platforms. 

David. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=49990 

From: Brian Candler <B.Candler@pobox.com>
To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org
Cc:  
Subject: Re: bin/49990: tcpdump pointer error when decoding radius acct-status-type
Date: Thu, 13 Mar 2003 21:49:49 +0000

 My apologies. The machine I was testing was actually running FreeBSD-4.6.2
 and this problem has since been fixed, as copying a 4.7 binary onto it makes
 it work properly.
 
 Please close...
State-Changed-From-To: feedback->closed 
State-Changed-By: dwmalone 
State-Changed-When: Thu Mar 13 13:51:37 PST 2003 
State-Changed-Why:  
A tcpdump import somewhere between 4.6.2 and 4.7 fixed the problem. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=49990 
>Unformatted:
