From mohacsi@scone.ki.iif.hu  Thu Jan 20 12:15:44 2005
Return-Path: <mohacsi@scone.ki.iif.hu>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3637716A4CF
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 20 Jan 2005 12:15:44 +0000 (GMT)
Received: from scone.ki.iif.hu (scone.ki.iif.hu [193.6.222.31])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 79F2643D31
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 20 Jan 2005 12:15:43 +0000 (GMT)
	(envelope-from mohacsi@scone.ki.iif.hu)
Received: (from mohacsi@localhost)
	by scone.ki.iif.hu (8.13.1/8.13.1) id j0KCEf8u013594;
	Thu, 20 Jan 2005 13:14:41 +0100 (CET)
	(envelope-from mohacsi)
Message-Id: <200501201214.j0KCEf8u013594@scone.ki.iif.hu>
Date: Thu, 20 Jan 2005 13:14:41 +0100 (CET)
From: Janos Mohacsi <mohacsi@niif.hu>
Reply-To: Janos Mohacsi <janos.mohacsi@bsd.hu>
To: FreeBSD-gnats-submit@freebsd.org
Cc: matthias.andree@web.de
Subject: tcpdump dumps core on ppp ipv6cp packets
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         76497
>Category:       bin
>Synopsis:       tcpdump dumps core on ppp ipv6cp packets
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 20 12:20:26 GMT 2005
>Closed-Date:    Sat Feb 09 13:12:21 UTC 2008
>Last-Modified:  Sat Feb 09 13:12:21 UTC 2008
>Originator:     Janos Mohacsi
>Release:        FreeBSD 5.3-STABLE i386
>Organization:
NIIF/HUNGARNET
>Environment:
System: FreeBSD scone.ki.iif.hu 5.3-STABLE FreeBSD 5.3-STABLE #5: Thu Nov 11 05:45:29 CET 2004 root@scone.ki.iif.hu:/usr/obj/usr/src/sys/SCONE i386

>Description:
	tcpdumps dumps core on the ip6cp packets. On FreeBSD 5.3 the ip6cp packet dumps core while on FreeBSD 4.9 says:
	07:34:56.393507 PPPoE  [ses 0xddfb]

	FreeBSD 5.3 uses: tcpdump 3.8.3
	FreeBSD 4.9 uses: tcpdump 3.7.2

	probably this has been already reported in pr=71453

>How-To-Repeat:
	Try to read into the tcpdump the attached uuencoded ip6cp packet.


begin 644 ip6cp_packet
MU,.RH0(`!````````````/__```!````$%'O02,!!@`\````/``````"/SM!
M^@`*0DOL'(AD$0#=^P`0@%<!`0`.`0H``````````0``````````````````
*````````````````
`
end

>Fix:
Import basic ipv6cp support from: 
http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-ppp.c?r1=1.102&r2=1.103



>Release-Note:
>Audit-Trail:

From: Giorgos Keramidas <keramida@freebsd.org>
To: Janos Mohacsi <janos.mohacsi@bsd.hu>
Cc: bug-followup@freebsd.org, matthias.andree@web.de
Subject: Re: bin/76497: tcpdump dumps core on ppp ipv6cp packets
Date: Thu, 20 Jan 2005 19:29:15 +0200

 On 2005-01-20 13:14, Janos Mohacsi <mohacsi@niif.hu> wrote:
 > Try to read into the tcpdump the attached uuencoded ip6cp packet.
 >
 > begin 644 ip6cp_packet
 > MU,.RH0(`!````````````/__```!````$%'O02,!!@`\````/``````"/SM!
 > M^@`*0DOL'(AD$0#=^P`0@%<!`0`.`0H``````````0``````````````````
 > *````````````````
 > `
 > end
 
 True!
 
 This makes tcpdump segfault in CURRENT too.  Building an unstripped,
 debug version of tcpdump gives:
 
 % (gdb) bt
 % #0  0x00000000 in ?? ()
 % #1  0x0806d194 in handle_ctrl_proto (proto=32855, pptr=0x8184018 "\001\001", length=14)
 %     at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-ppp.c:447
 % #2  0x0806e477 in handle_ppp (proto=0, p=0x8184018 "\001\001", length=14)
 %     at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-ppp.c:1064
 % #3  0x0806e5fb in ppp_print (p=0x8184018 "\001\001", length=14)
 %     at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-ppp.c:1146
 % #4  0x0806eac0 in pppoe_print (bp=0x8184010 "\021", length=46)
 %     at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-pppoe.c:212
 % #5  0x0805aacf in ether_encap_print (ether_type=34916, p=0x8184010 "\021", length=46, caplen=46, extracted_ether_type=0xbfbfe73a)
 %     at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-ether.c:257
 % #6  0x0805a5e1 in ether_print (p=0x8184010 "\021", length=46, caplen=46)
 %     at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-ether.c:142
 % #7  0x0805a723 in ether_if_print (h=0x0, p=0x8184002 "")
 %     at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-ether.c:162
 % #8  0x08083724 in print_packet (user=0x0, h=0xbfbfe7e0, sp=0x8184002 "")
 %     at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/tcpdump.c:1010
 % #9  0x280d69a6 in pcap_offline_read () from /usr/lib/libpcap.so.3
 % #10 0x280e2750 in pcap_loop () from /usr/lib/libpcap.so.3
 % #11 0x0808321f in main (argc=3, argv=0x80836f0) at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/tcpdump.c:803
 

From: Giorgos Keramidas <keramida@freebsd.org>
To: Janos Mohacsi <janos.mohacsi@bsd.hu>
Cc: bug-followup@freebsd.org, matthias.andree@web.de
Subject: Re: bin/76497: tcpdump dumps core on ppp ipv6cp packets
Date: Thu, 20 Jan 2005 19:36:54 +0200

 On 2005-01-20 19:29, Giorgos Keramidas <keramida@freebsd.org> wrote:
 > % (gdb) bt
 > % #0  0x00000000 in ?? ()
 > % #1  0x0806d194 in handle_ctrl_proto (proto=32855, pptr=0x8184018 "\001\001", length=14)
 > %     at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-ppp.c:447
 
 The following patch fixed the crash for me.  At line 444, pfunc is set
 to NULL for unknown types of packets, but it isn't checked against
 NULL at line 447, so an attempt to call a function at address NULL is
 made (this is shown as the address of the last function called in the
 stack trace above).
 
 %%%
 Index: print-ppp.c
 ===================================================================
 RCS file: /home/ncvs/src/contrib/tcpdump/print-ppp.c,v
 retrieving revision 1.13
 diff -u -r1.13 print-ppp.c
 --- print-ppp.c	31 Mar 2004 14:57:24 -0000	1.13
 +++ print-ppp.c	20 Jan 2005 17:31:33 -0000
 @@ -444,7 +444,7 @@
  				pfunc = NULL;
  				break;
  			}
 -			if ((j = (*pfunc)(tptr, len)) == 0)
 +			if (pfunc == NULL || (j = (*pfunc)(tptr, len)) == 0)
  				break;
  			x -= j;
  			tptr += j;
 %%%

From: Mohacsi Janos <mohacsi@niif.hu>
To: Giorgos Keramidas <keramida@freebsd.org>
Cc: Janos Mohacsi <janos.mohacsi@bsd.hu>, bug-followup@freebsd.org,
	matthias.andree@web.de
Subject: Re: bin/76497: tcpdump dumps core on ppp ipv6cp packets
Date: Thu, 20 Jan 2005 18:42:01 +0100 (CET)

 The problem lies in the logic of the print-ppp. If it does not found a 
 suitable protocol switch default sets the decoding function (pfunc) to 
 NULL and then call it. The latest CVS version of print-ppp.c of tcpdump 
 already handles ipv6cp properly and catches null pointer if unknown CP is 
 found.
 
 
 
 On Thu, 20 Jan 2005, Giorgos Keramidas wrote:
 
 > On 2005-01-20 13:14, Janos Mohacsi <mohacsi@niif.hu> wrote:
 >> Try to read into the tcpdump the attached uuencoded ip6cp packet.
 >>
 >> begin 644 ip6cp_packet
 >> MU,.RH0(`!````````````/__```!````$%'O02,!!@`\````/``````"/SM!
 >> M^@`*0DOL'(AD$0#=^P`0@%<!`0`.`0H``````````0``````````````````
 >> *````````````````
 >> `
 >> end
 >
 > True!
 >
 > This makes tcpdump segfault in CURRENT too.  Building an unstripped,
 > debug version of tcpdump gives:
 >
 > % (gdb) bt
 > % #0  0x00000000 in ?? ()
 > % #1  0x0806d194 in handle_ctrl_proto (proto=32855, pptr=0x8184018 "\001\001", length=14)
 > %     at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-ppp.c:447
 > % #2  0x0806e477 in handle_ppp (proto=0, p=0x8184018 "\001\001", length=14)
 > %     at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-ppp.c:1064
 > % #3  0x0806e5fb in ppp_print (p=0x8184018 "\001\001", length=14)
 > %     at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-ppp.c:1146
 > % #4  0x0806eac0 in pppoe_print (bp=0x8184010 "\021", length=46)
 > %     at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-pppoe.c:212
 > % #5  0x0805aacf in ether_encap_print (ether_type=34916, p=0x8184010 "\021", length=46, caplen=46, extracted_ether_type=0xbfbfe73a)
 > %     at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-ether.c:257
 > % #6  0x0805a5e1 in ether_print (p=0x8184010 "\021", length=46, caplen=46)
 > %     at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-ether.c:142
 > % #7  0x0805a723 in ether_if_print (h=0x0, p=0x8184002 "")
 > %     at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-ether.c:162
 > % #8  0x08083724 in print_packet (user=0x0, h=0xbfbfe7e0, sp=0x8184002 "")
 > %     at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/tcpdump.c:1010
 > % #9  0x280d69a6 in pcap_offline_read () from /usr/lib/libpcap.so.3
 > % #10 0x280e2750 in pcap_loop () from /usr/lib/libpcap.so.3
 > % #11 0x0808321f in main (argc=3, argv=0x80836f0) at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/tcpdump.c:803
 >
 >
 
 Janos Mohacsi
 Network Engineer, Research Associate
 NIIF/HUNGARNET, HUNGARY
 Key 00F9AF98: 8645 1312 D249 471B DBAE  21A2 9F52 0D1F 00F9 AF98
 

From: Giorgos Keramidas <keramida@freebsd.org>
To: Matthias Andree <matthias.andree@web.de>
Cc: Janos Mohacsi <janos.mohacsi@bsd.hu>, bug-followup@freebsd.org
Subject: Re: bin/76497: tcpdump dumps core on ppp ipv6cp packets
Date: Thu, 20 Jan 2005 19:59:33 +0200

 On 2005-01-20 18:50, Matthias Andree <matthias.andree@web.de> wrote:
 >Giorgos Keramidas wrote:
 >>On 2005-01-20 13:14, Janos Mohacsi <mohacsi@niif.hu> wrote:
 >>> Try to read into the tcpdump the attached uuencoded ip6cp packet.
 >>>
 >>> begin 644 ip6cp_packet
 >>> MU,.RH0(`!````````````/__```!````$%'O02,!!@`\````/``````"/SM!
 >>> M^@`*0DOL'(AD$0#=^P`0@%<!`0`.`0H``````````0``````````````````
 >>> *````````````````
 >>> `
 >>> end
 >>
 >> This makes tcpdump segfault in CURRENT too.  Building an unstripped,
 >> debug version of tcpdump gives:
 >
 > Wasn't this already patched for FreeBSD 5? If so, why not just merge
 > 5->4 or import the patch from the vendor repo?
 
 The bug is there in RELENG_5 too.  I had a CURRENT workstation near so
 I tested things on 6.X, but the HEAD revision of print-ppp.c is the
 same as the one on RELENG_5.
 

From: Matthias Andree <matthias.andree@web.de>
To: Giorgos Keramidas <keramida@freebsd.org>
Cc: Janos Mohacsi <janos.mohacsi@bsd.hu>, bug-followup@freebsd.org
Subject: Re: bin/76497: tcpdump dumps core on ppp ipv6cp packets
Date: Thu, 20 Jan 2005 18:50:16 +0100

 Giorgos Keramidas wrote:
 > On 2005-01-20 13:14, Janos Mohacsi <mohacsi@niif.hu> wrote:
 >>Try to read into the tcpdump the attached uuencoded ip6cp packet.
 >>
 >>begin 644 ip6cp_packet
 >>MU,.RH0(`!````````````/__```!````$%'O02,!!@`\````/``````"/SM!
 >>M^@`*0DOL'(AD$0#=^P`0@%<!`0`.`0H``````````0``````````````````
 >>*````````````````
 >>`
 >>end
 > 
 > True!
 > 
 > This makes tcpdump segfault in CURRENT too.  Building an unstripped,
 > debug version of tcpdump gives:
 
 Wasn't this already patched for FreeBSD 5? If so, why not just merge 
 5->4 or import the patch from the vendor repo?

From: Matthias Andree <matthias.andree@gmx.de>
To: freebsd-gnats-submit@FreeBSD.org, janos.mohacsi@bsd.hu
Cc:  
Subject: Re: bin/76497: tcpdump dumps core on ppp ipv6cp packets
Date: Sun, 23 Jan 2005 18:03:01 +0100

 Now that bin/71453 (the older PR) has been closed as "duplicate" (that 
 was backwards but anyways), a more immediate bug fix might be the import of
 
  http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-ppp.c?r1=1.89.2.3&r2=1.89.2.4 <http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-ppp.c?r1=1.89.2.3%26r2=1.89.2.4>
 
 which may be less intrusive.
 
State-Changed-From-To: open->patched 
State-Changed-By: bms 
State-Changed-When: Mon Jan 24 14:56:48 GMT 2005 
State-Changed-Why:  
This fix has been committed to the tcpdump port, and an appropriate 
fix has been committed to tcpdump in HEAD, pending MFC/MT4. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=76497 

From: janos.mohacsi@bsd.hu
To: bug-followup@FreeBSD.org, janos.mohacsi@bsd.hu
Cc:  
Subject: Re: bin/76497: tcpdump dumps core on ppp ipv6cp pack
Date: Fri, 15 Apr 2005 11:51:00 +0200 (CEST)

 You can close this PR. It has been resolved.
 
State-Changed-From-To: patched->closed 
State-Changed-By: linimon 
State-Changed-When: Fri Apr 15 12:17:35 GMT 2005 
State-Changed-Why:  
Submitter notes problem has been resolved. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=76497 
State-Changed-From-To: closed->patched 
State-Changed-By: linimon 
State-Changed-When: Fri Apr 15 12:19:19 GMT 2005 
State-Changed-Why:  
A subsequent poster notes that the MFC is not yet done, so I should have 
left this alone. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=76497 

From: Gavin Atkinson <gavin.atkinson@ury.york.ac.uk>
To: bug-followup@FreeBSD.org, janos.mohacsi@bsd.hu
Cc: bms@FreeBSD.org
Subject: Re: bin/76497: tcpdump dumps core on ppp ipv6cp packets
Date: Tue, 01 May 2007 13:47:22 +0100

 This was fixed by bms in src/contrib/tcpdump/print-ppp.c 1.14 and is
 fixed in all 6.x releases, but was never MFC'd.  Somebody needs to
 determine if a DoS in FreeBSD 5.x tcpdump is worth fixing, and either
 MFC or close this PR.
State-Changed-From-To: patched->closed 
State-Changed-By: remko 
State-Changed-When: Sat Feb 9 13:12:20 UTC 2008 
State-Changed-Why:  
This needs MFC to RELENG_5, though I would like people facing this to 
encourage them to use FreeBSD-6 and/or FreeBSD-7 (preferred) since in 
the not too long future REL_5 will no longer be supported. Close the 
ticket for those reasons 

http://www.freebsd.org/cgi/query-pr.cgi?pr=76497 
>Unformatted:
