Date: Thu, 20 Jan 2005 17:40:29 GMT
From: Giorgos Keramidas <keramida@freebsd.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/76497: tcpdump dumps core on ppp ipv6cp packets
Message-ID: <200501201740.j0KHeT40045638@freefall.freebsd.org>
The following reply was made to PR bin/76497; it has been noted by GNATS.

From: Giorgos Keramidas <keramida@freebsd.org>
To: Janos Mohacsi <janos.mohacsi@bsd.hu>
Cc: bug-followup@freebsd.org, matthias.andree@web.de
Subject: Re: bin/76497: tcpdump dumps core on ppp ipv6cp packets
Date: Thu, 20 Jan 2005 19:36:54 +0200

On 2005-01-20 19:29, Giorgos Keramidas <keramida@freebsd.org> wrote:
> % (gdb) bt
> % #0  0x00000000 in ?? ()
> % #1  0x0806d194 in handle_ctrl_proto (proto=32855, pptr=0x8184018 "\001\001", length=14)
> %     at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-ppp.c:447

The following patch fixed the crash for me.  At line 444, pfunc is set
to NULL for unknown types of packets, but it isn't checked against NULL
at line 447, so an attempt to call a function at address NULL is made
(this is shown as the address of the last function called in the stack
trace above).

%%%
Index: print-ppp.c
===================================================================
RCS file: /home/ncvs/src/contrib/tcpdump/print-ppp.c,v
retrieving revision 1.13
diff -u -r1.13 print-ppp.c
--- print-ppp.c	31 Mar 2004 14:57:24 -0000	1.13
+++ print-ppp.c	20 Jan 2005 17:31:33 -0000
@@ -444,7 +444,7 @@
 			pfunc = NULL;
 			break;
 		}
-		if ((j = (*pfunc)(tptr, len)) == 0)
+		if (pfunc == NULL || (j = (*pfunc)(tptr, len)) == 0)
 			break;
 		x -= j;
 		tptr += j;
%%%
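Review bot: the added `pfunc == NULL` test in the `if` is the right place for the guard, because the `break;` that follows `pfunc = NULL;` in the visible context only leaves the enclosing `switch`, not the option-walking loop, so control still reaches the indirect call with a NULL pointer. One thing worth adding next to the new condition is a one-line comment saying that an unknown option type deliberately ends decoding of the remaining options (the same outcome as a handler returning 0), so a later reader does not mistake the early `break;` for a missed case and try to "fix" it by continuing the loop without advancing `tptr`.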
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200501201740.j0KHeT40045638>
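The crash in this PR is a general pattern: a switch or table maps a packet field to a handler, the default case leaves the handler pointer NULL, and the loop calls through it anyway. The added example below is not code from the PR or from tcpdump; it is a miniature TLV option walker written to show the unguarded shape next to the guarded one that the patch introduces. All names (opt_handler_t, lookup_handler, decode_options, walk_result, the SAMPLE_* buffers) are hypothetical, and the sample byte strings are constructed for the demonstration.

```c
/* Added example, not from the PR or tcpdump: a tiny option walker in the
 * shape of the print-ppp.c loop.  Each option is type, length, payload. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A handler prints one option and returns the bytes it consumed,
 * or 0 when the option is malformed (mirrors the `== 0` check). */
typedef int (*opt_handler_t)(const uint8_t *p, size_t len);

/* Common length sanity check: need type+length, and length must fit. */
static int option_ok(const uint8_t *p, size_t len) {
    return len >= 2 && p[1] >= 2 && p[1] <= len;
}

static int handle_type1(const uint8_t *p, size_t len) {
    if (!option_ok(p, len)) return 0;
    printf("  type 1, %d bytes\n", p[1]);
    return p[1];
}

static int handle_type2(const uint8_t *p, size_t len) {
    if (!option_ok(p, len)) return 0;
    printf("  type 2, %d bytes\n", p[1]);
    return p[1];
}

/* Hypothetical lookup: NULL for an unknown type, just like the
 * `pfunc = NULL; break;` default branch described in the PR. */
static opt_handler_t lookup_handler(uint8_t type) {
    switch (type) {
    case 1: return handle_type1;
    case 2: return handle_type2;
    default: return NULL;
    }
}

typedef struct {
    int decoded;          /* options successfully printed */
    int stopped_unknown;  /* 1 if the walk ended on an unknown type */
} walk_result;

/* Pre-patch shape: the switch's break only leaves the switch, so an
 * unknown type reaches the indirect call with pfunc == NULL and the
 * process jumps to address 0.  Only safe on input with known types. */
walk_result decode_options_unguarded(const uint8_t *tptr, size_t x) {
    walk_result r = {0, 0};
    while (x >= 2) {
        opt_handler_t pfunc = lookup_handler(tptr[0]);
        int j;
        if ((j = (*pfunc)(tptr, x)) == 0)   /* NULL call on unknown type */
            break;
        r.decoded++;
        x -= j; tptr += j;
    }
    return r;
}

/* Post-patch shape: the NULL test short-circuits before the call, and an
 * unknown type ends decoding the same way a malformed option does. */
walk_result decode_options(const uint8_t *tptr, size_t x) {
    walk_result r = {0, 0};
    while (x >= 2) {
        opt_handler_t pfunc = lookup_handler(tptr[0]);
        int j;
        if (pfunc == NULL) { r.stopped_unknown = 1; break; }
        if ((j = (*pfunc)(tptr, x)) == 0)
            break;
        r.decoded++;
        x -= j; tptr += j;
    }
    return r;
}

/* Constructed sample buffers (not captured traffic). */
const uint8_t SAMPLE_KNOWN[]   = { 1, 4, 0xAA, 0xBB,  2, 3, 0x01 };
const uint8_t SAMPLE_UNKNOWN[] = { 1, 4, 0xAA, 0xBB,  2, 3, 0x01,  9, 2 };
const uint8_t SAMPLE_BADLEN[]  = { 1, 1 };   /* length shorter than header */

int main(void) {
    walk_result r;
    puts("guarded, known types:");
    r = decode_options(SAMPLE_KNOWN, sizeof SAMPLE_KNOWN);
    printf("  decoded=%d stopped_unknown=%d\n", r.decoded, r.stopped_unknown);
    puts("guarded, unknown type 9 at the end:");
    r = decode_options(SAMPLE_UNKNOWN, sizeof SAMPLE_UNKNOWN);
    printf("  decoded=%d stopped_unknown=%d\n", r.decoded, r.stopped_unknown);
    /* decode_options_unguarded(SAMPLE_UNKNOWN, ...) would crash here. */
    return 0;
}
```

The guarded walker deliberately stops at the first unknown option rather than skipping it by its length field, which matches what the patch does; a decoder that wanted to keep printing later options would have to trust the length byte of a type it does not understand, and that is a separate design decision from the NULL-pointer fix.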