From owner-freebsd-bugs@FreeBSD.ORG  Thu Jan 20 17:40:29 2005
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A4E8A16A4CE
	for <freebsd-bugs@hub.freebsd.org>;
	Thu, 20 Jan 2005 17:40:29 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8AD1643D58
	for <freebsd-bugs@hub.freebsd.org>;
	Thu, 20 Jan 2005 17:40:29 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.1/8.13.1) with ESMTP id j0KHeTli045639
	for <freebsd-bugs@freefall.freebsd.org>; Thu, 20 Jan 2005 17:40:29 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.1/8.13.1/Submit) id j0KHeT40045638;
	Thu, 20 Jan 2005 17:40:29 GMT
	(envelope-from gnats)
Date: Thu, 20 Jan 2005 17:40:29 GMT
Message-Id: <200501201740.j0KHeT40045638@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Giorgos Keramidas <keramida@freebsd.org>
Subject: Re: bin/76497: tcpdump dumps core on ppp ipv6cp packets
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Giorgos Keramidas <keramida@freebsd.org>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jan 2005 17:40:29 -0000

The following reply was made to PR bin/76497; it has been noted by GNATS.

From: Giorgos Keramidas <keramida@freebsd.org>
To: Janos Mohacsi <janos.mohacsi@bsd.hu>
Cc: bug-followup@freebsd.org, matthias.andree@web.de
Subject: Re: bin/76497: tcpdump dumps core on ppp ipv6cp packets
Date: Thu, 20 Jan 2005 19:36:54 +0200

 On 2005-01-20 19:29, Giorgos Keramidas <keramida@freebsd.org> wrote:
 > % (gdb) bt
 > % #0  0x00000000 in ?? ()
 > % #1  0x0806d194 in handle_ctrl_proto (proto=32855, pptr=0x8184018 "\001\001", length=14)
 > %     at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-ppp.c:447
 
 The following patch fixed the crash for me.  At line 444, pfunc is set
 to NULL for unknown types of packets, but it isn't checked against
 NULL at line 447, so an attempt to call a function at address NULL is
 made (this is shown as the address of the last function called in the
 stack trace above).
 
 %%%
 Index: print-ppp.c
 ===================================================================
 RCS file: /home/ncvs/src/contrib/tcpdump/print-ppp.c,v
 retrieving revision 1.13
 diff -u -r1.13 print-ppp.c
 --- print-ppp.c	31 Mar 2004 14:57:24 -0000	1.13
 +++ print-ppp.c	20 Jan 2005 17:31:33 -0000
 @@ -444,7 +444,7 @@
  				pfunc = NULL;
  				break;
  			}
 -			if ((j = (*pfunc)(tptr, len)) == 0)
 +			if (pfunc == NULL || (j = (*pfunc)(tptr, len)) == 0)
  				break;
  			x -= j;
  			tptr += j;
 %%%