diff options
| author | hannes <hannes> | 2004-01-07 08:00:51 +0000 |
|---|---|---|
| committer | hannes <hannes> | 2004-01-07 08:00:51 +0000 |
| commit | e0d20f2c0824412b64738c6fa14f87bc8d0ef54d (patch) | |
| tree | 81b81bbdd74092247b0219bb5bf88bf2e1ee51b5 /print-radius.c | |
| parent | de464d5e30af607532a416432695415b1c0a8de5 (diff) | |
| download | tcpdump-e0d20f2c0824412b64738c6fa14f87bc8d0ef54d.tar.gz | |
bugfix from Jonathan Heusser <jonny@drugphish.ch>
The first critical piece of code is found in print-isakmp.c:332. The
function rawprint() does not check its arguments thus it's easy for
an attacker to pass a big 'len' or a bogus 'loc' leading to a
segmentation fault in the for loop.
The second bug is located in print-radius.c:471. The for loop of
print_attr_string() is written in an unsafe manner. 'length'
and 'data' should be checked.
Diffstat (limited to 'print-radius.c')
| -rw-r--r-- | print-radius.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/print-radius.c b/print-radius.c index 577a327f..d388a8f1 100644 --- a/print-radius.c +++ b/print-radius.c @@ -44,7 +44,7 @@ #ifndef lint static const char rcsid[] _U_ = - "$Id: print-radius.c,v 1.23 2003-12-15 13:52:15 hannes Exp $"; + "$Id: print-radius.c,v 1.24 2004-01-07 08:00:52 hannes Exp $"; #endif #ifdef HAVE_CONFIG_H @@ -476,7 +476,7 @@ print_attr_string(register u_char *data, u_int length, u_short attr_code ) break; } - for (i=0; i < length ; i++, data++) + for (i=0; *data && i < length ; i++, data++) printf("%c",(*data < 32 || *data > 128) ? '.' : *data ); return; |