[tcpdump-workers] tcpdump 4.7.4 does not detect truncated PAP AACK

Michael Haardt michael at moria.de
Tue Dec 15 12:39:03 EST 2015


Hello,

I sent this before, but got no response.  Wireshark correctly detects
truncated authentication ACKs for PAP in PPP, but tcpdump does not.

I attach a sample pcap file and a working patch, although I am not
entirely sure about the latter.

Michael
-------------- next part --------------
--- print-ppp.c.orig	2015-03-09 20:07:01.000000000 +0100
+++ print-ppp.c	2015-12-15 18:27:50.071683298 +0100
@@ -971,6 +971,13 @@
 		break;
 	case PAP_AACK:
 	case PAP_ANAK:
+                /* Although some implementations ignore truncation at
+                 * this point and at least one generates a truncated
+                 * packet, RFC 1334 section 2.2.2 clearly states that
+                 * both AACK and ANAK are at least 5 bytes long.
+                 */
+                if (len < 5)
+                        goto trunc;
 		if (length - (p - p0) < 1)
 			return;
 		ND_TCHECK(*p);
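Review bot: The new `if (len < 5)` check tests `len`, but the existing check directly below it tests `length - (p - p0)`, so from this hunk it is not clear that the new test bounds the bytes actually available at `p`. If `len` holds the Length field taken from the packet, a packet that declares 5 or more but carries fewer bytes would pass this test and still hit the silent `return` on the next check without being reported as truncated. Consider testing the remaining length as well, or state in the comment which quantity `len` is. The constant 5 would be easier to verify if the comment named the fields it counts rather than only citing RFC 1334 section 2.2.2. The added lines are also indented with spaces where the surrounding lines use tabs.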

