[tcpdump-workers] tcpdump 4.7.4 does not detect truncated PAP AACK
Michael Haardt
michael at moria.de
Tue Dec 15 12:39:03 EST 2015
Hello,
I sent this before, but got no response. Wireshark correctly detects
truncated authentication ACKs for PAP in PPP, but tcpdump does not.
I attach a sample pcap file and a working patch, although I am not
entirely sure about the latter.
Michael
-------------- next part --------------
--- print-ppp.c.orig 2015-03-09 20:07:01.000000000 +0100
+++ print-ppp.c 2015-12-15 18:27:50.071683298 +0100
@@ -971,6 +971,13 @@
break;
case PAP_AACK:
case PAP_ANAK:
+ /* Although some implementations ignore truncation at
+ * this point and at least one generates a truncated
+ * packet, RFC 1334 section 2.2.2 clearly states that
+ * both AACK and ANAK are at least 5 bytes long.
+ */
+ if (len < 5)
+ goto trunc;
if (length - (p - p0) < 1)
return;
ND_TCHECK(*p);
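Review bot: the added `if (len < 5)` test checks `len`, while the existing check directly below it measures `length - (p - p0)` and exits with a plain `return` rather than `goto trunc`, so two adjacent length checks use different quantities and different failure paths. If `len` is the length value declared in the PAP header, a value under 5 describes a packet that announces an invalid length, which is not the same condition as captured data running out; please confirm that `trunc` is the intended output for that case, or report it as an invalid length instead. The new comment should also say which length the 5 bytes refers to. Finally, with this check in place an AACK or ANAK whose `len` is 5 or more but whose remaining data fails `length - (p - p0) < 1` still hits the silent `return`, so consider giving that path the same truncation marker.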