Subject: bin/13407: tcpdump crashes trying to print certain nfs packets
To: None <gnats-bugs@gnats.netbsd.org>
From: None <dbj@netbsd.org>
List: netbsd-bugs
Date: 07/08/2001 03:30:55
>Number:         13407
>Category:       bin
>Synopsis:       tcpdump crashes trying to print certain nfs packets
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jul 08 00:31:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Darrin B. Jewell
>Release:        NetBSD 1.5.1, also -current updated via cvs ~20010626
>Organization:
unorganized
>Environment:
	
System: NetBSD rocinante.zlz.net 1.5.1 NetBSD 1.5.1 (ROCINANTE) #7: Mon Jun 18 03:37:42 EDT 2001 dbj@rocinante.zlz.net:/u0/usr/src/sys/arch/i386/compile/ROCINANTE i386

>Description:

While trying to debug Mac OS X as an NFS client, I observed that
tcpdump would repeatably core dump trying to print out certain packets.

Note that since tcpdump is often run as a diagnostic utility examining
rogue network packets, this has some security implications.

>How-To-Repeat:

Run the command:
tcpdump -r broken-nfs.tcpdump
on the raw tcpdump capture included below uuencoded:


>Fix:

This patch fixes the instance of the problem
discovered above.  I have not reviewed the rest of the tcpdump code to
see if a problem of this form exists elsewhere.

Index: print-nfs.c
===================================================================
RCS file: /cvsroot/basesrc/dist/tcpdump/print-nfs.c,v
retrieving revision 1.2
diff -u -r1.2 print-nfs.c
--- print-nfs.c 2001/06/25 19:59:59     1.2
+++ print-nfs.c 2001/07/08 07:29:35
@@ -1494,7 +1494,8 @@
 
        case NFSPROC_ACCESS:
                printf(" access");
-               dp = parserep(rp, length);
+               if (!(dp = parserep(rp, length)))
+                       break;
                if (!(dp = parsestatus(dp, &er)))
                        break;
                if (vflag)
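Review bot: the added NULL check on parserep() in the NFSPROC_ACCESS case is correct and mirrors the existing `if (!(dp = parsestatus(dp, &er))) break;` guard two lines below, which is what stops a truncated or malformed reply from being dereferenced; since the report states the other cases were not audited, every other switch arm that assigns `dp = parserep(rp, length);` and then passes dp onward should get the same `if (!(dp = parserep(rp, length))) break;` guard rather than fixing only this one instance.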
>Release-Note:
>Audit-Trail:
>Unformatted: