Subject: bin/3882: tcpdump prints uninitialized buffer if it gets an unknown ICMP code
To: None <gnats-bugs@gnats.netbsd.org>
From: Dave Huang <khym@bga.com>
List: netbsd-bugs
Date: 07/17/1997 16:35:31
>Number:         3882
>Category:       bin
>Synopsis:       tcpdump prints uninitialized buffer if it gets an unknown ICMP code
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jul 17 14:50:01 1997
>Last-Modified:
>Originator:     Dave Huang
>Organization:
Name: Dave Huang     |   Mammal, mammal / their names are called /
INet: khym@bga.com   |   they raise a paw / the bat, the cat /
FurryMUCK: Dahan     |   dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 21 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++
>Release:        NetBSD-current as of July 17, 1997
>Environment:
System: NetBSD dahan.metonymy.com 1.2G NetBSD 1.2G (SPIFF) #63: Tue Jul 15 19:30:39 CDT 1997 khym@dahan.metonymy.com:/usr/src.local/sys/arch/i386/compile/SPIFF i386

>Description:
If tcpdump gets an ICMP packet with a code it doesn't know about,
it'll print junk from an uninitialized buffer instead of a more useful
message.
>How-To-Repeat:
I've only seen the problem with ICMP destination unreachable, with a
code of 13, but it looks like it'd happen with other ICMP types too.

www.dejanews.com's firewall seems to send these out... here's a
tcpdump from a "ping www.dejanews.com":

tcpdump: listening on ppp0
16:06:43.759946 max1-240.aip.realtime.net > dejanews.com: icmp: echo request
16:06:44.107926 router3-128.realtime.net > max1-240.aip.realtime.net: icmp: ąŁ@`@@LG
16:06:44.760549 max1-240.aip.realtime.net > dejanews.com: icmp: echo request
16:06:45.180210 router3-128.realtime.net > max1-240.aip.realtime.net: icmp: ąŁ@`@@LG

>Fix:
Here's a patch which fills in the switch statements with all the codes
that I know about, and adds a default case to catch any weird packets.
Where do destination unreachable codes 13 through 15 come from
anyways? They're not in Assigned Numbers, but it seems like a lot of
routers/firewalls send out code 13. I grabbed the descriptions for
13-15 from ping.c...

--- /usr/src/usr.sbin/tcpdump/print-icmp.c	Sun Mar 16 06:31:16 1997
+++ print-icmp.c	Thu Jul 17 16:20:32 1997
@@ -135,6 +135,57 @@
 				"%s unreachable - source route failed",
 				ipaddr_string(&dp->icmp_ip.ip_dst));
 			break;
+		case ICMP_UNREACH_NET_UNKNOWN:
+			(void)sprintf(buf, "destination net %s unknown",
+			    ipaddr_string(&dp->icmp_ip.ip_dst));
+			break;
+		case ICMP_UNREACH_HOST_UNKNOWN:
+			(void)sprintf(buf, "destination host %s unknown",
+			    ipaddr_string(&dp->icmp_ip.ip_dst));
+			break;
+		case ICMP_UNREACH_ISOLATED:
+			(void)sprintf(buf,
+			    "%s unreachable - source host isolated",
+			    ipaddr_string(&dp->icmp_ip.ip_dst));
+			break;
+		case ICMP_UNREACH_NET_PROHIB:
+			(void)sprintf(buf,
+			    "communication with net %s administratively "
+			    "prohibited", ipaddr_string(&dp->icmp_ip.ip_dst));
+			break;
+		case ICMP_UNREACH_HOST_PROHIB:
+			(void)sprintf(buf,
+			    "communication with host %s administratively "
+			    "prohibited", ipaddr_string(&dp->icmp_ip.ip_dst));
+			break;
+		case ICMP_UNREACH_TOSNET:
+			(void)sprintf(buf, "net %s unreachable for TOS",
+			    ipaddr_string(&dp->icmp_ip.ip_dst));
+			break;
+		case ICMP_UNREACH_TOSHOST:
+			(void)sprintf(buf, "host %s unreachable for TOS",
+			    ipaddr_string(&dp->icmp_ip.ip_dst));
+			break;
+		case 13:
+			(void)sprintf(buf,
+			    "%s unreachable - communication prohibited",
+			    ipaddr_string(&dp->icmp_ip.ip_dst));
+			break;
+		case 14:
+			(void)sprintf(buf,
+			    "%s unreachable - host precedence violation",
+			    ipaddr_string(&dp->icmp_ip.ip_dst));
+			break;
+		case 15:
+			(void)sprintf(buf,
+			    "%s unreachable - precedence cutoff",
+			    ipaddr_string(&dp->icmp_ip.ip_dst));
+			break;
+		default:
+			(void)sprintf(buf,
+			    "%s unreachable - unknown code %d",
+			    ipaddr_string(&dp->icmp_ip.ip_dst),
+			    dp->icmp_code);
 		}
 		break;
 	case ICMP_SOURCEQUENCH:
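Review bot: the three new labels `case 13:`, `case 14:` and `case 15:` use bare numbers while every sibling label in this switch uses an ICMP_UNREACH_* constant; give them named constants (from the system ip_icmp.h if it already defines names for these codes, otherwise local #defines beside the other codes) so the mapping stays self-documenting. Two smaller points: the new `default:` is the only branch without a trailing `break;`, harmless as the last label but inconsistent with its siblings, and all the new branches fill `buf` through unbounded `sprintf`; if `buf` is a fixed-size array, `snprintf(buf, sizeof buf, ...)` would keep the output bounded even if the message text or the `ipaddr_string()` result grows.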
@@ -163,6 +214,12 @@
 				       ipaddr_string(&dp->icmp_ip.ip_dst),
 				       ipaddr_string(&dp->icmp_gwaddr));
 			break;
+		default:
+			(void)sprintf(buf,
+			    "redirect-unknown code %d - %s to %s",
+			    ipaddr_string(&dp->icmp_ip.ip_dst),
+			    ipaddr_string(&dp->icmp_gwaddr));
+			break;
 		}
 		break;
 	case ICMP_ECHO:
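Review bot: the new `default:` branch has a format/argument mismatch. The format `"redirect-unknown code %d - %s to %s"` contains three conversions, but only two arguments follow it (`ipaddr_string(&dp->icmp_ip.ip_dst)` and `ipaddr_string(&dp->icmp_gwaddr)`), so `%d` consumes the first address pointer as an int and the final `%s` reads an argument that was never passed. That is undefined behaviour and will print garbage or crash, the same class of bug this PR sets out to fix. Insert `dp->icmp_code` as the first argument after the format string, matching the `"time exceeded - unknown code %d"` case in the next hunk.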
@@ -177,6 +234,9 @@
 		case ICMP_TIMXCEED_REASS:
 			str = "ip reassembly time exceeded";
 			break;
+		default:
+			(void)sprintf(buf, "time exceeded - unknown code %d",
+			    dp->icmp_code);
 		}
 		break;
 	case ICMP_PARAMPROB:
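Review bot: the sibling cases in this switch assign a string literal to `str`, but the new `default:` writes into `buf` and never assigns `str`. Unless `str` already points at `buf` before the switch (not visible in this hunk), the formatted message is never used and an unknown code still prints whatever `str` held. Either add `str = buf;` after the `sprintf`, or confirm the initialisation and say so in the commit message. A closing `break;` would also match the other cases.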

>Audit-Trail:
>Unformatted: