From: Matthew Franz [mailto:mfranz@xxxxxxxxx]
Sent: Tuesday, December 12, 2000 3:04 PM
> >
> > which version of Ethereal are you referring to with your statement? Also
> > sample packets or traces that demonstrate the problem would be most
> > welcome. Thanks for your help.
> >
>
> Regarding DNS, I was doing things like (this didn't crash it)
>
> # sendip 192.168.0.1 -is 192.168.0.50 -p UDP -us 53 -ul 100 -ud 53 -d
> aabbccdd
>
> 09:30:20.215437 192.168.0.50.53 > 192.168.0.1.53: 43707 updataA Resp13*
> [0q] 0/0/0 (4)
> 0x0000 4500 0020 2428 0000 ff11 1621 c0a8 0032 E...$(.....!...2
> 0x0010 c0a8 0001 0035 0035 0064 05f7 aabb ccdd .....5.5.d......
>
>
> Regarding ISAKMP, it would have would have been a problem with undersized
> payload length values, especially with SA proposals. Sorry I can't be more
> specific.
>
> Did the fixes in 0.8.14 solve a generic problem with malformed data
> (possibly with UDP) or just the AFS issue based on the exploit that went
> public?
The DNS and ISAKMP protocol decoders use the old style byte array based
dissectors. The dissectors were expected to check packet length before
accessing all data. Newer dissectors are built with 'testy buffers', these
data buffer automatically check the packet data length each time the
dissector accesses data. If the requested data is beyond the end of the
packet an exception is raised and graceful recover occurs.
Until all dissectors are re-coded with the 'testy buffers' it maybe possible
to crash ethereal or tethereal with malformed packets, it is dependent
upon how each dissector was written.
This isn't related to the AFS issue which was a buffer overflow problem
with local storage for data extracted from the packet.
Jeff Foster
jfoste@xxxxxxxxxxxx