Hi,
There is a bug (well, the same bug in two different places) in the OSPF
dissector. More precisely, it is at the end of the function
"dissect_ospf_db_desc" and in the function "dissect_ospf_ls_ack". In both
cases, when the version is neither 2 nor 3, you can loop forever.
How to reproduce? It's really easy using a tool such as scapy
(http://www.cartel-securite.fr/pbiondi/projects/scapy/) to forge a packet.
Run ethereal and sniff on "lo". Then run scapy and try:
> send(IP(proto=89)/(struct.pack("BBH", 0, 2, 14)+"\x00"*10))
- 0 is the version number; you need to set it to a value different
from 2 or 3.
- 2 is the type. 5 also works; with 2 you enter the loop in
"dissect_ospf_db_desc", and with 5, the loop in "dissect_ospf_ls_ack".
- 14 is the length.
- "\x00"*10 pads to the end of the header (1 + 1 + 2 + 10 == 14,
that's OK ;-) ).
A solution to avoid that is to check the version number before entering
the loops and, when the value is something different from 2 or 3, display
something like "Unknown/unsupported OSPF version" or "Malformed OSPF
packet".
Pierre
--
Pierre LALET
http://pierre.droids-corp.org/
Droids Corporation & Team rstack
French Honeynet Project
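The fix Pierre suggests, shown as an added stand-alone example (not Ethereal's dissector code and not part of the original mail): validate the OSPF version before any loop over LSA headers, and make the loop advance by a fixed amount so it cannot spin. The header sizes are the ones from RFC 2328 and RFC 5340 (24-byte v2 header, 16-byte v3 header, 8/12-byte fixed part of a Database Description body, 20-byte LSA headers); the function names, the status enum and the 14-byte sample packet rebuilt from the mail are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of header validation and of the LSA-header walk (example enum). */
enum ospf_status { OSPF_OK = 0, OSPF_UNSUPPORTED_VERSION = 1, OSPF_TRUNCATED = 2 };

#define OSPF_TYPE_DB_DESC   2
#define OSPF_TYPE_LS_ACK    5
#define OSPF_LSA_HEADER_LEN 20   /* LSA header is 20 bytes in both v2 and v3 */

/* Common header: 24 bytes in OSPFv2 (RFC 2328), 16 bytes in OSPFv3 (RFC 5340).
 * Any other version has no defined layout, so -1 is returned and the caller
 * must stop before it starts walking the body. */
static int ospf_header_len(uint8_t version)
{
    switch (version) {
    case 2:  return 24;
    case 3:  return 16;
    default: return -1;
    }
}

/* Fixed part of a Database Description body preceding the LSA headers:
 * 8 bytes in v2, 12 bytes in v3. LS Ack bodies are LSA headers only. */
static int ospf_db_desc_fixed_len(uint8_t version)
{
    return version == 2 ? 8 : version == 3 ? 12 : -1;
}

/* Validate the common header, then count LSA headers in a DB Desc or LS Ack
 * body. The version check runs before the loop, and the loop offset grows by
 * a constant every iteration, so it always terminates. */
enum ospf_status ospf_count_lsa_headers(const uint8_t *pkt, size_t len,
                                        unsigned *lsa_count)
{
    *lsa_count = 0;
    if (len < 4)
        return OSPF_TRUNCATED;

    uint8_t  version = pkt[0];
    uint8_t  type    = pkt[1];
    uint16_t plen    = (uint16_t)((pkt[2] << 8) | pkt[3]);  /* length field */

    int hdr_len = ospf_header_len(version);
    if (hdr_len < 0)
        return OSPF_UNSUPPORTED_VERSION;   /* the check the report asks for */
    if (plen > len || (size_t)hdr_len > plen)
        return OSPF_TRUNCATED;

    size_t off = (size_t)hdr_len;
    if (type == OSPF_TYPE_DB_DESC) {
        size_t fixed = (size_t)ospf_db_desc_fixed_len(version);
        if (off + fixed > plen)
            return OSPF_TRUNCATED;
        off += fixed;
    } else if (type != OSPF_TYPE_LS_ACK) {
        return OSPF_OK;                    /* other types: nothing to walk here */
    }

    while (off + OSPF_LSA_HEADER_LEN <= plen) {
        (*lsa_count)++;
        off += OSPF_LSA_HEADER_LEN;        /* strictly increasing offset */
    }
    return OSPF_OK;
}

/* The 14-byte packet from the mail, reconstructed here: version 0, type 2,
 * length 14, ten zero bytes. */
static const uint8_t report_packet[14] = { 0x00, 0x02, 0x00, 0x0e,
                                           0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Status for the mail's packet: expected OSPF_UNSUPPORTED_VERSION, no loop. */
int demo_report_packet(void)
{
    unsigned n;
    return (int)ospf_count_lsa_headers(report_packet, sizeof report_packet, &n);
}

/* Builds a constructed OSPFv2 DB Description packet carrying nlsa zeroed LSA
 * headers and returns how many the parser counts, or -1 on error. */
int demo_v2_db_desc(unsigned nlsa)
{
    uint8_t buf[256];
    size_t plen = 24 + 8 + (size_t)nlsa * OSPF_LSA_HEADER_LEN;
    if (plen > sizeof buf)
        return -1;
    memset(buf, 0, plen);
    buf[0] = 2;                            /* version */
    buf[1] = OSPF_TYPE_DB_DESC;            /* type */
    buf[2] = (uint8_t)(plen >> 8);         /* length, big-endian */
    buf[3] = (uint8_t)(plen & 0xff);
    unsigned n;
    if (ospf_count_lsa_headers(buf, plen, &n) != OSPF_OK)
        return -1;
    return (int)n;
}

int main(void)
{
    printf("mail's packet -> status %d (1 = unsupported version)\n", demo_report_packet());
    printf("v2 DB Desc with 3 LSA headers -> %d counted\n", demo_v2_db_desc(3));
    return 0;
}
```

The two properties worth keeping in any real dissector fix are the ones the mail points at: reject the version before deciding how long the header is, and never let the loop's termination depend on a per-version value that an unknown version leaves unset.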