Ethereal-users: Re: [Ethereal-users] FW: I got stumped again...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Tue, 27 Mar 2001 10:22:48 -0800 (PST)
> A cohort o' mine asked me this question recently, and as I know that
> ethereal and tcpdump both rely on libpcap, I thought perhaps someone here
> might know the answer to his question.

Nokia appear, from a capture file for which I had to put Yet Another
#@#!%#@@ing Hack into Wiretap, to have their own personal version of
libpcap (with its very own modified version of the savefile format *with
the same damn magic number as the standard one*), and of tcpdump.

I've no idea how up-to-date their tcpdump is, but if they picked up the
latest shiniest tcpdump from tcpdump.org, this problem would be fixed:

	void
	ip_print(register const u_char *bp, register u_int length)
	{

		...

		hlen = IP_HL(ip) * 4; 
		if (hlen < sizeof (struct ip)) {
			(void)printf("bad-hlen %d", hlen);
			return;
		}

		...

	}

Ethereal might be vulnerable to that, as it does

  /* Skip over header + options */
  offset += hlen;

and, in fact, the code that fetches the header length says

  /* XXX - check to make sure this is at least IPH_MIN_LEN. */
  hlen = lo_nibble(iph.ip_v_hl) * 4;    /* IP header length, in bytes */

This isn't a libpcap issue; programs that *don't* rely on libpcap to
capture packets (e.g., snoop) could, if they don't check the sanity of
the header length, have the same problem.
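As an added illustration (not code from this message, tcpdump or Ethereal), the sanity check described above written as a stand-alone function: it reads the IHL nibble exactly as `IP_HL(ip) * 4` / `lo_nibble(iph.ip_v_hl) * 4` do, rejects a header length below the 20-byte minimum, and additionally refuses an IHL that claims more bytes than were captured, so the later `offset += hlen` can never run past the buffer. The function and enum names and the sample headers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimum IPv4 header: IHL of 5 words = 20 bytes, no options. */
#define IPV4_MIN_HLEN 20

enum ip_hdr_status {
    IP_HDR_OK = 0,
    IP_HDR_TRUNCATED,       /* capture shorter than the fixed header */
    IP_HDR_BAD_VERSION,     /* version nibble is not 4 */
    IP_HDR_BAD_HLEN,        /* IHL * 4 < 20, the "bad-hlen" case */
    IP_HDR_HLEN_OVER_CAPLEN /* IHL * 4 larger than the captured bytes */
};

/* Validate the IPv4 header at bp (caplen captured bytes). On success the
 * byte length of the header is stored in *hlen_out (if non-NULL), so the
 * caller may safely do "offset += hlen" to skip header + options. */
enum ip_hdr_status
ip_check_hlen(const uint8_t *bp, size_t caplen, size_t *hlen_out)
{
    if (caplen < IPV4_MIN_HLEN)
        return IP_HDR_TRUNCATED;
    if ((bp[0] >> 4) != 4)
        return IP_HDR_BAD_VERSION;
    size_t hlen = (size_t)(bp[0] & 0x0f) * 4;  /* low nibble, 32-bit words */
    if (hlen < IPV4_MIN_HLEN)
        return IP_HDR_BAD_HLEN;                 /* e.g. IHL of 1 => 4 bytes */
    if (hlen > caplen)
        return IP_HDR_HLEN_OVER_CAPLEN;         /* options run off the end */
    if (hlen_out != NULL)
        *hlen_out = hlen;
    return IP_HDR_OK;
}

/* Constructed sample headers (first byte = version/IHL; rest zeroed). */
static const uint8_t sample_ok[20]        = { 0x45 }; /* IHL 5  -> 20 bytes */
static const uint8_t sample_bad_hlen[20]  = { 0x41 }; /* IHL 1  -> 4 bytes  */
static const uint8_t sample_over_cap[20]  = { 0x4f }; /* IHL 15 -> 60 bytes */

int main(void)
{
    size_t hlen = 0;
    printf("ok:       %d (hlen %zu)\n", ip_check_hlen(sample_ok, 20, &hlen), hlen);
    printf("bad-hlen: %d\n", ip_check_hlen(sample_bad_hlen, 20, NULL));
    printf("over-cap: %d\n", ip_check_hlen(sample_over_cap, 20, NULL));
    return 0;
}
```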