On Mon, Mar 27, 2000 at 07:53:39AM -0600, Florian Lohoff wrote:
>
>
> On Sun, Mar 26, 2000 at 03:09:14AM -0800, Guy Harris wrote:
> > > #4 0x807ed2b in dissect_l2tp (pd=0x8325ce8 "", offset=70,
> fd=0x81c63b0,
> > > tree=0x831199c) at packet-l2tp.c:370
> >
> > ...which is inside a
> >
> > while (index < length) { /* Process AVP's */
>
> Hmmm - I tried to fix this but it still hangs and now even
> the coredump thing doesnt work - There seems to be no usable
> stacktrace in the core.
>
What fix did you try? It is possible that in line 366 where
index is incremented that it is being incremented by 0, that is,
not being incremented, causing the infinite loop. Try this:
while (index < length ) { /* Process AVP's */
tmp_ptr = ptr;
memcpy(&ver_len_hidden,(tmp_ptr+=2),sizeof(unsigned short));
avp_len = AVP_LENGTH(htons(ver_len_hidden));
+ if (avp_len == 0) {
+ /* put some message in proto_tree to indicate bad packet */
+ return;
+ }
index += avp_len; /* track how far into the control msg */
--gilbert
