Hi, checking of 802.3 is done incorrectly (is length < 1500 rather than the correct is length <= 1500) find patch attached. John Leach. Security Mountaineer
diff -ru -x '*.am' -x '*.in' firestorm-cvs/decode_plugins/ether.c firestorm-new/decode_plugins/ether.c --- firestorm-cvs/decode_plugins/ether.c Fri Sep 27 22:36:32 2002 +++ firestorm-new/decode_plugins/ether.c Fri Sep 27 22:32:21 2002 @@ -75,7 +75,7 @@ b+=sprintf(b, "%02x%c", *x&0xFF, c==5 ? ' ' : ':'); proto=htons(l->h.eth->proto); - if ( proto < 1500 ) { + if ( proto <= 1500 ) { b+=sprintf(b, "length=%u", proto); }else{ b+=sprintf(b, "proto=0x%.4x", proto); @@ -181,7 +181,7 @@ > p->end ) goto err; /* Check if we are 802.3 and change accordingly */ - if ( htons(l->h.eth->proto)<1500 ) { + if ( htons(l->h.eth->proto)<=1500 ) { /* Ugly hack for Novell Netware IPX frames */ if ( (p->layer[p->llen].h.raw+2 < p->end) && ((unsigned char *)p->layer[p->llen].h.raw)[0]==0xff &&
Attachment:
signature.asc
Description: This is a digitally signed message part