Summary: tcpdump buffer overflows
Product: [Retired] Red Hat Linux
Reporter: Pekka Savola <pekkas>
Component: tcpdump
Assignee: Harald Hoyer <harald>
Status: CLOSED ERRATA
QA Contact: (none)
Fixed In Version: (none)
Doc Type: Bug Fix
Doc Text: (none)
Story Points: ---
Last Closed: 2000-10-31 13:48:49 UTC
Type: ---
Description Pekka Savola 2000-10-31 00:47:25 UTC
FreeBSD people have found several buffer overflows in tcpdump, making it crashable from remote systems (FreeBSD-SA-00:61). The same issues apply to our versions too. Slightly reworked patch attached.

[ There were two additional issues in print-icmpv6.c which looked a little dubious; I didn't look at them further, but it'd appear that spoofing in6_addr wouldn't be too easy. Like:

    case ICMPV6_GRPREPORT:
        sprintf(str, "MLD report: %s",
            ipv6addr_string((struct in6_addr *)(dp+1)));
        break;
]

Also, tcpdump uses the same savestr function as traceroute. The function was essential in the traceroute -g 1 -g 1 hole. It could easily be replaced by strdup. Separate patch attached.

Also, this might be a good time to upgrade arpwatch, add non-root support for it (#19696) and implement a one-liner fix in #defines (#19850).
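The shape of bug reported above, shown as an added example (this is constructed illustration code, not tcpdump's own printers or the attached patch): a printer for a hypothetical length-prefixed name field that first trusts the on-the-wire length, then the same printer bounded by the captured length (caplen) and by the destination size. The field layout, the 32-byte NAME_BUF, the function names and the 'A'-filled sample packets are all assumptions made for this demo.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed field layout (hypothetical, not a real tcpdump protocol):
 *   byte 0     : name length n, chosen by the remote sender
 *   bytes 1..n : name bytes, not NUL-terminated on the wire
 */
#define NAME_BUF 32           /* fixed-size buffer of the kind old printers used */

/* Vulnerable shape: the on-the-wire length is trusted both as a read
 * bound (may read past the captured packet) and as a write bound
 * (may write past the NAME_BUF-byte destination). */
void print_name_unsafe(const unsigned char *bp, char *out /* NAME_BUF bytes */)
{
    size_t n = bp[0];
    memcpy(out, bp + 1, n);   /* no check against caplen or NAME_BUF */
    out[n] = '\0';
}

/* Hardened shape: bound the read by caplen (bytes actually captured,
 * i.e. tcpdump's snapshot) and the write by the destination size.
 * Returns 0 on success, -1 if the field is truncated in the capture,
 * -2 if the name (plus its NUL) would not fit in out. */
int print_name_safe(const unsigned char *bp, size_t caplen, char *out, size_t outlen)
{
    if (caplen < 1)
        return -1;            /* not even the length byte was captured */
    size_t n = bp[0];
    if (n > caplen - 1)
        return -1;            /* would read past the capture */
    if (n + 1 > outlen)
        return -2;            /* would overflow the destination */
    memcpy(out, bp + 1, n);
    out[n] = '\0';
    return 0;
}

/* Build a constructed packet: length byte followed by n copies of 'A'.
 * Returns the packet size, or 0 if it does not fit in pkt. */
size_t build_name_pkt(unsigned char *pkt, size_t pktlen, size_t n)
{
    if (n > 255 || n + 1 > pktlen)
        return 0;
    pkt[0] = (unsigned char)n;
    memset(pkt + 1, 'A', n);
    return n + 1;
}

/* Run the unsafe printer on a NAME_BUF-byte region that is followed, in
 * the same array, by a canary. Keeping the canary in one allocation keeps
 * the stray write inside that allocation so the demo does not crash; in a
 * real printer the same bytes land on whatever follows the buffer on the
 * stack. Returns 1 if the canary was overwritten, 0 if not, -1 on bad input. */
int unsafe_clobbers_canary(size_t n)
{
    char region[NAME_BUF + 256];
    unsigned char pkt[256];
    memset(region, 0, NAME_BUF);
    memset(region + NAME_BUF, 'C', sizeof region - NAME_BUF);
    if (build_name_pkt(pkt, sizeof pkt, n) == 0)
        return -1;
    print_name_unsafe(pkt, region);
    for (size_t i = NAME_BUF; i < sizeof region; i++)
        if (region[i] != 'C')
            return 1;
    return 0;
}

int main(void)
{
    unsigned char pkt[256];
    char out[NAME_BUF];
    size_t len;
    int rc;

    printf("unsafe, n=8:  canary clobbered = %d\n", unsafe_clobbers_canary(8));
    printf("unsafe, n=64: canary clobbered = %d\n", unsafe_clobbers_canary(64));

    len = build_name_pkt(pkt, sizeof pkt, 64);
    printf("safe, n=64:           rc = %d\n", print_name_safe(pkt, len, out, sizeof out));
    len = build_name_pkt(pkt, sizeof pkt, 8);
    printf("safe, n=8, caplen=4:  rc = %d\n", print_name_safe(pkt, 4, out, sizeof out));
    rc = print_name_safe(pkt, len, out, sizeof out);
    printf("safe, n=8:            rc = %d, name = \"%s\"\n", rc, out);
    return 0;
}
```

The two checks in print_name_safe are independent and both are needed: the caplen check stops a read past the captured bytes (a sender can claim a length longer than what was captured), and the outlen check stops the write past the fixed buffer that a remote sender can trigger with a large length byte.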
Comment 1 Pekka Savola 2000-10-31 00:48:20 UTC
Created attachment 4796: Buffer overflow patch based on FreeBSD
Comment 2 Pekka Savola 2000-10-31 00:49:56 UTC
Created attachment 4797: replace savestr with strdup, hmm?
Comment 3 Jeff Johnson 2000-11-02 13:16:08 UTC
Fixed (patches added) in tcpdump-3.4-32.
Comment 4 Pekka Savola 2000-11-06 20:22:32 UTC
FreeBSD people just released a new advisory because they had forgotten to patch a few files. Most of them (print-ppp, print-bgp, print-telnet, for instance) are ones not included in the RHL version. The addrtoname.c fix was already in my patch. There were a few new issues in smbutil.c, though.
Comment 6 Jeff Johnson 2000-11-13 14:28:33 UTC
2nd patch added in tcpdump-3.4-33 errata.