Bug 20069

Summary: tcpdump buffer overflows
Product: [Retired] Red Hat Linux
Reporter: Pekka Savola <pekkas>
Component: tcpdump
Assignee: Harald Hoyer <harald>
Status: CLOSED ERRATA
Severity: medium
Priority: high
Version: 7.0
CC: dr
Keywords: Security
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2000-10-31 13:48:49 UTC
Attachments (description, flags):
Buffer overflow patch based on FreeBSD (flags: none)
replace savestr with strdup, hmm? (flags: none)
smbutil.c fixups (flags: none)

Description Pekka Savola 2000-10-31 00:47:25 UTC
FreeBSD people have found several buffer overflows in tcpdump, making it crashable
from remote systems (FreeBSD-SA-00:61).

The same issues apply to our versions too.

Slightly reworked patch attached.

[ There were two additional issues in print-icmpv6.c which looked a little dubious;
I didn't look at them further, but it'd appear that spoofing in6_addr wouldn't be too easy. Like:

        case ICMPV6_GRPREPORT:
                sprintf(str, "MLD report: %s",
                        ipv6addr_string((struct in6_addr *)(dp+1)));
                break;
]

Also, tcpdump uses the same savestr function as traceroute.  The function was essential
in the traceroute -g 1 -g 1 hole.  It could easily be replaced by strdup.  Separate patch attached.

Also, this might be a good time to upgrade arpwatch, and add non-root support for it
(#19696) and implement a one-liner fix in #defines (#19850).
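
Added example, not part of the original report or of tcpdump's code: the `sprintf(str, ...)` pattern quoted in the description, rewritten so that both the read from the captured packet and the write into the output buffer are bounded. The function name, the 8-byte header offset and the sample packet are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define ICMP6_HDR_LEN 8  /* assumed: sizeof(struct icmp6_hdr), address follows */

/* Constructed sample: 8 header bytes, then the group ff02::1:ff00:1234. */
static const unsigned char SAMPLE_PKT[ICMP6_HDR_LEN + 16] = {
    131, 0, 0, 0, 0, 0, 0, 0,
    0xff, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01, 0xff, 0x00, 0x12, 0x34
};

/* Hypothetical helper (not tcpdump's code). Returns 0 on success,
 * -1 if the address cannot be read from the capture, -2 if the
 * formatted text did not fit in the output buffer. */
int format_mld_report(char *out, size_t outlen,
                      const unsigned char *dp, size_t caplen)
{
    struct in6_addr group;
    char addr[INET6_ADDRSTRLEN];
    int n;

    if (out == NULL || outlen == 0)
        return -2;
    out[0] = '\0';
    /* Read bound: the 16 address bytes must lie inside the captured data. */
    if (dp == NULL || caplen < ICMP6_HDR_LEN + sizeof(group))
        return -1;
    memcpy(&group, dp + ICMP6_HDR_LEN, sizeof(group));
    if (inet_ntop(AF_INET6, &group, addr, sizeof(addr)) == NULL)
        return -1;
    /* Write bound: snprintf writes at most outlen bytes (NUL included)
     * and returns the length the full text would have had. */
    n = snprintf(out, outlen, "MLD report: %s", addr);
    if (n < 0 || (size_t)n >= outlen)
        return -2;   /* truncated, but still NUL-terminated */
    return 0;
}

int main(void)
{
    char big[64], small[16];
    int rc;
    rc = format_mld_report(big, sizeof(big), SAMPLE_PKT, sizeof(SAMPLE_PKT));
    printf("%d \"%s\"\n", rc, big);
    rc = format_mld_report(small, sizeof(small), SAMPLE_PKT, sizeof(SAMPLE_PKT));
    printf("%d \"%s\"\n", rc, small);
    return 0;
}
```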

Comment 1 Pekka Savola 2000-10-31 00:48:20 UTC
Created attachment 4796
Buffer overflow patch based on FreeBSD

Comment 2 Pekka Savola 2000-10-31 00:49:56 UTC
Created attachment 4797
replace savestr with strdup, hmm?

Comment 3 Jeff Johnson 2000-11-02 13:16:08 UTC
Fixed (patches added) in tcpdump-3.4-32.

Comment 4 Pekka Savola 2000-11-06 20:22:32 UTC
FreeBSD people just released a new advisory because they had forgotten to patch a few files.

Most of them (print-ppp, print-bgp, print-telnet, for instance) are ones not included in the RHL version.

addrtoname.c fix was already in my patch.

There were a few new issues in smbutil.c, though.

Comment 5 Pekka Savola 2000-11-06 20:23:34 UTC
Created attachment 5079
smbutil.c fixups

Comment 6 Jeff Johnson 2000-11-13 14:28:33 UTC
2nd patch added in tcpdump-3.4-33 errata.