Bug 4634

Summary: TCPDUMP will dump core if fed a spoofed IP packet with proto 4 and hl=0
Product: [Retired] Red Hat Linux
Reporter: francois
Component: tcpdump
Assignee: David Lawrence <dkl>
Status: CLOSED NEXTRELEASE
Severity: medium
Priority: medium
Version: 6.0
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 1999-08-20 21:45:05 UTC

Description francois 1999-08-20 20:52:57 UTC
(copy of mail sent to tcpdump.gov)

        I have just noticed and fixed a rather obscure
        and exploitable DoS against tcpdump.

        If someone spoofs an IP packet with a header
        length of 0 (ip_hl=0) (or any value bigger
        than the total ip+(tcp/udp) packet) and
        the ip_protocol of the packet is set to 4,
        tcpdump will dump core.

        Why? Simple. Let's go into print-ip.c.

        The header length is calculated this way:

        hlen = ip->ip_hl * 4;

        If the packet is spoofed and ip_hl=0 or a very
        big value, hlen will contain 0.

        Then...

        cp = (const u_char *)ip + hlen;

        cp will point to the beginning of the IP
        packet, not inside, at the data after the
        header.

        If the IP protocol is 4 then we jump to:

        case 4:
        /* DVMRP multicast tunnel (ip-in-ip encapsulation) */
        (...)
                        ip_print(cp, len);
        (...)
                        break;

        As cp=ip, we build a recursive loop to ip_print
        which will smash the stack in no time.

        Here is my patch. (I was not especially
        inspired for the error message.)

        Hope you can fix this ASAP.

        Note: I have built an exploit. AFAIK it only
        works if the computer running tcpdump is on the
        same ethernet segment as the attacker, as
        most routers will drop an IP packet with an ip_hl
        lower than 5.

        Some people depend on tcpdump feeding an analyzer
        script to protect their network; that's why
        I think this DoS should be taken seriously.

--- tcpdump-3.4/print-ip.c      Fri Aug 20 16:00:51 1999
+++ tcpdump-3.4-p1/print-ip.c   Fri Aug 20 16:04:32 1999
@@ -374,6 +374,10 @@
                (void)printf("truncated-ip %d", length);
                return;
        }
+       if (ip->ip_hl < 5) {
+               (void)printf("ip_hl < 5 (%d)", ip->ip_hl);
+               return;
+       }
        hlen = ip->ip_hl * 4;

        len = ntohs(ip->ip_len);
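
Review bot: the new check only bounds ip_hl from below; the case the report itself names ("or any value bigger than the total ip+(tcp/udp) packet") is still unhandled, because `hlen = ip->ip_hl * 4;` can be as large as 60 and the `truncated-ip` test visible above it is a test on `length`, not on `hlen`. Add a matching upper-bound check once `hlen` and `len` are known, for example `if (hlen > length || len < hlen) { (void)printf("bad-hlen %d", hlen); return; }`, otherwise `cp` can be computed past the captured bytes and the `len` handed to the next layer underflows. Also, `ip_hl < 5 (%d)` reads as debugging output next to `truncated-ip %d`; a short tag in the same style, such as `bad-hlen %d`, would match tcpdump's existing output.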

        regards,
        Francois

Francois Baligant
Developer, Network Operation Center
EuroNet Internet NV/SA, a subsidiary of France Telecom
Lozenberg 22 - B-1932 Zaventem
tel: +32 2 717 17 17
fax: +32 2 717 17 77
francois.net

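The recursion the report walks through, as an added example that is not tcpdump's code: a small C model of the print-ip.c dispatch (the sequence hlen = ip_hl * 4, cp = ip + hlen, case 4 recursing into ip_print with len) run over constructed packets, with the vulnerable path beside a hardened one. The function and type names (ip_print_model, mk_ip_hdr, walk, scenario_*, enum ip_result, MAX_DEPTH) are this example's own; the byte layout assumed is ip_hl in the low nibble of byte 0, ip_len in bytes 2-3 (network order) and ip_p in byte 9, with fragment offsets taken as zero; MAX_DEPTH stands in for exhausting the stack, which the real parser never checks. The hardened variant applies the posted ip_hl < 5 check and, as an assumption that goes beyond the posted patch, also rejects a header length larger than the captured or declared length, which covers the report's second case (ip_hl larger than the packet).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one modelled ip_print() call (names are this example's own). */
enum ip_result { IP_DONE = 0, IP_TRUNCATED, IP_BAD_HLEN, IP_STACK_EXHAUSTED };

#define IP_MIN_HDR 20
#define MAX_DEPTH  64   /* stand-in for running out of stack; the real parser has no cap */

/*
 * Model of the ip_print() dispatch the report describes, not tcpdump's code.
 * hardened=0 mirrors the report's sequence: hlen -> cp -> case 4 -> ip_print(cp, len).
 * hardened=1 adds the posted ip_hl < 5 check plus an upper-bound check (assumption).
 */
static enum ip_result ip_print_model(const uint8_t *ip, size_t length,
                                     int hardened, int *depth)
{
    if (++*depth > MAX_DEPTH)
        return IP_STACK_EXHAUSTED;
    if (length < IP_MIN_HDR)                 /* the existing "truncated-ip" test */
        return IP_TRUNCATED;

    unsigned ip_hl = ip[0] & 0x0f;                     /* assumed layout: low nibble of byte 0 */
    unsigned hlen  = ip_hl * 4;                        /* hlen = ip->ip_hl * 4; */
    unsigned len   = ((unsigned)ip[2] << 8) | ip[3];   /* len = ntohs(ip->ip_len); */
    uint8_t  proto = ip[9];                            /* ip->ip_p */

    if (hardened) {
        if (ip_hl < 5)                       /* the posted patch */
            return IP_BAD_HLEN;
        if (hlen > length || len < hlen)     /* upper bound; not part of the posted patch */
            return IP_BAD_HLEN;
    }
    if (len > length)                        /* never trust ip_len past the capture (assumption) */
        len = (unsigned)length;
    len -= hlen;                             /* bytes left for the encapsulated layer */
    const uint8_t *cp = ip + hlen;           /* cp = (const u_char *)ip + hlen; with hlen 0, cp == ip */

    if (proto == 4)                          /* case 4: ip-in-ip, recurse like ip_print(cp, len) */
        return ip_print_model(cp, (size_t)len, hardened, depth);
    return IP_DONE;                          /* any other protocol ends the walk here */
}

/* Constructed 20-byte IPv4 header: version 4, given ip_hl, total length, protocol. */
static void mk_ip_hdr(uint8_t *h, unsigned ip_hl, uint16_t total_len, uint8_t proto)
{
    memset(h, 0, IP_MIN_HDR);
    h[0] = (uint8_t)(0x40 | (ip_hl & 0x0f));
    h[2] = (uint8_t)(total_len >> 8);
    h[3] = (uint8_t)(total_len & 0xff);
    h[8] = 64;                               /* ttl */
    h[9] = proto;
}

struct outcome { enum ip_result result; int depth; };

static struct outcome walk(const uint8_t *pkt, size_t n, int hardened)
{
    struct outcome o = { IP_DONE, 0 };
    o.result = ip_print_model(pkt, n, hardened, &o.depth);
    return o;
}

/* The report's packet: ip_hl = 0, protocol 4, 40 bytes on the wire (constructed). */
static struct outcome scenario_hl0(int hardened)
{
    uint8_t pkt[40] = {0};
    mk_ip_hdr(pkt, 0, (uint16_t)sizeof pkt, 4);
    return walk(pkt, sizeof pkt, hardened);
}

/* The report's other case: ip_hl = 15 (hlen 60) inside a 40-byte packet.  Only the
 * hardened parser is run; the unhardened one would read past the buffer here. */
static struct outcome scenario_hl15_short(void)
{
    uint8_t pkt[40] = {0};
    mk_ip_hdr(pkt, 15, (uint16_t)sizeof pkt, 4);
    return walk(pkt, sizeof pkt, 1);
}

/* Legitimate ip-in-ip: outer header (proto 4), inner header (proto 17), 8 payload bytes. */
static struct outcome scenario_legit_ipip(int hardened)
{
    uint8_t pkt[48] = {0};
    mk_ip_hdr(pkt, 5, (uint16_t)sizeof pkt, 4);
    mk_ip_hdr(pkt + 20, 5, 28, 17);
    return walk(pkt, sizeof pkt, hardened);
}

int main(void)
{
    static const char *names[] = { "done", "truncated-ip", "bad-hlen", "stack exhausted" };
    struct outcome o;
    o = scenario_hl0(0);
    printf("ip_hl=0, vulnerable: %s after %d nested calls\n", names[o.result], o.depth);
    o = scenario_hl0(1);
    printf("ip_hl=0, hardened:   %s at depth %d\n", names[o.result], o.depth);
    o = scenario_hl15_short();
    printf("ip_hl=15, hardened:  %s at depth %d\n", names[o.result], o.depth);
    o = scenario_legit_ipip(1);
    printf("real ip-in-ip:       %s at depth %d\n", names[o.result], o.depth);
    return 0;
}
```

On the ip_hl=0 packet the unhardened walk never shrinks len and never advances cp, so it recurses until the depth cap (in the real parser, until the stack is gone); a genuine ip-in-ip packet terminates after two levels because each header consumes 20 bytes of len. The hardened walk stops at depth 1 for both malformed packets.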
Comment 1 Jeff Johnson 1999-08-20 21:45:59 UTC
Patch added in tcpdump-3.4-15.