Bug 20069 - tcpdump buffer overflows
Product: Red Hat Linux
Classification: Retired
Component: tcpdump
Hardware/OS: i386 Linux
Priority: high, Severity: medium
Assigned To: Harald Hoyer
Keyword: Security
Reported: 2000-10-30 19:47 EST by Pekka Savola
Modified: 2008-05-01 11:37 EDT
Doc Type: Bug Fix
Last Closed: 2000-10-31 08:48:49 EST

Attachments
Buffer overflow patch based on FreeBSD (6.75 KB, patch) - 2000-10-30 19:48 EST, Pekka Savola
replace savestr with strdup, hmm? (4.45 KB, patch) - 2000-10-30 19:49 EST, Pekka Savola
smbutil.c fixups (655 bytes, patch) - 2000-11-06 15:23 EST, Pekka Savola

Description Pekka Savola 2000-10-30 19:47:25 EST
FreeBSD people have found several buffer overflows in tcpdump, making it crashable
from remote systems (FreeBSD-SA-00:61).

The same issues apply to our versions too.

Slightly reworked patch attached.

[ there were two additional issues in print-icmpv6.c which looked a little dubious,
I didn't look at them further, but it'd appear that spoofing in6_addr wouldn't be too easy. Like:

        case ICMPV6_GRPREPORT:
                sprintf(str, "MLD report: %s",
                        ipv6addr_string((struct in6_addr *)(dp+1)));

Also, tcpdump uses the same savestr function as traceroute.  The function was essential
in the traceroute -g 1 -g 1 hole.  It could easily be replaced by strdup.  Separate patch attached.

Also, this might be a good time to upgrade arpwatch, and add non-root support for it
(#19696) and implement a one-liner fix in #defines (#19850).
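The two patterns the report names, an unbounded sprintf() of packet-derived text into a fixed buffer in print-icmpv6.c and the savestr() helper shared with traceroute, can both be shown in their hardened form. The following is an added example written for this page, not tcpdump's or FreeBSD's code and not the attached patch: format_mld_report() is a bounded stand-in for the "MLD report: %s" line that reports truncation instead of writing past the buffer, savestr_safe() is the strdup()-based replacement the second attachment proposes, and MLD_STR_LEN, make_long_input() and the 'f'-filled input string are constructed for illustration.

```c
/* Added example (not tcpdump's code): bounded formatting and heap
 * string duplication in the style the bug report asks for.  The
 * original print-icmpv6.c used sprintf() into a fixed-size buffer;
 * here snprintf() plus a length check replaces it, and strdup()
 * replaces savestr().  Buffer size and inputs are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed buffer the decoder formats into (assumed value). */
#define MLD_STR_LEN 64

/* Format "MLD report: <addr>" into buf, which holds len bytes.
 * Returns 1 when the whole message fit, 0 when it was truncated
 * (buf is NUL-terminated either way), -1 on bad arguments.  The
 * untrusted part of the message can never grow past len. */
int format_mld_report(char *buf, size_t len, const char *addr_str)
{
    if (buf == NULL || len == 0 || addr_str == NULL)
        return -1;
    int n = snprintf(buf, len, "MLD report: %s", addr_str);
    if (n < 0) {
        buf[0] = '\0';
        return -1;
    }
    return (size_t)n < len ? 1 : 0;
}

/* strdup()-based replacement for savestr(): the copy's size is
 * derived from the string itself rather than from a fixed pool.
 * The caller frees the result; NULL means allocation failure. */
char *savestr_safe(const char *s)
{
    if (s == NULL)
        return NULL;
    return strdup(s);
}

/* Build a constructed over-long "address" of n 'f' characters as a
 * stand-in for hostile packet-derived text.  The caller frees it. */
char *make_long_input(size_t n)
{
    char *p = malloc(n + 1);
    if (p == NULL)
        return NULL;
    memset(p, 'f', n);
    p[n] = '\0';
    return p;
}

int main(void)
{
    char str[MLD_STR_LEN];

    /* Normal case: a constructed, well-formed IPv6 group address. */
    int fit = format_mld_report(str, sizeof str, "ff02::1");
    printf("fit=%d: %s\n", fit, str);

    /* Hostile case: input longer than the buffer is truncated, and
     * the function says so, instead of overflowing str. */
    char *big = make_long_input(200);
    if (big == NULL)
        return 1;
    int trunc = format_mld_report(str, sizeof str, big);
    printf("fit=%d, %zu bytes kept\n", trunc, strlen(str));

    /* The heap copy keeps the full length because it is sized from
     * the string, which is the point of replacing savestr(). */
    char *copy = savestr_safe(big);
    if (copy != NULL) {
        printf("copy length %zu\n", strlen(copy));
        free(copy);
    }
    free(big);
    return 0;
}
```

Checking the snprintf() return value matters as much as the bound: a return of len or more means the caller is looking at a truncated string, which a decoder should treat as a malformed packet rather than silently print.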
Comment 1 Pekka Savola 2000-10-30 19:48:20 EST
Created attachment 4796 [details]
Buffer overflow patch based on FreeBSD
Comment 2 Pekka Savola 2000-10-30 19:49:56 EST
Created attachment 4797 [details]
replace savestr with strdup, hmm?
Comment 3 Jeff Johnson 2000-11-02 08:16:08 EST
Fixed (patches added) in tcpdump-3.4-32.
Comment 4 Pekka Savola 2000-11-06 15:22:32 EST
FreeBSD people just released a new advisory because they had forgotten to patch a few files.

Most of them (print-ppp, print-bgp, print-telnet, for instance) are ones not included in the RHL version.

The addrtoname.c fix was already in my patch.

There were a few new issues in smbutil.c, though.
Comment 5 Pekka Savola 2000-11-06 15:23:34 EST
Created attachment 5079 [details]
smbutil.c fixups
Comment 6 Jeff Johnson 2000-11-13 09:28:33 EST
2nd patch added in tcpdump-3.4-33 errata.