Red Hat Bugzilla – Bug 20069
tcpdump buffer overflows
Last modified: 2008-05-01 11:37:59 EDT
FreeBSD people have found several buffer overflows in tcpdump, making it crashable
from remote systems (FreeBSD-SA-00:61).
The same issues apply to our versions too.
Slightly reworked patch attached.
[There were two additional issues in print-icmpv6.c which looked a little dubious. I didn't look at them further, but it'd appear that spoofing in6_addr wouldn't be too easy. Like:

    sprintf(str, "MLD report: %s",
            ipv6addr_string((struct in6_addr *)(dp+1)));
]
Also, tcpdump uses the same savestr function as traceroute. The function was essential
in the traceroute -g 1 -g 1 hole. It could easily be replaced by strdup. Separate patch attached.
Also, this might be a good time to upgrade arpwatch, add non-root support for it
(#19696) and implement a one-liner fix in #defines (#19850).
Created attachment 4796 [details]
Buffer overflow patch based on FreeBSD
Created attachment 4797 [details]
replace savestr with strdup, hmm?
Fixed (patches added) in tcpdump-3.4-32.
FreeBSD people just released a new advisory because they had forgotten to patch a few files.
Most of them (print-ppp, print-bgp, print-telnet, for instance) are ones not included in the RHL version.
The addrtoname.c fix was already in my patch.
There were a few new issues in smbutil.c, though.
Created attachment 5079 [details]
2nd patch added in tcpdump-3.4-33 errata.