Bug 20069 - tcpdump buffer overflows
Summary: tcpdump buffer overflows
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: tcpdump   
(Show other bugs)
Version: 7.0
Hardware: i386
OS: Linux
high
medium
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact:
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-10-31 00:47 UTC by Pekka Savola
Modified: 2008-05-01 15:37 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-10-31 13:48:49 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Buffer overflow patch based on FreeBSD (6.75 KB, patch)
2000-10-31 00:48 UTC, Pekka Savola
no flags Details | Diff
replace savestr with strdup, hmm? (4.45 KB, patch)
2000-10-31 00:49 UTC, Pekka Savola
no flags Details | Diff
smbutil.c fixups (655 bytes, patch)
2000-11-06 20:23 UTC, Pekka Savola
no flags Details | Diff

Description Pekka Savola 2000-10-31 00:47:25 UTC
FreeBSD people have found several buffer overflows in tcpdump, making it crashable
from remote systems (FreeBSD-SA-00:61).

The same issues apply to our versions too.

Slightly reworked patch attached.

[ there were two additional issues in print-icmpv6.c which looked a little dubious, 
I didn't look at them further, but it'd appear that spoofing in6_addr wouldn't be too easy. Like:

        case ICMPV6_GRPREPORT:
                sprintf(str, "MLD report: %s",
                        ipv6addr_string((struct in6_addr *)(dp+1)));
                break;
]

Also, tcpdump uses same savestr function as traceroute.  The function was essential
in traceroute -g 1 -g 1 hole.  It could easily be replaced by strdup.  Separate patch attached.

Also, this might be a good time to upgrade arpwatch, and add non-root support for it 
(#19696) and implement an one-liner fix in #defines (#19850).

Comment 1 Pekka Savola 2000-10-31 00:48:20 UTC
Created attachment 4796 [details]
Buffer overflow patch based on FreeBSD

Comment 2 Pekka Savola 2000-10-31 00:49:56 UTC
Created attachment 4797 [details]
replace savestr with strdup, hmm?

Comment 3 Jeff Johnson 2000-11-02 13:16:08 UTC
Fixed (patches added) in tcpdump-3.4-32.

Comment 4 Pekka Savola 2000-11-06 20:22:32 UTC
FreeBSD people just released a new advisory because they had forgot to patch a few files.

Most of them (print-ppp, print-bgp,print-telnet, for instance) are ones not included in RHL version.

addrtoname.c fix was already in my patch.

There were a few new issues in smbutil.c, though.

Comment 5 Pekka Savola 2000-11-06 20:23:34 UTC
Created attachment 5079 [details]
smbutil.c fixups

Comment 6 Jeff Johnson 2000-11-13 14:28:33 UTC
2nd patch added in tcpdump-3.4-33 errata.


Note You need to log in before you can comment on or make changes to this bug.