Bug 2027937 - libpcap 1.5.3 with distro patch applied writes pcap file with broken pkthdr
Summary: libpcap 1.5.3 with distro patch applied writes pcap file with broken pkthdr
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libpcap
Version: 7.9
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assignee: Michal Ruprich
QA Contact: František Hrdina
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-12-01 05:08 UTC by Yousong Zhou
Modified: 2022-05-11 12:20 UTC

Fixed In Version: libpcap-1.5.3-13.el7_9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-04-05 17:17:49 UTC
Target Upstream Version:


Links

 - CentOS 18365 (last updated 2021-12-01 05:08:29 UTC)
 - GitHub the-tcpdump-group/libpcap issue 1071, status open: "A centos patch on libpcap version 1.5.3 causes the creation of invalid pcap files with packet length < capture length wh..." (last updated 2021-12-01 05:08:29 UTC)
 - Red Hat Issue Tracker RHELPLAN-104399 (last updated 2021-12-01 05:22:40 UTC)
 - Red Hat Product Errata RHBA-2022:1201 (last updated 2022-04-05 17:17:51 UTC)

Description Yousong Zhou 2021-12-01 05:08:29 UTC
Description of problem:

The issue was found on a RHEL 7 derivative.  It was also reported to the-tcpdump-group/libpcap and CentOS community

 - https://github.com/the-tcpdump-group/libpcap/issues/1071
 - https://bugs.centos.org/view.php?id=18365

Quote:

To summarize, pcap file written with `tcpdump -i any -w a.pcap` will be rejected by tcpdump 4.99 which adds sanity checks on pkthdr struct.

The other issue as analyzed there by @guyharris is that when inspecting the bad pcap file with tcpdump 4.9, it may access 16 bytes of data out of bounds. See https://github.com/the-tcpdump-group/libpcap/issues/1071#issuecomment-980442403


Version-Release number of selected component (if applicable):

libpcap-1.5.3-12.1.al7.src.rpm


How reproducible:

Always


Steps to Reproduce:

Run the following commands to dump a few packets

  tcpdump -i any -w a.pcap -c 8

Hexdump check on the first few bytes of the file. snaplen is 16 bytes bigger than the actual len field for each packet header

00000000  d4 c3 b2 a1 02 00 04 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 04 00 71 00 00 00  cb 5e 9f 61 ae 80 04 00  |....q....^.a....|
00000020  c9 03 00 00 b9 03 00 00  00 00 00 01 00 06 ee ff  |................|
          ^^          ^^

Comment 3 Michal Ruprich 2021-12-14 10:38:46 UTC
Just adding a reproducer where it might be a little bit simpler to see what is going on and what is wrong:

In one terminal:
# tcpdump -i any -w ping.pcap --immediate-mode -c 1 icmp
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

In another terminal:
# ping -c 1 -p ff 127.0.0.1

In the first terminal:
1 packet captured
4 packets received by filter
0 packets dropped by kernel
# tcpdump -X -r ping.pcap
reading from file ping.pcap, link-type LINUX_SLL (Linux cooked)
05:31:04.048163 IP localhost > localhost: ICMP echo request, id 8156, seq 1, length 64
	0x0000:  4500 0054 e899 4000 4001 540d 7f00 0001  E..T..@.@.T.....
	0x0010:  7f00 0001 0800 ad92 1fdc 0001 6872 b861  ............hr.a
	0x0020:  0000 0000 09bc 0000 0000 0000 ffff ffff  ................
	0x0030:  ffff ffff ffff ffff ffff ffff ffff ffff  ................
	0x0040:  ffff ffff ffff ffff ffff ffff ffff ffff  ................
	0x0050:  ffff ffff 0000 0000 0000 0000 0000 0000  ................
	0x0060:  0000 0000 <-------- These zeros should not be here, exactly 16 extra bytes as the size of sll_header

The output of ping.pcap should look like this:
11:32:18.409143 lo    In  IP localhost > localhost: ICMP echo request, id 1, seq 1, length 64
	0x0000:  4500 0054 00a3 4000 4001 3c04 7f00 0001  E..T..@.@.<.....
	0x0010:  7f00 0001 0800 abeb 0001 0001 b272 b861  .............r.a
	0x0020:  0000 0000 db3d 0600 0000 0000 ffff ffff  .....=..........
	0x0030:  ffff ffff ffff ffff ffff ffff ffff ffff  ................
	0x0040:  ffff ffff ffff ffff ffff ffff ffff ffff  ................
	0x0050:  ffff ffff

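The record-header defect visible in the hexdump in the description (caplen 0x3c9 = 969 against len 0x3b9 = 953) and in the tcpdump -X output in Comment 3 (16 trailing zero bytes) can be checked for, and in the LINUX_SLL case repaired, with a short pcap walker. The following is an added example, not code from libpcap, tcpdump, CentOS or Red Hat. The global-header bytes it uses are copied from the report's hexdump; the packet bodies, timestamps of the second record and the build_sample() file are constructed. It assumes the standard 16-byte pcap record header (ts_sec, ts_usec, caplen, len) and that the surplus bytes are a trailing run of 16 zeros, as Comment 3's output shows. The caplen > len test is the kind of pkthdr sanity check the report says tcpdump 4.99 applies; the actual tcpdump/libpcap code differs.

```python
"""Walk a classic (libpcap) capture file, flag record headers whose caplen
exceeds len or snaplen, and strip the 16-byte zero tail from LINUX_SLL
records that carry it.  Added example; not code from libpcap, tcpdump,
CentOS or Red Hat.

Assumptions: the record header is the standard 16-byte pcap pkthdr
(ts_sec, ts_usec, caplen, len); the surplus bytes are a trailing run of
SLL_HDR_LEN zeros, as the tcpdump -X output in Comment 3 shows;
build_sample() is a constructed file, not a real capture, whose global
header bytes are copied from the report's hexdump.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # "d4 c3 b2 a1" read as a little-endian uint32
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic in a big-endian file
GLOBAL_HDR_LEN = 24
REC_HDR_LEN = 16
DLT_LINUX_SLL = 113          # 0x71 in the hexdump: "Linux cooked"
SLL_HDR_LEN = 16             # sizeof(struct sll_header)


def parse_global_header(buf):
    """Return (struct endian prefix, snaplen, linktype) for the 24-byte header."""
    if len(buf) < GLOBAL_HDR_LEN:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack("<I", buf[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    # version major/minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, snaplen, linktype = struct.unpack(endian + "HHiIII",
                                                  buf[4:GLOBAL_HDR_LEN])
    return endian, snaplen, linktype


def check_records(buf):
    """Return [(offset, caplen, len, problems)] for every record in buf.

    problems is an empty list for a sane header.  A reader that uses caplen
    as the number of bytes to read must apply checks like these first."""
    endian, snaplen, _ = parse_global_header(buf)
    results = []
    off = GLOBAL_HDR_LEN
    while off < len(buf):
        if off + REC_HDR_LEN > len(buf):
            results.append((off, None, None, ["truncated record header"]))
            break
        _, _, caplen, origlen = struct.unpack(endian + "IIII",
                                              buf[off:off + REC_HDR_LEN])
        problems = []
        if caplen > origlen:
            problems.append("caplen %d > len %d" % (caplen, origlen))
        if caplen > snaplen:
            problems.append("caplen %d > snaplen %d" % (caplen, snaplen))
        if off + REC_HDR_LEN + caplen > len(buf):
            problems.append("caplen runs past end of file")
            results.append((off, caplen, origlen, problems))
            break
        results.append((off, caplen, origlen, problems))
        off += REC_HDR_LEN + caplen
    return results


def strip_sll_padding(buf):
    """Return a repaired copy of buf (assumption: the extra bytes are a
    trailing zero run of SLL_HDR_LEN bytes).

    Only LINUX_SLL files are changed, and only records with
    caplen == len + SLL_HDR_LEN whose tail is all zeros: the tail is dropped
    and caplen rewritten to len.  Every other record is copied unchanged."""
    endian, _, linktype = parse_global_header(buf)
    out = bytearray(buf[:GLOBAL_HDR_LEN])
    off = GLOBAL_HDR_LEN
    while off < len(buf):
        hdr = buf[off:off + REC_HDR_LEN]
        if len(hdr) < REC_HDR_LEN:
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, caplen, origlen = struct.unpack(endian + "IIII", hdr)
        data = buf[off + REC_HDR_LEN:off + REC_HDR_LEN + caplen]
        if len(data) < caplen:
            raise ValueError("truncated record data at offset %d" % off)
        off += REC_HDR_LEN + caplen          # advance by the on-disk caplen
        if (linktype == DLT_LINUX_SLL
                and caplen == origlen + SLL_HDR_LEN
                and data[origlen:] == bytes(SLL_HDR_LEN)):
            data = data[:origlen]
            caplen = origlen
        out += struct.pack(endian + "IIII", sec, usec, caplen, origlen)
        out += data
    return bytes(out)


def build_sample():
    """Constructed two-record file.  The global header bytes are those in the
    report's hexdump (LE, v2.4, snaplen 262144, link-type 113); the packet
    bodies are made up.  Record 0 has the bug (caplen = len + 16, zero tail);
    record 1 is well-formed."""
    global_hdr = bytes.fromhex(
        "d4c3b2a1 0200 0400 00000000 00000000 00000400 71000000")
    # sll_header: pkttype, hatype, halen, addr[8], protocol (constructed)
    sll = bytes.fromhex("0000 0001 0006 eeff000000000000 0800")
    payload = bytes(range(20))                      # constructed, 20 bytes
    pkt = sll + payload
    ts = (0x619F5ECB, 0x000480AE)                   # timestamp from the hexdump
    bad = struct.pack("<IIII", ts[0], ts[1], len(pkt) + SLL_HDR_LEN, len(pkt))
    bad += pkt + bytes(SLL_HDR_LEN)
    good = struct.pack("<IIII", ts[0], ts[1] + 1, len(pkt), len(pkt)) + pkt
    return global_hdr + bad + good


if __name__ == "__main__":
    sample = build_sample()
    for off, caplen, origlen, problems in check_records(sample):
        print("offset %d caplen %s len %s %s" % (off, caplen, origlen,
                                                problems or "ok"))
    fixed = strip_sll_padding(sample)
    print("after repair:", [r[3] for r in check_records(fixed)])
```

To run it against a real file, read the file into bytes and pass it to check_records(); only run strip_sll_padding() on a copy, since it rewrites caplen based on the zero-tail assumption above and will leave any record that does not match that pattern (or any non-LINUX_SLL file) untouched.
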
Comment 20 errata-xmlrpc 2022-04-05 17:17:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libpcap bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1201

