(copy of mail sent to tcpdump.gov)

I have just noticed and fixed a rather obscure and exploitable DoS against tcpdump.

If someone spoofs an IP packet with a header length of 0 (ip_hl=0) (or any value bigger than the total ip+(tcp/udp) packet) and the ip_protocol of the packet is set to 4, tcpdump will dump core.

why ? simple.

Let's go in print-ip.c. The header length is calculated this way:

	hlen = ip->ip_hl * 4;

If the packet is spoofed and ip_hl=0 or a very big value, hlen will contain 0. then...

	cp = (const u_char *)ip + hlen;

cp will point to the beginning of the IP packet, not inside, on the data after the header.

If the IP protocol is 4 then we jump to:

	case 4:
		/* DVMRP multicast tunnel (ip-in-ip encapsulation) */
		(...)
		ip_print(cp, len);
		(...)
		break;

As cp=ip, we build a recursive loop to ip_print which will smash the stack in no way.

Here is my patch. (i was not specially inspired for the error message)

Hope you can fix this ASAP.

note: I have built an exploit. AFAIK it only works if the computer running tcpdump is on the same Ethernet segment as the attacker, as most routers will drop an IP packet with an ip_hl lower than 5.

Some people depend on tcpdump feeding an analyzer script to protect their network, that's why I think this DoS should be taken seriously.

--- tcpdump-3.4/print-ip.c	Fri Aug 20 16:00:51 1999
+++ tcpdump-3.4-p1/print-ip.c	Fri Aug 20 16:04:32 1999
@@ -374,6 +374,10 @@
 		(void)printf("truncated-ip %d", length);
 		return;
 	}
+	if (ip->ip_hl < 5) {
+		(void)printf("ip_hl < 5 (%d)", ip->ip_hl);
+		return;
+	}
 	hlen = ip->ip_hl * 4;
 	len = ntohs(ip->ip_len);

regards,
Francois

Francois Baligant                 * EuroNet Internet NV/SA
Network Operation Center          * a subsidiary of France Telecom
Developer                         * Lozenberg 22 - B-1932 Zaventem
tel: +32 2 717 17 17              * francois.net
fax: +32 2 717 17 77
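Review bot: the added `if (ip->ip_hl < 5)` check only covers the lower bound; the report itself says "or any value bigger than the total ip+(tcp/udp) packet", and an ip_hl of up to 15 gives an hlen of 60 that can still run past a short packet, so the hunk should also reject hlen greater than the packet length. Since `len = ntohs(ip->ip_len);` is computed right after the new check, a second test such as `if (hlen > len) { (void)printf("bad-hlen %d", hlen); return; }` placed after that line would close the upper bound, and the same comparison against the captured length (the `length` argument already used in the `truncated-ip` message above) would keep `cp` inside the buffer that was actually captured.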
Patch added in tcpdump-3.4-15.
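To show the failure mode described in the report and the effect of the bounds check, here is an added example (not tcpdump's code): a minimal IPv4 header walker that computes hlen and cp the same way, but refuses ip_hl < 5, refuses a header that runs past the capture, and caps ip-in-ip nesting with a hypothetical MAX_NEST limit. The sample packets are constructed inline, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PROTO_IPIP 4      /* ip-in-ip, the protocol value from the report */
#define MAX_NEST   8      /* hypothetical cap on nested ip-in-ip layers */

struct ip_hdr {           /* fixed 20-byte IPv4 header as laid out on the wire */
    uint8_t  vhl;         /* version (high nibble), ip_hl in 32-bit words (low nibble) */
    uint8_t  tos;
    uint16_t len, id, off;
    uint8_t  ttl, proto;
    uint16_t sum;
    uint32_t src, dst;
};

/* Returns the number of IP layers parsed (>= 1) or a negative code:
 * -1 truncated capture, -2 impossible ip_hl, -3 nesting limit reached. */
int ip_walk(const uint8_t *p, size_t caplen, int depth)
{
    struct ip_hdr ip;
    if (depth >= MAX_NEST) return -3;
    if (caplen < sizeof ip) return -1;
    memcpy(&ip, p, sizeof ip);                 /* copy out: no unaligned access */
    unsigned hlen = (ip.vhl & 0x0f) * 4;       /* same as hlen = ip->ip_hl * 4 */
    if (hlen < 20) return -2;                  /* the patch's ip_hl < 5 check */
    if (hlen > caplen) return -1;              /* header runs past the capture */
    const uint8_t *cp = p + hlen;              /* now strictly past the header */
    if (ip.proto != PROTO_IPIP) return 1;
    /* Recursive ip-in-ip case: without the hlen check above, ip_hl=0 would
     * make cp == p and this call would recurse on the same packet forever. */
    int r = ip_walk(cp, caplen - hlen, depth + 1);
    return r < 0 ? r : r + 1;
}

/* Constructed sample packets (not captured traffic) */
static const uint8_t spoofed[20] = {0x40,0,0,20, 0,0,0,0, 64,PROTO_IPIP,0,0,
                                    10,0,0,1, 10,0,0,2};            /* ip_hl=0, proto 4 */
static const uint8_t nested[40]  = {0x45,0,0,40, 0,0,0,0, 64,PROTO_IPIP,0,0,
                                    10,0,0,1, 10,0,0,2,
                                    0x45,0,0,20, 0,0,0,0, 64,17,0,0,
                                    10,0,0,3, 10,0,0,4};            /* valid ip-in-ip, UDP inside */

int check_spoofed(void)   { return ip_walk(spoofed, sizeof spoofed, 0); }  /* -2 */
int check_nested(void)    { return ip_walk(nested, sizeof nested, 0); }    /* 2 */
int check_truncated(void) { return ip_walk(nested, 30, 0); }               /* -1 */
```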