Bug 4634 - TCPDUMP will dump core if feeded spoofed ip packet proto 4 and hl=0
Summary: TCPDUMP will dump core if feeded spoofed ip packet proto 4 and hl=0
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: tcpdump
Version: 6.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: David Lawrence
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 1999-08-20 20:52 UTC by francois
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 1999-08-20 21:45:05 UTC

Attachments (Terms of Use)

Description francois 1999-08-20 20:52:57 UTC
(copy of mail sent to tcpdump.gov)

        I have just noticed and fixed a rather obscure
        and exploitable DoS against tcpdump.

        If someone spoof an IP packet with an header
        length of 0 (ip_hl=0) (or any value bigger
        than the total ip+(tcp/udp) packet) and
        the ip_protocol of the packet is set to 4,
        tcpdump will dumpcore.

        why ? simple. Let's go in print-ip.c

        the header lenght is calculated this way:

        hlen = ip->ip_hl * 4;

        If the packet is spoofed and ip_hl=0 or very
        big value, hlen will contains 0.


        cp = (const u_char *)ip + hlen;
 cp will points on the beginning of the IP
        packet, not inside on the data after the

        If the IP protocol is 4 then we jump to:

        case 4:
        /* DVMRP multicast tunnel (ip-in-ip encapsulation)
                        ip_print(cp, len);

        As cp=ip, we build a recursive loop to ip_print
        which will smatch the stack in no way.

        Here is my patch. (i was not specialy
        inspired for the error message)

        Hope you can fix this ASAP.

        note: I have build an exploit. AFAIK it only
        works if the computer running tcpdump is the
        same ethernet segment than the attacker as
        most routers will drope an IP packet with a ip_hl
        lower than 5.

        Some people depend on tcpdump feeding an analyzer
        script to protect their network, that's why
     I think this DoS should be taken seriously.

--- tcpdump-3.4/print-ip.c      Fri Aug 20 16:00:51 1999
+++ tcpdump-3.4-p1/print-ip.c   Fri Aug 20 16:04:32 1999
@@ -374,6 +374,10 @@
                (void)printf("truncated-ip %d", length);
+       if (ip->ip_hl < 5) {
+               (void)printf("ip_hl < 5 (%d)", ip->ip_hl);
+               return;
+       }
        hlen = ip->ip_hl * 4;

        len = ntohs(ip->ip_len);


Francois Baligant            * *       EuroNet Internet
Network Operation Center   *     *     a subsidiary of
France Telecom
Developer                 *            Lozenberg 22 - B-1932
                         *             tel: +32 2 717 17 17
francois.net                   fax: +32 2 717 17 77

Comment 1 Jeff Johnson 1999-08-20 21:45:59 UTC
Patch added in tcpdump-3.4-15.

Note You need to log in before you can comment on or make changes to this bug.