Bug 4634 - TCPDUMP will dump core if feeded spoofed ip packet proto 4 and hl=0
Product: Red Hat Linux
Classification: Retired
Component: tcpdump
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: David Lawrence
Keywords: Security
Reported: 1999-08-20 16:52 EDT by francois
Modified: 2008-05-01 11:37 EDT (History)

Doc Type: Bug Fix
Last Closed: 1999-08-20 17:45:05 EDT

Attachments: None
Description francois 1999-08-20 16:52:57 EDT
(copy of mail sent to tcpdump@ee.lbl.gov)

I have just noticed and fixed a rather obscure and exploitable DoS
against tcpdump.

If someone spoofs an IP packet with a header length of 0 (ip_hl=0)
(or any value bigger than the total ip+(tcp/udp) packet) and the
ip_protocol of the packet is set to 4, tcpdump will dump core.

Why? Simple. Let's go into print-ip.c.

The header length is calculated this way:

        hlen = ip->ip_hl * 4;

If the packet is spoofed and ip_hl=0 or a very big value, hlen will
contain 0.

        cp = (const u_char *)ip + hlen;

cp will point at the beginning of the IP packet, not inside it at the
data after the

If the IP protocol is 4 then we jump to:

        case 4:
                /* DVMRP multicast tunnel (ip-in-ip encapsulation) */
                ip_print(cp, len);

As cp=ip, we build a recursive loop to ip_print which will smash the
stack in no time.

Here is my patch. (I was not especially inspired for the error
message.)

Hope you can fix this ASAP.

Note: I have built an exploit. AFAIK it only works if the computer
running tcpdump is on the same Ethernet segment as the attacker, as
most routers will drop an IP packet with an ip_hl lower than 5.

Some people depend on tcpdump feeding an analyzer script to protect
their network; that's why I think this DoS should be taken seriously.

--- tcpdump-3.4/print-ip.c      Fri Aug 20 16:00:51 1999
+++ tcpdump-3.4-p1/print-ip.c   Fri Aug 20 16:04:32 1999
@@ -374,6 +374,10 @@
                (void)printf("truncated-ip %d", length);
+       if (ip->ip_hl < 5) {
+               (void)printf("ip_hl < 5 (%d)", ip->ip_hl);
+               return;
+       }
        hlen = ip->ip_hl * 4;

        len = ntohs(ip->ip_len);


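Review bot: the new guard covers only ip_hl < 5, but the report also describes a header length bigger than the packet, and nothing in this hunk rejects that case: hlen is computed right after the check and `len = ntohs(ip->ip_len);` follows without comparing the two, so an ip_hl of 15 (hlen 60) inside a 40-byte datagram still gets past here and any later `len - hlen` goes negative. Suggest a second guard once len is known, e.g. `if (hlen > len) { (void)printf("bad-hlen %u", hlen); return; }`, and using the same short "bad-hlen" wording for the `< 5` branch in place of the placeholder `ip_hl < 5 (%d)` so both rejections print consistently.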
Francois Baligant
Network Operation Center, Developer
EuroNet Internet, a subsidiary of France Telecom
Lozenberg 22 - B-1932
tel: +32 2 717 17 17
fax: +32 2 717 17 77
francois@be.euro.net
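The dispatch the report walks through, as an added C example that is neither tcpdump's source nor part of the bug report: a minimal stand-in for the print-ip.c logic that computes hlen, jumps to cp = ip + hlen and recurses into itself for protocol 4, with the reporter's ip_hl < 5 guard plus the two further checks a reviewer would want. Since ip_hl is a 4-bit field, hlen can only be 0..60, so "bigger than the packet" means hlen > ip_len; the example rejects that too, and bounds the ip-in-ip nesting depth so no crafted chain of tunnel headers can exhaust the stack. The result codes, IP_MAX_NEST, the clamp-to-captured-bytes policy and the packets built by make_ip() are assumptions for the demo; the packets are constructed, not captured.

```c
/* Added example, not tcpdump's code: a model of the print-ip.c dispatch in the
 * report with the header-length checks a hardened ip_print needs.  Result codes,
 * IP_MAX_NEST and the packets built below are assumptions for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ip_result {
    IP_OK = 0,       /* header sane, payload handed to the next printer */
    IP_TRUNCATED,    /* fewer than 20 bytes available */
    IP_BAD_HL,       /* ip_hl < 5: the report's crash case */
    IP_HL_PAST_END,  /* ip_hl*4 runs past ip_len */
    IP_TOO_DEEP      /* ip-in-ip nested deeper than IP_MAX_NEST */
};
#define IP_MIN_HDR  20
#define IP_MAX_NEST 8    /* assumed bound; tcpdump 3.4 has none */
static int last_depth;   /* headers walked by the most recent demo */

/* Walks one IPv4 header at ip (length bytes available) and follows protocol 4
 * (ip-in-ip) the way print-ip.c does, but only after validating ip_hl. */
static enum ip_result ip_print_checked(const uint8_t *ip, size_t length, int *depth)
{
    if (length < IP_MIN_HDR)
        return IP_TRUNCATED;
    unsigned ip_hl = ip[0] & 0x0f;                  /* 4-bit field: 0..15 */
    size_t   hlen  = ip_hl * 4;                     /* the report's hlen */
    size_t   len   = ((size_t)ip[2] << 8) | ip[3];  /* ntohs(ip->ip_len) */
    /* The report's patch: with ip_hl == 0, cp = ip + hlen == ip, and
     * ip_print() would call itself on the same bytes until the stack is gone. */
    if (ip_hl < 5)
        return IP_BAD_HL;
    /* The "bigger than the packet" case: hlen can reach 60, so it may exceed
     * ip_len, and len -= hlen below would wrap. */
    if (len > length)
        len = length;            /* clamp to captured bytes (assumed policy) */
    if (hlen > len)
        return IP_HL_PAST_END;
    /* Real ip-in-ip is finite (20 bytes per layer); bound it anyway. */
    if (++*depth > IP_MAX_NEST)
        return IP_TOO_DEEP;
    len -= hlen;
    if (ip[9] == 4)              /* DVMRP / ip-in-ip: the recursive call */
        return ip_print_checked(ip + hlen, len, depth);
    return IP_OK;                /* tcp/udp/icmp printers would go here */
}

/* Constructs an IPv4 header (hl in words, total length, protocol) into buf. */
static size_t make_ip(uint8_t *buf, size_t cap, unsigned hl, unsigned total, unsigned proto)
{
    if (total < IP_MIN_HDR || total > cap)
        return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | (hl & 0x0f));        /* version 4 | ip_hl */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)(total & 0xff);
    buf[8] = 64;                                    /* ttl */
    buf[9] = (uint8_t)proto;
    return total;
}

static enum ip_result run(const uint8_t *pkt, size_t n)
{
    last_depth = 0;
    return ip_print_checked(pkt, n, &last_depth);
}

/* The report's packet: ip_hl = 0, protocol 4, 40 bytes. */
static enum ip_result demo_spoofed_hl0(void)
{
    uint8_t pkt[64];
    return run(pkt, make_ip(pkt, sizeof pkt, 0, 40, 4));
}
/* A legitimate tunnel: outer hl=5 proto=4 around inner hl=5 proto=17 (UDP). */
static enum ip_result demo_ipip(void)
{
    uint8_t pkt[64];
    size_t n = make_ip(pkt, sizeof pkt, 5, 48, 4);
    make_ip(pkt + 20, sizeof pkt - 20, 5, 28, 17);
    return run(pkt, n);
}
/* hl = 15 (a 60-byte header) claimed inside a 40-byte packet. */
static enum ip_result demo_hl_past_end(void)
{
    uint8_t pkt[64];
    return run(pkt, make_ip(pkt, sizeof pkt, 15, 40, 4));
}
/* Nine nested 20-byte proto-4 headers: finite, but deeper than IP_MAX_NEST. */
static enum ip_result demo_deep_nesting(void)
{
    uint8_t pkt[256];
    for (unsigned i = 0; i < 9; i++)
        make_ip(pkt + 20 * i, sizeof pkt - 20 * i, 5, 180 - 20 * i, 4);
    return run(pkt, 180);
}

int main(void)
{
    printf("hl=0 proto=4: %d\n", demo_spoofed_hl0());
    printf("ip-in-ip: %d", demo_ipip());
    printf(" (depth %d)\n", last_depth);
    printf("hl=15 len=40: %d, 9 nested: %d\n", demo_hl_past_end(), demo_deep_nesting());
    return 0;
}
```

The first demo is the reporter's packet and is refused before any pointer is derived from hlen; the second shows that a genuine ip-in-ip datagram still walks two headers; the third is the overlong-header case the patch leaves open; the fourth only matters once the other checks hold, since with ip_hl forced to at least 5 each tunnel layer costs 20 bytes and the recursion is finite, but a fixed bound is cheap insurance for a packet printer that runs on attacker-chosen input.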
Comment 1 Jeff Johnson 1999-08-20 17:45:59 EDT
Patch added in tcpdump-3.4-15.
