Created attachment 341421 [details] Proposed patch Description of problem: tcpdump segfaults when passed an invalid interface number as a regular user Version-Release number of selected component (if applicable): tcpdump-3.9.4-14 How reproducible: 100% reproducible Steps to Reproduce: As a normal (ie non root) user, run tcpdump -i <n> whene <n> is greater than the number of available interfaces on the system. Actual results: tcpdump segfaults Expected results: tcpdump: Invalid adapter index Additional info: The problem comes from this portion of code in tcpdump.c: if ((devnum = atoi(optarg)) != 0) { if (devnum < 0) error("Invalid adapter index"); if (pcap_findalldevs(&devpointer, ebuf) < 0) error("%s", ebuf); else { for (i = 0; i < devnum-1; i++){ devpointer = devpointer->next; if (devpointer == NULL) error("Invalid adapter index"); } } device = devpointer->name; break; } There are two problems here: 1) In the loop. the test for devpointer being null is performed after dereferencing it one line above so that if the value of devnum passed is greater than the actual number of interfaces, it'll crash 2) after the loop, there is no test for devpointer being null, so that if devnum is "1", the program does not enter the loop and devpointer is never checked. Proposed patch attached. The bug seems to be present upstream too (in git).
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-1605.html