Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 55145

Summary: tcpdump segfaults when displaying NFS traffic.
Product: [Retired] Red Hat Linux Reporter: David Woodhouse <dwmw2>
Component: tcpdumpAssignee: Harald Hoyer <harald>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: high    
Version: 7.2Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2002-01-17 15:39:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
strace
none
ethereal capture
none
output of tcpdump when it died none

Description David Woodhouse 2001-10-26 10:34:07 UTC 
Description of Problem:
tcpdump reliably segfaults when displaying NFS traffic. 

Version-Release number of selected component (if applicable):
tcpdump-3.6.2-9

How Reproducible:
100%

Steps to Reproduce:
1. Run tcpdump
2. Cause lots of NFS traffic.
3. Watch tcpdump segfault when trying to display it.
4. Craft exploit.

I'll attach three files. A strace of a segfaulting tcpdump run, the output
from that run, and a packet trace from ethereal at the same time on the
same interface.
Comment 1 David Woodhouse 2001-10-26 10:35:21 UTC 
Created attachment 35182 [details]
strace
Comment 2 David Woodhouse 2001-10-26 10:39:34 UTC 
Created attachment 35183 [details]
ethereal capture
Comment 3 David Woodhouse 2001-10-26 10:43:04 UTC 
Created attachment 35184 [details]
output of tcpdump when it died
Comment 4 David Woodhouse 2001-10-26 10:48:05 UTC 
Have confirmed that 'tcpdump -r tcpdump-death-ethereal-capture' also dies, and I
can actually get a core dump that way.

(gdb) bt
#0  0x08062340 in strcpy ()
#1  0x080912a9 in _IO_stdin_used () at eval.c:41
#2  0x08054cd6 in strcpy ()
#3  0x08054ed2 in strcpy ()
#4  0x08052734 in strcpy ()
#5  0x080501fd in strcpy ()
#6  0x08050013 in strcpy ()
#7  0x0807ffad in error () at eval.c:41
#8  0x08077676 in error () at eval.c:41
#9  0x0804aad9 in strcpy ()
#10 0x4011e627 in __libc_start_main (main=0x804a210 <strcpy+552>, argc=3, 
    ubp_av=0xbffff814, init=0x8049940 <_init>, fini=0x80838e0 <_fini>, 
    rtld_fini=0x4000dcd4 <_dl_fini>, stack_end=0xbffff80c)
    at ../sysdeps/generic/libc-start.c:129
Comment 5 Harald Hoyer 2001-10-26 10:53:22 UTC 
thx for the extensive investigation :)
Comment 6 Harald Hoyer 2002-01-17 15:31:14 UTC 
can you please retry with 3.6.2-10?
Comment 7 David Woodhouse 2002-01-17 15:39:43 UTC 
tcpdump-3.6.2-10.7x still segfaults on i386. Does it not do the same for you
when you do 'tcpdump -r tcpdump-death-ethereal-capture' with the file above?
Comment 8 Harald Hoyer 2002-01-23 11:44:05 UTC 
fixed in 3.6.2-12
Comment 9 Mark J. Cox 2002-10-04 07:22:07 UTC 
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2002-094.html