Bug 55145 - tcpdump segfaults when displaying NFS traffic.
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: tcpdump
Version: 7.2
Hardware: i386
OS: Linux
Assignee: Harald Hoyer
Keywords: Security
Reported: 2001-10-26 10:34 UTC by David Woodhouse
Modified: 2008-05-01 15:38 UTC (History)
Doc Type: Bug Fix
Last Closed: 2002-01-17 15:39:48 UTC

Attachments
strace (28.64 KB, text/plain), 2001-10-26 10:35 UTC, David Woodhouse
ethereal capture (7.20 KB, application/octet-stream), 2001-10-26 10:39 UTC, David Woodhouse
output of tcpdump when it died (107.17 KB, text/plain), 2001-10-26 10:43 UTC, David Woodhouse

External Trackers
Red Hat Product Errata RHSA-2002:094 (priority: normal, status: SHIPPED_LIVE): Updated tcpdump packages fix buffer overflow; last updated 2002-05-17 04:00:00 UTC

Description David Woodhouse 2001-10-26 10:34:07 UTC
Description of Problem:
tcpdump reliably segfaults when displaying NFS traffic.

Version-Release number of selected component (if applicable):

How Reproducible:

Steps to Reproduce:
1. Run tcpdump
2. Cause lots of NFS traffic.
3. Watch tcpdump segfault when trying to display it.
4. Craft exploit.

I'll attach three files. A strace of a segfaulting tcpdump run, the output
from that run, and a packet trace from ethereal at the same time on the
same interface.

Comment 1 David Woodhouse 2001-10-26 10:35:21 UTC
Created attachment 35182

Comment 2 David Woodhouse 2001-10-26 10:39:34 UTC
Created attachment 35183
ethereal capture

Comment 3 David Woodhouse 2001-10-26 10:43:04 UTC
Created attachment 35184
output of tcpdump when it died

Comment 4 David Woodhouse 2001-10-26 10:48:05 UTC
Have confirmed that 'tcpdump -r tcpdump-death-ethereal-capture' also dies, and I
can actually get a core dump that way.

(gdb) bt
#0  0x08062340 in strcpy ()
#1  0x080912a9 in _IO_stdin_used () at eval.c:41
#2  0x08054cd6 in strcpy ()
#3  0x08054ed2 in strcpy ()
#4  0x08052734 in strcpy ()
#5  0x080501fd in strcpy ()
#6  0x08050013 in strcpy ()
#7  0x0807ffad in error () at eval.c:41
#8  0x08077676 in error () at eval.c:41
#9  0x0804aad9 in strcpy ()
#10 0x4011e627 in __libc_start_main (main=0x804a210 <strcpy+552>, argc=3, 
    ubp_av=0xbffff814, init=0x8049940 <_init>, fini=0x80838e0 <_fini>, 
    rtld_fini=0x4000dcd4 <_dl_fini>, stack_end=0xbffff80c)
    at ../sysdeps/generic/libc-start.c:129

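The backtrace above bottoms out in strcpy, and the errata linked at the top describes the fix as a buffer-overflow repair; this report does not show the defective code itself. As an added example (not tcpdump's printer code, and not the actual defect), this is the defensive shape a packet printer needs when it copies a length-prefixed XDR string such as an NFS file name out of a capture: the attacker-controlled length word is checked against both the bytes actually captured and the destination buffer before anything is copied. NAME_BUF, decode_xdr_string and the two sample packets are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed destination size for this example. The wire length field comes
 * from the packet, so it must be checked against both the captured bytes
 * and the destination before any copy happens. */
#define NAME_BUF 64

/* Decode one XDR string (4-byte big-endian length, bytes, pad to 4) from pkt.
 * Returns the packet bytes consumed, or -1 when the field is truncated or
 * would not fit in dst. Constructed for this page; not tcpdump's code. */
long decode_xdr_string(const uint8_t *pkt, size_t pktlen, char *dst, size_t dstlen)
{
    if (pktlen < 4 || dstlen == 0)
        return -1;
    uint32_t len = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
                   ((uint32_t)pkt[2] << 8)  |  (uint32_t)pkt[3];
    /* Pad to a 4-byte boundary in 64 bits so a huge len cannot wrap. */
    uint64_t padded = ((uint64_t)len + 3) & ~(uint64_t)3;
    if (padded > (uint64_t)(pktlen - 4))
        return -1;                      /* wire claims more than was captured */
    if ((uint64_t)len >= dstlen)
        return -1;                      /* would not fit with its NUL terminator */
    memcpy(dst, pkt + 4, len);
    dst[len] = '\0';
    return (long)(4 + padded);
}

/* Constructed samples: a well-formed name "etc", and a field whose length
 * word (0x00010000) far exceeds the 8 bytes that actually follow it. */
static const uint8_t good_pkt[] = { 0, 0, 0, 3, 'e', 't', 'c', 0 };
static const uint8_t bad_pkt[]  = { 0, 1, 0, 0, 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H' };

int main(void)
{
    char name[NAME_BUF];
    long n = decode_xdr_string(good_pkt, sizeof good_pkt, name, sizeof name);
    printf("good: consumed %ld, name=\"%s\"\n", n, name);
    n = decode_xdr_string(bad_pkt, sizeof bad_pkt, name, sizeof name);
    printf("bad: %s\n", n < 0 ? "rejected (truncated field)" : "accepted?!");
    return 0;
}
```
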
Comment 5 Harald Hoyer 2001-10-26 10:53:22 UTC
thx for the extensive investigation :)

Comment 6 Harald Hoyer 2002-01-17 15:31:14 UTC
can you please retry with 3.6.2-10?

Comment 7 David Woodhouse 2002-01-17 15:39:43 UTC
tcpdump-3.6.2-10.7x still segfaults on i386. Does it not do the same for you
when you do 'tcpdump -r tcpdump-death-ethereal-capture' with the file above?

Comment 8 Harald Hoyer 2002-01-23 11:44:05 UTC
fixed in 3.6.2-12

Comment 9 Mark J. Cox 2002-10-04 07:22:07 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.
