Bug 55145 - tcpdump segfaults when displaying NFS traffic.
Product: Red Hat Linux
Classification: Retired
Component: tcpdump
Hardware/OS: i386 Linux
Priority: high
Severity: medium
Assigned To: Harald Hoyer
Keywords: Security
Reported: 2001-10-26 06:34 EDT by David Woodhouse
Modified: 2008-05-01 11:38 EDT
Last Closed: 2002-01-17 10:39:48 EST
Doc Type: Bug Fix

Attachments:
- strace (28.64 KB, text/plain), 2001-10-26 06:35 EDT, David Woodhouse
- ethereal capture (7.20 KB, application/octet-stream), 2001-10-26 06:39 EDT, David Woodhouse
- output of tcpdump when it died (107.17 KB, text/plain), 2001-10-26 06:43 EDT, David Woodhouse

Description David Woodhouse 2001-10-26 06:34:07 EDT
Description of Problem:
tcpdump reliably segfaults when displaying NFS traffic. 

Version-Release number of selected component (if applicable):

How Reproducible:

Steps to Reproduce:
1. Run tcpdump
2. Cause lots of NFS traffic.
3. Watch tcpdump segfault when trying to display it.
4. Craft exploit.

I'll attach three files: a strace of a segfaulting tcpdump run, the output
from that run, and a packet trace taken with ethereal at the same time on the
same interface.
Comment 1 David Woodhouse 2001-10-26 06:35:21 EDT
Created attachment 35182
strace
Comment 2 David Woodhouse 2001-10-26 06:39:34 EDT
Created attachment 35183
ethereal capture
Comment 3 David Woodhouse 2001-10-26 06:43:04 EDT
Created attachment 35184
output of tcpdump when it died
Comment 4 David Woodhouse 2001-10-26 06:48:05 EDT
Have confirmed that 'tcpdump -r tcpdump-death-ethereal-capture' also dies, and I
can actually get a core dump that way.

(gdb) bt
#0  0x08062340 in strcpy ()
#1  0x080912a9 in _IO_stdin_used () at eval.c:41
#2  0x08054cd6 in strcpy ()
#3  0x08054ed2 in strcpy ()
#4  0x08052734 in strcpy ()
#5  0x080501fd in strcpy ()
#6  0x08050013 in strcpy ()
#7  0x0807ffad in error () at eval.c:41
#8  0x08077676 in error () at eval.c:41
#9  0x0804aad9 in strcpy ()
#10 0x4011e627 in __libc_start_main (main=0x804a210 <strcpy+552>, argc=3, 
    ubp_av=0xbffff814, init=0x8049940 <_init>, fini=0x80838e0 <_fini>, 
    rtld_fini=0x4000dcd4 <_dl_fini>, stack_end=0xbffff80c)
    at ../sysdeps/generic/libc-start.c:129
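Comment 4 establishes the file-based reproduction ('tcpdump -r capture'), which is also how a defender regression-tests a dissector against a capture known to crash it. The shell harness below is an added example, not part of this bug report or of tcpdump: it replays a capture through a dissector command (by default 'tcpdump -n -r FILE', assuming tcpdump is installed; any other reader can be passed instead) with the packet output discarded, and classifies the exit status so a death by signal such as SIGSEGV (status 128 + 11 = 139) is reported explicitly instead of being lost in the dump output. The file name in the usage comment is the one from comment 4.

```shell
#!/bin/sh
# Added example (not from the bug report or from tcpdump): replay a capture
# file through a packet dissector and report how the process ended.
# Replaying with "tcpdump -r FILE" is the reproduction method from comment 4.

# classify_exit STATUS: map a shell exit status to ok / error:N / signal:N.
# A child killed by a signal yields 128 + signal number, so a segfault
# (SIGSEGV = 11) arrives as status 139 and is printed as "signal:11".
classify_exit() {
    status="$1"
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -gt 128 ]; then
        echo "signal:$((status - 128))"
    else
        echo "error:$status"
    fi
}

# replay_capture FILE [DISSECTOR ARGS...]: run the dissector on FILE with its
# stdout and stderr discarded, then print the classification. With no
# dissector given it assumes tcpdump is installed and runs "tcpdump -n -r FILE".
replay_capture() {
    file="$1"
    shift
    if [ "$#" -eq 0 ]; then
        set -- tcpdump -n -r
    fi
    rc=0
    # "|| rc=$?" keeps a crash from aborting the harness under "set -e".
    "$@" "$file" >/dev/null 2>&1 || rc=$?
    classify_exit "$rc"
}

# Usage: sh replay_check.sh CAPTURE [DISSECTOR ARGS...]
# e.g.   sh replay_check.sh tcpdump-death-ethereal-capture
if [ "$#" -gt 0 ]; then
    replay_capture "$@"
fi
```

Run with only the capture file to use tcpdump; pass an explicit dissector command (for example another pcap reader) as the remaining arguments to check that tool instead. A result of 'signal:11' on a given capture is the condition this bug describes, and the same invocation serves as a regression check after upgrading the package.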
Comment 5 Harald Hoyer 2001-10-26 06:53:22 EDT
thx for the extensive investigation :)
Comment 6 Harald Hoyer 2002-01-17 10:31:14 EST
Can you please retry with 3.6.2-10?
Comment 7 David Woodhouse 2002-01-17 10:39:43 EST
tcpdump-3.6.2-10.7x still segfaults on i386. Does it not do the same for you
when you do 'tcpdump -r tcpdump-death-ethereal-capture' with the file above?
Comment 8 Harald Hoyer 2002-01-23 06:44:05 EST
Fixed in 3.6.2-12.
Comment 9 Mark J. Cox (Product Security) 2002-10-04 03:22:07 EDT
An errata has been issued which should help the problem described in this bug report.
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen
this bug report if the solution does not work for you.