Bug 55145 - tcpdump segfaults when displaying NFS traffic.
tcpdump segfaults when displaying NFS traffic.
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: tcpdump (Show other bugs)
7.2
i386 Linux
high Severity medium
: ---
: ---
Assigned To: Harald Hoyer
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-10-26 06:34 EDT by David Woodhouse
Modified: 2008-05-01 11:38 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2002-01-17 10:39:48 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
strace (28.64 KB, text/plain)
2001-10-26 06:35 EDT, David Woodhouse
no flags Details
ethereal capture (7.20 KB, application/octet-stream)
2001-10-26 06:39 EDT, David Woodhouse
no flags Details
output of tcpdump when it died (107.17 KB, text/plain)
2001-10-26 06:43 EDT, David Woodhouse
no flags Details

  None (edit)
Description David Woodhouse 2001-10-26 06:34:07 EDT
Description of Problem:
tcpdump reliably segfaults when displaying NFS traffic. 

Version-Release number of selected component (if applicable):
tcpdump-3.6.2-9

How Reproducible:
100%

Steps to Reproduce:
1. Run tcpdump
2. Cause lots of NFS traffic.
3. Watch tcpdump segfault when trying to display it.
4. Craft exploit.

I'll attach three files. A strace of a segfaulting tcpdump run, the output
from that run, and a packet trace from ethereal at the same time on the
same interface.
Comment 1 David Woodhouse 2001-10-26 06:35:21 EDT
Created attachment 35182 [details]
strace
Comment 2 David Woodhouse 2001-10-26 06:39:34 EDT
Created attachment 35183 [details]
ethereal capture
Comment 3 David Woodhouse 2001-10-26 06:43:04 EDT
Created attachment 35184 [details]
output of tcpdump when it died
Comment 4 David Woodhouse 2001-10-26 06:48:05 EDT
Have confirmed that 'tcpdump -r tcpdump-death-ethereal-capture' also dies, and I
can actually get a core dump that way.

(gdb) bt
#0  0x08062340 in strcpy ()
#1  0x080912a9 in _IO_stdin_used () at eval.c:41
#2  0x08054cd6 in strcpy ()
#3  0x08054ed2 in strcpy ()
#4  0x08052734 in strcpy ()
#5  0x080501fd in strcpy ()
#6  0x08050013 in strcpy ()
#7  0x0807ffad in error () at eval.c:41
#8  0x08077676 in error () at eval.c:41
#9  0x0804aad9 in strcpy ()
#10 0x4011e627 in __libc_start_main (main=0x804a210 <strcpy+552>, argc=3, 
    ubp_av=0xbffff814, init=0x8049940 <_init>, fini=0x80838e0 <_fini>, 
    rtld_fini=0x4000dcd4 <_dl_fini>, stack_end=0xbffff80c)
    at ../sysdeps/generic/libc-start.c:129
Comment 5 Harald Hoyer 2001-10-26 06:53:22 EDT
thx for the extensive investigation :)
Comment 6 Harald Hoyer 2002-01-17 10:31:14 EST
can you please retry with 3.6.2-10?
Comment 7 David Woodhouse 2002-01-17 10:39:43 EST
tcpdump-3.6.2-10.7x still segfaults on i386. Does it not do the same for you
when you do 'tcpdump -r tcpdump-death-ethereal-capture' with the file above?
Comment 8 Harald Hoyer 2002-01-23 06:44:05 EST
fixed in 3.6.2-12
Comment 9 Mark J. Cox (Product Security) 2002-10-04 03:22:07 EDT
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2002-094.html

Note You need to log in before you can comment on or make changes to this bug.