Bug 55145 - tcpdump segfaults when displaying NFS traffic.
Summary: tcpdump segfaults when displaying NFS traffic.
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: tcpdump   
(Show other bugs)
Version: 7.2
Hardware: i386
OS: Linux
high
medium
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact:
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2001-10-26 10:34 UTC by David Woodhouse
Modified: 2008-05-01 15:38 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2002-01-17 15:39:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
strace (28.64 KB, text/plain)
2001-10-26 10:35 UTC, David Woodhouse
no flags Details
ethereal capture (7.20 KB, application/octet-stream)
2001-10-26 10:39 UTC, David Woodhouse
no flags Details
output of tcpdump when it died (107.17 KB, text/plain)
2001-10-26 10:43 UTC, David Woodhouse
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2002:094 normal SHIPPED_LIVE : Updated tcpdump packages fix buffer overflow 2002-05-17 04:00:00 UTC

Description David Woodhouse 2001-10-26 10:34:07 UTC
Description of Problem:
tcpdump reliably segfaults when displaying NFS traffic. 

Version-Release number of selected component (if applicable):
tcpdump-3.6.2-9

How Reproducible:
100%

Steps to Reproduce:
1. Run tcpdump
2. Cause lots of NFS traffic.
3. Watch tcpdump segfault when trying to display it.
4. Craft exploit.

I'll attach three files. A strace of a segfaulting tcpdump run, the output
from that run, and a packet trace from ethereal at the same time on the
same interface.

Comment 1 David Woodhouse 2001-10-26 10:35:21 UTC
Created attachment 35182 [details]
strace

Comment 2 David Woodhouse 2001-10-26 10:39:34 UTC
Created attachment 35183 [details]
ethereal capture

Comment 3 David Woodhouse 2001-10-26 10:43:04 UTC
Created attachment 35184 [details]
output of tcpdump when it died

Comment 4 David Woodhouse 2001-10-26 10:48:05 UTC
Have confirmed that 'tcpdump -r tcpdump-death-ethereal-capture' also dies, and I
can actually get a core dump that way.

(gdb) bt
#0  0x08062340 in strcpy ()
#1  0x080912a9 in _IO_stdin_used () at eval.c:41
#2  0x08054cd6 in strcpy ()
#3  0x08054ed2 in strcpy ()
#4  0x08052734 in strcpy ()
#5  0x080501fd in strcpy ()
#6  0x08050013 in strcpy ()
#7  0x0807ffad in error () at eval.c:41
#8  0x08077676 in error () at eval.c:41
#9  0x0804aad9 in strcpy ()
#10 0x4011e627 in __libc_start_main (main=0x804a210 <strcpy+552>, argc=3, 
    ubp_av=0xbffff814, init=0x8049940 <_init>, fini=0x80838e0 <_fini>, 
    rtld_fini=0x4000dcd4 <_dl_fini>, stack_end=0xbffff80c)
    at ../sysdeps/generic/libc-start.c:129


Comment 5 Harald Hoyer 2001-10-26 10:53:22 UTC
thx for the extensive investigation :)


Comment 6 Harald Hoyer 2002-01-17 15:31:14 UTC
can you please retry with 3.6.2-10?


Comment 7 David Woodhouse 2002-01-17 15:39:43 UTC
tcpdump-3.6.2-10.7x still segfaults on i386. Does it not do the same for you
when you do 'tcpdump -r tcpdump-death-ethereal-capture' with the file above?

Comment 8 Harald Hoyer 2002-01-23 11:44:05 UTC
fixed in 3.6.2-12


Comment 9 Mark J. Cox 2002-10-04 07:22:07 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2002-094.html



Note You need to log in before you can comment on or make changes to this bug.