Integer Overflow in tcpdump
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tcpdump | Fix Released | Unknown | | |
| tcpdump (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Hello,
During some fuzzing tests, I discovered an integer overflow that causes a Segmentation fault in tcpdump when reading a malicious pcap file. The issue arises when relts_print(
user@lab:~$ lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04
user@lab:~$ apt-cache policy tcpdump
tcpdump:
Installed: 4.7.4-1ubuntu1
Candidate: 4.7.4-1ubuntu1
Version table:
*** 4.7.4-1ubuntu1 500
500 http://
100 /var/lib/
Here is an example output:
user@lab:~$ tcpdump -rv segfault.pcap
reading from file segfault.pcap, link-type EN10MB (Ethernet)
05:27:12.808464432 IP (tos 0x30, ttl 48, id 12336, offset 0, flags [DF], proto IGMP (2), length 12336, bad cksum 3030 (->29ac)!)
Segmentation fault (core dumped)
gdb output:
Program received signal SIGSEGV, Segmentation fault.
0x000000000063935c in relts_print (ndo=0x7fffffff
362 if (secs >= *s) {
(gdb) bt
#0 0x000000000063935c in relts_print (ndo=0x7fffffff
#1 0x00000000004cd7a3 in igmp_print (ndo=ndo@
#2 0x00000000004d360f in ip_print_demux (ndo=0x7fffffff
#3 0x00000000004d0809 in ip_print (ndo=0x7fffffff
#4 0x000000000049b7d6 in ethertype_print (ndo=ndo@
caplen=
#5 0x000000000049c541 in ether_print (ndo=0x7fffffff
at ./print-ether.c:227
#6 0x0000000000428a97 in pretty_print_packet (ndo=0x7fffffff
at ./print.c:339
#7 0x0000000000410b99 in print_packet (user=<optimised out>, h=<optimised out>, sp=<optimised out>) at ./tcpdump.c:2262
#8 0x00000000006bffe6 in pcap_offline_read (p=p@entry=
at ./savefile.c:527
#9 0x0000000000653bd4 in pcap_loop (p=0xadd2e0, cnt=cnt@entry=-1, callback=
#10 0x000000000040c352 in main (argc=<optimised out>, argv=<optimised out>) at ./tcpdump.c:1766
I have also attached a PoC to help replicate the issue.
I look forward to any updates,
Alexis Vanden Eijnde
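An added C example, not code from the report or from tcpdump itself, modelling the pattern behind this crash and a hardened form: a signed seconds value is never negated in signed arithmetic, and the walk over the units table is bounded by the table size. The table contents and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Units for relative-time output ("1w2d3h"), largest first. Assumed layout,
 * not tcpdump's exact table. */
static const char *const lengths[] = {"y", "w", "d", "h", "m", "s"};
static const uint32_t seconds[] = {31536000u, 604800u, 86400u, 3600u, 60u, 1u};
#define NUNITS (sizeof(seconds) / sizeof(seconds[0]))

/* The fragile pattern this models: a signed int read from the packet is
 * negated to print a '-' prefix, then a loop subtracts whole units while
 * advancing a table pointer until the value reaches zero. Negating
 * INT32_MIN is undefined; the value stays negative, no unit ever matches,
 * and the pointer walks off the six-entry table until "if (secs >= *s)"
 * touches unmapped memory, which is the SIGSEGV in the backtrace. */

/* Format an unsigned count. The index is bounded by NUNITS, so no input
 * can step outside the table. Returns the number of bytes written. */
int unsigned_relts_format(uint32_t secs, char *out, size_t outsz)
{
    if (secs == 0)
        return snprintf(out, outsz, "0s");
    int n = 0;
    for (size_t i = 0; i < NUNITS && secs > 0 && (size_t)n < outsz; i++) {
        if (secs >= seconds[i]) {
            n += snprintf(out + n, outsz - (size_t)n, "%u%s",
                          (unsigned)(secs / seconds[i]), lengths[i]);
            secs %= seconds[i];
        }
    }
    return n;
}

/* Signed wrapper: the magnitude of any negative int32_t fits in uint32_t,
 * so compute it with unsigned wraparound (0u - x) instead of negating the
 * signed value. INT32_MIN then formats correctly instead of crashing. */
int signed_relts_format(int32_t secs, char *out, size_t outsz)
{
    if (secs >= 0)
        return unsigned_relts_format((uint32_t)secs, out, outsz);
    int n = snprintf(out, outsz, "-");
    if ((size_t)n >= outsz)
        return n;
    return n + unsigned_relts_format(0u - (uint32_t)secs, out + n,
                                     outsz - (size_t)n);
}
```

Calling `signed_relts_format(INT32_MIN, buf, sizeof buf)` yields "-68y5w3h14m8s" rather than a crash, which is the case the crafted capture exercises.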
Changed in tcpdump: status: Unknown → Fix Released
Hi! Thanks for reporting this issue.
Please report this issue to the tcpdump authors here:
http://www.tcpdump.org/
Once they've provided a fix, we will backport it to tcpdump in Ubuntu.
Thanks!