Package: libpcap0.8
Version: 1.1.1-5
Severity: important

It's possible to crash libpcap in the bpf interpreter with an "ip6 protochain" filter. A test packet is attached; it is an ICMPv6 message with an IPv6 hop-by-hop extension header. I was not able to reproduce this with the latest version of libpcap from upstream git.
edmonds@chase{0}:~/packets$ tcpdump -nr ip6-hopbyhop-icmp.pcap
reading from file ip6-hopbyhop-icmp.pcap, link-type EN10MB (Ethernet)
18:43:07.098489 IP6 fe80::208:7dff:feb7:2cca > ff02::1: HBH ICMP6, multicast listener queryv2 [gaddr ::], length 28
edmonds@chase{0}:~/packets$ tcpdump -nr ip6-hopbyhop-icmp.pcap 'ip6 protochain 1'
reading from file ip6-hopbyhop-icmp.pcap, link-type EN10MB (Ethernet)
zsh: segmentation fault  tcpdump -nr ip6-hopbyhop-icmp.pcap 'ip6 protochain 1'
edmonds@chase{139}:~/packets$ valgrind tcpdump -nr ip6-hopbyhop-icmp.pcap 'ip6 protochain 1'
==24937== Memcheck, a memory error detector
==24937== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==24937== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
==24937== Command: tcpdump -nr ip6-hopbyhop-icmp.pcap ip6\ protochain\ 1
==24937==
reading from file ip6-hopbyhop-icmp.pcap, link-type EN10MB (Ethernet)
==24937== Invalid read of size 2
==24937==    at 0x5212EB8: bpf_filter (bpf_filter.c:242)
==24937==    by 0x520D268: pcap_offline_read (savefile.c:379)
==24937==    by 0x51FF60E: pcap_loop (pcap.c:423)
==24937==    by 0x187644: main (in /usr/sbin/tcpdump)
==24937==  Address 0x805bcc7d0 is not stack'd, malloc'd or (recently) free'd
==24937==
==24937==
==24937== Process terminating with default action of signal 11 (SIGSEGV)
==24937==  Access not within mapped region at address 0x805BCC7D0
==24937==    at 0x5212EB8: bpf_filter (bpf_filter.c:242)
==24937==    by 0x520D268: pcap_offline_read (savefile.c:379)
==24937==    by 0x51FF60E: pcap_loop (pcap.c:423)
==24937==    by 0x187644: main (in /usr/sbin/tcpdump)
==24937==  If you believe this happened as a result of a stack
==24937==  overflow in your program's main thread (unlikely but
==24937==  possible), you can try to increase the size of the
==24937==  main thread stack using the --main-stacksize= flag.
==24937==  The main thread stack size used in this run was 8388608.
==24937==
==24937== HEAP SUMMARY:
==24937==     in use at exit: 3,473 bytes in 7 blocks
==24937==   total heap usage: 23 allocs, 16 frees, 12,949 bytes allocated
==24937==
==24937== LEAK SUMMARY:
==24937==    definitely lost: 0 bytes in 0 blocks
==24937==    indirectly lost: 0 bytes in 0 blocks
==24937==      possibly lost: 0 bytes in 0 blocks
==24937==    still reachable: 3,473 bytes in 7 blocks
==24937==         suppressed: 0 bytes in 0 blocks
==24937== Rerun with --leak-check=full to see details of leaked memory
==24937==
==24937== For counts of detected and suppressed errors, rerun with: -v
==24937== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 6 from 6)
zsh: segmentation fault  valgrind tcpdump -nr ip6-hopbyhop-icmp.pcap 'ip6 protochain 1'
edmonds@chase{139}:~/packets$

--
Robert Edmonds
edmo...@debian.org
Attachment: ip6-hopbyhop-icmp.pcap (application/cap)
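An added example, not code from this report or from libpcap: a bounds-checked walk of the IPv6 extension-header chain, which is the work an "ip6 protochain" evaluation has to do, returning -1 instead of reading past the buffer when a packet is truncated mid-chain. The sample packet is constructed here (not the attached capture) and the header constants and function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>

#define IPV6_HDRLEN   40
#define IPV6_HOPOPTS  0
#define IPV6_ROUTING  43
#define IPV6_FRAGMENT 44
#define IPV6_DSTOPTS  60

/* Walk the extension-header chain of the IPv6 packet at pkt (len bytes) and return
 * the upper-layer protocol, or -1 if any field we would need lies beyond len. */
int ip6_upper_protocol(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HDRLEN || (pkt[0] >> 4) != 6)
        return -1;
    unsigned nh = pkt[6];                      /* fixed header: Next Header */
    size_t off = IPV6_HDRLEN;
    for (int hops = 0; hops < 16; hops++) {    /* bound the chain length */
        size_t hlen;
        switch (nh) {
        case IPV6_HOPOPTS: case IPV6_ROUTING: case IPV6_DSTOPTS: case IPV6_FRAGMENT:
            if (off + 2 > len) return -1;      /* need Next Header + Hdr Ext Len */
            hlen = (nh == IPV6_FRAGMENT) ? 8 : ((size_t)pkt[off + 1] + 1) * 8;
            break;
        default:
            return (int)nh;                    /* not an extension header: done */
        }
        if (off + hlen > len) return -1;       /* header body truncated */
        nh = pkt[off];                         /* this header's Next Header */
        off += hlen;
    }
    return -1;                                 /* chain too long: refuse it */
}

/* "ip6 protochain <proto>" semantics: does the chain end in proto? */
int protochain_matches(const uint8_t *pkt, size_t len, int proto)
{
    return ip6_upper_protocol(pkt, len) == proto;
}

/* Constructed sample: IPv6 header with Next Header = Hop-by-Hop, an 8-byte Hop-by-Hop
 * header with Next Header = 58 (ICMPv6), then 4 bytes of ICMPv6. Addresses are placeholders. */
static const uint8_t sample_hbh_icmp6[] = {
    0x60, 0, 0, 0, 0x00, 0x0c, IPV6_HOPOPTS, 1,              /* payload len 12, hlim 1 */
    0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,    /* src fe80::1 */
    0xff, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,    /* dst ff02::1 */
    58, 0, 1, 0, 1, 0, 0, 0,                                 /* HBH: nh=58, len 0, PadN */
    0x82, 0, 0, 0                                            /* ICMPv6 type 130 */
};
```

Passing the same bytes with a shorter len (40 or 42) stands in for a capture whose snaplen cut the packet off inside the Hop-by-Hop header; the walk reports -1 rather than touching bytes it does not have.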