Package: libpcap0.8
Version: 1.1.1-5
Severity: important

It's possible to crash libpcap in the bpf interpreter with an "ip6
protochain" filter.  A test packet is attached; it is an ICMPv6 message
with an IPv6 hop-by-hop extension header.  I was not able to reproduce
this with the latest version of libpcap from upstream git.

    edmonds@chase{0}:~/packets$ tcpdump -nr ip6-hopbyhop-icmp.pcap
    reading from file ip6-hopbyhop-icmp.pcap, link-type EN10MB (Ethernet)
    18:43:07.098489 IP6 fe80::208:7dff:feb7:2cca > ff02::1: HBH ICMP6, multicast listener queryv2  [gaddr ::], length 28
    edmonds@chase{0}:~/packets$ tcpdump -nr ip6-hopbyhop-icmp.pcap 'ip6 protochain 1'
    reading from file ip6-hopbyhop-icmp.pcap, link-type EN10MB (Ethernet)
    zsh: segmentation fault  tcpdump -nr ip6-hopbyhop-icmp.pcap 'ip6 protochain 1'
    edmonds@chase{139}:~/packets$ valgrind tcpdump -nr ip6-hopbyhop-icmp.pcap 'ip6 protochain 1'
    ==24937== Memcheck, a memory error detector
    ==24937== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
    ==24937== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
    ==24937== Command: tcpdump -nr ip6-hopbyhop-icmp.pcap ip6\ protochain\ 1
    ==24937== 
    reading from file ip6-hopbyhop-icmp.pcap, link-type EN10MB (Ethernet)
    ==24937== Invalid read of size 2
    ==24937==    at 0x5212EB8: bpf_filter (bpf_filter.c:242)
    ==24937==    by 0x520D268: pcap_offline_read (savefile.c:379)
    ==24937==    by 0x51FF60E: pcap_loop (pcap.c:423)
    ==24937==    by 0x187644: main (in /usr/sbin/tcpdump)
    ==24937==  Address 0x805bcc7d0 is not stack'd, malloc'd or (recently) free'd
    ==24937== 
    ==24937== 
    ==24937== Process terminating with default action of signal 11 (SIGSEGV)
    ==24937==  Access not within mapped region at address 0x805BCC7D0
    ==24937==    at 0x5212EB8: bpf_filter (bpf_filter.c:242)
    ==24937==    by 0x520D268: pcap_offline_read (savefile.c:379)
    ==24937==    by 0x51FF60E: pcap_loop (pcap.c:423)
    ==24937==    by 0x187644: main (in /usr/sbin/tcpdump)
    ==24937==  If you believe this happened as a result of a stack
    ==24937==  overflow in your program's main thread (unlikely but
    ==24937==  possible), you can try to increase the size of the
    ==24937==  main thread stack using the --main-stacksize= flag.
    ==24937==  The main thread stack size used in this run was 8388608.
    ==24937== 
    ==24937== HEAP SUMMARY:
    ==24937==     in use at exit: 3,473 bytes in 7 blocks
    ==24937==   total heap usage: 23 allocs, 16 frees, 12,949 bytes allocated
    ==24937== 
    ==24937== LEAK SUMMARY:
    ==24937==    definitely lost: 0 bytes in 0 blocks
    ==24937==    indirectly lost: 0 bytes in 0 blocks
    ==24937==      possibly lost: 0 bytes in 0 blocks
    ==24937==    still reachable: 3,473 bytes in 7 blocks
    ==24937==         suppressed: 0 bytes in 0 blocks
    ==24937== Rerun with --leak-check=full to see details of leaked memory
    ==24937== 
    ==24937== For counts of detected and suppressed errors, rerun with: -v
    ==24937== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 6 from 6)
    zsh: segmentation fault  valgrind tcpdump -nr ip6-hopbyhop-icmp.pcap 'ip6 protochain 1'
    edmonds@chase{139}:~/packets$ 

-- 
Robert Edmonds
edmo...@debian.org

Attachment: ip6-hopbyhop-icmp.pcap
Description: application/cap

Attachment: signature.asc
Description: Digital signature
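A "protochain" filter has to walk the IPv6 extension-header chain of each packet to find the requested protocol, and the crash above is an out-of-bounds read during that walk. The following is an added example, not libpcap's code: a bounds-checked walker in C run over a frame constructed to match the tcpdump line above (Ethernet / IPv6 / hop-by-hop / ICMPv6 MLDv2 query; the ICMPv6 checksum is left as zero), returning -1 instead of reading past the frame when it is truncated.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed frame matching the tcpdump line above: Ethernet / IPv6 (next header 0,
 * hop-by-hop) / HBH with router-alert / ICMPv6 MLDv2 query, 28 bytes. Checksum left 0. */
const uint8_t test_frame[] = {
    0x33,0x33,0x00,0x00,0x00,0x01, 0x00,0x08,0x7d,0xb7,0x2c,0xca, 0x86,0xdd, /* Ethernet */
    0x60,0x00,0x00,0x00, 0x00,0x24, 0x00, 0x01,                              /* IPv6: plen 36, nh 0 */
    0xfe,0x80,0,0,0,0,0,0, 0x02,0x08,0x7d,0xff,0xfe,0xb7,0x2c,0xca,           /* src fe80::208:7dff:feb7:2cca */
    0xff,0x02,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x01,                               /* dst ff02::1 */
    0x3a,0x00, 0x05,0x02,0x00,0x00, 0x01,0x00,                                /* HBH: nh 58, len 0, RtrAlert, PadN */
    0x82,0x00,0x00,0x00, 0x27,0x10, 0x00,0x00,                                /* MLDv2 query header */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,                                        /* group address :: */
    0x02,0x7d,0x00,0x00                                                      /* QRV 2, QQIC 125, 0 sources */
};
const size_t test_frame_len = sizeof test_frame;

/* Extension headers sharing the "next header, length in 8-octet units minus 1" layout. */
static int is_ext_hdr(uint8_t nh)
{
    return nh == 0 || nh == 43 || nh == 60;  /* hop-by-hop, routing, destination options */
}

/* Walk the IPv6 header chain of an Ethernet frame looking for `proto`.
 * Returns 1 if found, 0 if the chain ends without it, -1 if the frame is
 * truncated. Every read is checked against `len` before it happens. */
int ip6_protochain(const uint8_t *pkt, size_t len, uint8_t proto)
{
    size_t off = 14;                              /* Ethernet header */
    if (len < off + 40) return -1;                /* no room for a fixed IPv6 header */
    if (pkt[12] != 0x86 || pkt[13] != 0xdd) return 0;   /* not IPv6 */
    uint8_t nh = pkt[off + 6];                    /* IPv6 next-header field */
    off += 40;
    for (int hops = 0; hops < 8; hops++) {        /* cap the walk; no unbounded loops */
        if (nh == proto) return 1;
        if (!is_ext_hdr(nh)) return 0;            /* upper-layer header reached */
        if (off + 2 > len) return -1;             /* need nh + hdr-ext-len bytes */
        size_t hlen = ((size_t)pkt[off + 1] + 1) * 8;
        if (off + hlen > len) return -1;          /* extension header runs past the frame */
        nh = pkt[off];
        off += hlen;
    }
    return -1;                                    /* chain too long to be trusted */
}
```

Note that the filter in the report asks for protocol 1 (IPv4 ICMP); ICMPv6 is protocol 58, so a correct walk over this packet returns "no match" rather than reading off the end of the buffer.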
