Bug 4634

Summary: TCPDUMP will dump core if fed a spoofed IP packet with proto 4 and hl=0
Product: [Retired] Red Hat Linux
Reporter: francois
Component: tcpdump
Assignee: David Lawrence <dkl>
Status: CLOSED NEXTRELEASE
Severity: medium
Priority: medium
Version: 6.0
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 1999-08-20 21:45:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description francois 1999-08-20 20:52:57 UTC
(copy of mail sent to tcpdump@ee.lbl.gov)

I have just noticed and fixed a rather obscure and exploitable DoS against tcpdump.

If someone spoofs an IP packet with a header length of 0 (ip_hl=0) (or any value bigger than the total ip+(tcp/udp) packet) and the ip_protocol of the packet is set to 4, tcpdump will dump core.

Why? Simple. Let's go into print-ip.c.

The header length is calculated this way:

        hlen = ip->ip_hl * 4;

If the packet is spoofed and ip_hl=0 or a very big value, hlen will contain 0.

Then...

        cp = (const u_char *)ip + hlen;

cp will point to the beginning of the IP packet, not inside, on the data after the header.

If the IP protocol is 4 then we jump to:

        case 4:
                /* DVMRP multicast tunnel (ip-in-ip encapsulation) */
        (...)
                        ip_print(cp, len);
        (...)
                        break;

As cp=ip, we build a recursive loop to ip_print which will smash the stack in no time.

Here is my patch. (I was not especially inspired for the error message.)

Hope you can fix this ASAP.

Note: I have built an exploit. AFAIK it only works if the computer running tcpdump is on the same Ethernet segment as the attacker, as most routers will drop an IP packet with an ip_hl lower than 5.

Some people depend on tcpdump feeding an analyzer script to protect their network; that's why I think this DoS should be taken seriously.

--- tcpdump-3.4/print-ip.c      Fri Aug 20 16:00:51 1999
+++ tcpdump-3.4-p1/print-ip.c   Fri Aug 20 16:04:32 1999
@@ -374,6 +374,10 @@
                (void)printf("truncated-ip %d", length);
                return;
        }
+       if (ip->ip_hl < 5) {
+               (void)printf("ip_hl < 5 (%d)", ip->ip_hl);
+               return;
+       }
        hlen = ip->ip_hl * 4;

        len = ntohs(ip->ip_len);
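Review bot: the new `if (ip->ip_hl < 5)` check rejects the ip_hl=0 case but not the other case the description names, a header length bigger than the packet; an ip_hl whose `hlen = ip->ip_hl * 4` exceeds `length` (already compared in the `truncated-ip` branch just above) or `len = ntohs(ip->ip_len)` still passes, so consider adding `if (hlen > length || hlen > len)` with its own message after `hlen` is computed, before `cp` is derived from it. On style, a short tag in the form of the neighbouring `truncated-ip %d` message (for example `bad-hlen %d`) would be more consistent than `ip_hl < 5 (%d)`.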

regards,
Francois

Francois Baligant
Developer, Network Operation Center
EuroNet Internet NV/SA, a subsidiary of France Telecom
Lozenberg 22 - B-1932 Zaventem
tel: +32 2 717 17 17
fax: +32 2 717 17 77
francois@be.euro.net
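The header-length check the report's patch adds, together with the upper bound the description also mentions (ip_hl larger than the packet) and a guard on how deep protocol-4 nesting may go, as an added C example written for this page; it is neither the reporter's patch nor tcpdump's print-ip.c. The names `ip_check_hlen`, `ip_walk`, `fill_ipv4`, `MAX_IPIP_DEPTH` and the sample packets are all assumptions constructed here, not captured traffic.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define IPPROTO_IPIP_NUM 4  /* protocol 4: IP-in-IP, the "case 4" in print-ip.c */
#define MAX_IPIP_DEPTH   4  /* hypothetical guard against unbounded nesting */
enum ip_check {
    IP_OK = 0,
    IP_TRUNCATED,       /* fewer than 20 bytes available */
    IP_BAD_HLEN_SMALL,  /* ip_hl < 5: the case the report's patch rejects */
    IP_BAD_HLEN_LARGE,  /* header longer than ip_len or than the captured bytes */
    IP_TOO_DEEP         /* nested IP-in-IP beyond MAX_IPIP_DEPTH */
};

/* Validate the IPv4 header-length field against both bounds named in the
 * description; on success store the header length in bytes in *hlen_out. */
enum ip_check ip_check_hlen(const uint8_t *pkt, size_t caplen, size_t *hlen_out)
{
    if (caplen < 20)
        return IP_TRUNCATED;
    size_t hlen  = (size_t)(pkt[0] & 0x0f) * 4;     /* ip_hl: low nibble of byte 0, in 32-bit words */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];  /* ip_len, network byte order */
    if (hlen < 20)
        return IP_BAD_HLEN_SMALL;
    if (hlen > total || hlen > caplen)
        return IP_BAD_HLEN_LARGE;
    *hlen_out = hlen;
    return IP_OK;
}

/* Walk a packet the way print-ip.c does, descending into protocol-4 payloads at
 * cp = ip + hlen, but only after the header check and within a depth limit.
 * Returns the number of IP headers parsed, or -1 with *err set. */
int ip_walk(const uint8_t *pkt, size_t caplen, int depth, enum ip_check *err)
{
    size_t hlen;
    enum ip_check rc = ip_check_hlen(pkt, caplen, &hlen);
    if (rc != IP_OK) { *err = rc; return -1; }
    if (depth >= MAX_IPIP_DEPTH) { *err = IP_TOO_DEEP; return -1; }
    if (pkt[9] == IPPROTO_IPIP_NUM) {
        /* hlen >= 20 here, so the recursion always advances past this header */
        int inner = ip_walk(pkt + hlen, caplen - hlen, depth + 1, err);
        return inner < 0 ? -1 : inner + 1;
    }
    return 1;
}
/* Constructed 20-byte IPv4 header (sample data, not captured traffic). */
static void fill_ipv4(uint8_t *buf, uint8_t ihl, uint16_t total, uint8_t proto)
{
    memset(buf, 0, 20);
    buf[0] = (uint8_t)(0x40 | (ihl & 0x0f));  /* version 4 | header length in words */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)(total & 0xff);
    buf[8] = 64;                               /* TTL */
    buf[9] = proto;
}
/* The report's packet: ip_hl = 0, protocol 4. Unchecked, cp == ip and ip_print recurses on itself. */
enum ip_check demo_spoofed_hl0(void)
{
    uint8_t pkt[20];
    enum ip_check err = IP_OK;
    fill_ipv4(pkt, 0, 20, IPPROTO_IPIP_NUM);
    ip_walk(pkt, sizeof pkt, 0, &err);
    return err;
}
/* The other case the report names: ip_hl = 15 claims a 60-byte header in a 20-byte packet. */
enum ip_check demo_spoofed_hl_large(void)
{
    uint8_t pkt[20];
    enum ip_check err = IP_OK;
    fill_ipv4(pkt, 15, 20, IPPROTO_IPIP_NUM);
    ip_walk(pkt, sizeof pkt, 0, &err);
    return err;
}
/* Legitimate IP-in-IP: an outer header carrying an inner IP/UDP packet parses as 2 headers. */
int demo_nested_ok(void)
{
    uint8_t pkt[40];
    enum ip_check err = IP_OK;
    fill_ipv4(pkt, 5, 40, IPPROTO_IPIP_NUM);
    fill_ipv4(pkt + 20, 5, 20, 17);            /* inner: protocol 17 (UDP), no further nesting */
    return ip_walk(pkt, sizeof pkt, 0, &err);
}
/* Six well-formed protocol-4 headers nested back to back: the depth guard stops the walk. */
enum ip_check demo_too_deep(void)
{
    uint8_t pkt[120];
    enum ip_check err = IP_OK;
    for (int i = 0; i < 6; i++)
        fill_ipv4(pkt + 20 * i, 5, (uint16_t)(120 - 20 * i), IPPROTO_IPIP_NUM);
    ip_walk(pkt, sizeof pkt, 0, &err);
    return err;
}
int main(void)
{
    printf("ip_hl=0: %d, ip_hl=15: %d, nested: %d headers, 6-deep: %d\n",
           demo_spoofed_hl0(), demo_spoofed_hl_large(), demo_nested_ok(), demo_too_deep());
    return 0;
}
```

Compiled with any C99 compiler, the program rejects the ip_hl=0 packet before a `cp` could be derived from it, rejects a header length that overruns the packet, still parses a genuine IP-in-IP packet as two headers, and stops a self-nesting chain at the depth limit rather than recursing until the stack is exhausted.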

Comment 1 Jeff Johnson 1999-08-20 21:45:59 UTC
Patch added in tcpdump-3.4-15.