Bug 4634 - TCPDUMP will dump core if fed a spoofed IP packet with proto 4 and hl=0
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: tcpdump
Version: 6.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: David Lawrence
QA Contact:
Depends On:
Reported: 1999-08-20 20:52 UTC by francois
Modified: 2008-05-01 15:37 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 1999-08-20 21:45:05 UTC


Description francois 1999-08-20 20:52:57 UTC
(copy of mail sent to

        I have just noticed and fixed a rather obscure
        and exploitable DoS against tcpdump.

        If someone spoofs an IP packet with a header
        length of 0 (ip_hl=0) (or any value bigger
        than the total ip+(tcp/udp) packet) and
        the ip_protocol of the packet is set to 4,
        tcpdump will dump core.

        Why? Simple. Let's go into print-ip.c.

        The header length is calculated this way:

        hlen = ip->ip_hl * 4;

        If the packet is spoofed and ip_hl=0 or a very
        big value, hlen will contain 0.


        cp = (const u_char *)ip + hlen;

        cp will point to the beginning of the IP
        packet, not inside, on the data after the

        If the IP protocol is 4 then we jump to:

        case 4:
        /* DVMRP multicast tunnel (ip-in-ip encapsulation) */
                        ip_print(cp, len);

        As cp=ip, we build a recursive loop to ip_print
        which will smash the stack in no time.

        Here is my patch. (I was not especially
        inspired for the error message.)

        Hope you can fix this ASAP.

        Note: I have built an exploit. AFAIK it only
        works if the computer running tcpdump is on the
        same ethernet segment as the attacker, as
        most routers will drop an IP packet with an ip_hl
        lower than 5.

        Some people depend on tcpdump feeding an analyzer
        script to protect their network; that's why
        I think this DoS should be taken seriously.

--- tcpdump-3.4/print-ip.c      Fri Aug 20 16:00:51 1999
+++ tcpdump-3.4-p1/print-ip.c   Fri Aug 20 16:04:32 1999
@@ -374,6 +374,10 @@
                (void)printf("truncated-ip %d", length);
+       if (ip->ip_hl < 5) {
+               (void)printf("ip_hl < 5 (%d)", ip->ip_hl);
+               return;
+       }
        hlen = ip->ip_hl * 4;

        len = ntohs(ip->ip_len);
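Review bot: the new guard only closes the lower bound; the description also names header lengths larger than the packet, and nothing in this hunk compares hlen against len (computed two lines later) or against the captured length, so a protocol-4 packet with ip_hl = 15 on a 40-byte datagram still gets hlen = 60 and reaches ip_print(cp, len) with cp past the end of the data. Suggest adding, after `len = ntohs(ip->ip_len);`, something like `if (hlen > len) { (void)printf("bad-hlen %d", hlen); return; }`, and as a minor point, phrasing the new message in the style of the neighbouring `truncated-ip` output rather than the literal expression `ip_hl < 5 (%d)`.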


Francois Baligant            * *       EuroNet Internet
Network Operation Center   *     *     a subsidiary of
France Telecom
Developer                 *            Lozenberg 22 - B-1932
                         *             tel: +32 2 717 17 17                   fax: +32 2 717 17 77
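The recursion described in the report, as an added example that is not tcpdump's code and not part of the original mail: a small C model of the print-ip.c protocol-4 path, once written the way the report says tcpdump 3.4 behaves (hlen = ip_hl * 4, cp = ip + hlen, then ip_print(cp, len) again) and once with the ip_hl < 5 check from the patch plus an upper-bound check. The packets are constructed inline; the verdict enum, MAX_NEST and the two "would crash here" return values are this example's own instrumentation so that the unsafe path reports the problem instead of actually exhausting the stack or reading past the buffer.

```c
/* ipip_hlen_demo.c: model of the tcpdump 3.4 print-ip.c protocol-4 (ip-in-ip) path.
 * Constructed example, not tcpdump's own code.
 * Build: cc -Wall -o ipip_hlen_demo ipip_hlen_demo.c && ./ipip_hlen_demo
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPPROTO_IPIP_DEMO 4   /* the "case 4" in print-ip.c */
#define MAX_NEST          8   /* recursion cap: the model never actually blows the stack */
#define IPHDR_MIN         20  /* sizeof(struct ip) */

enum verdict { V_OK = 0, V_TRUNCATED, V_BAD_HLEN, V_INFINITE_LOOP, V_OOB_READ, V_TOO_DEEP };

/* Fields read straight from the wire bytes: no struct ip, so no alignment or bitfield issues. */
static unsigned ip_hl(const uint8_t *p)    { return p[0] & 0x0f; }                   /* 32-bit words */
static unsigned ip_len(const uint8_t *p)   { return ((unsigned)p[2] << 8) | p[3]; }  /* ntohs(ip_len) */
static unsigned ip_proto(const uint8_t *p) { return p[9]; }

/* The 3.4 logic as the report describes it. With ip_hl == 0, cp == ip and the inner call
 * gets exactly the same arguments, so it never terminates. V_INFINITE_LOOP and V_OOB_READ
 * are instrumentation standing in for the crash the real code would produce. */
static enum verdict ip_print_unchecked(const uint8_t *ip, unsigned length, int depth)
{
    if (length < IPHDR_MIN) return V_TRUNCATED;    /* the existing truncated-ip check */
    if (depth >= MAX_NEST) return V_TOO_DEEP;
    unsigned hlen = ip_hl(ip) * 4;
    if (hlen > length) return V_OOB_READ;          /* real code would read past the packet here */
    unsigned len = ip_len(ip) - hlen;
    const uint8_t *cp = ip + hlen;
    if (ip_proto(ip) == IPPROTO_IPIP_DEMO) {
        if (cp == ip) return V_INFINITE_LOOP;      /* same pointer, same len: unbounded recursion */
        return ip_print_unchecked(cp, len, depth + 1);
    }
    return V_OK;
}

/* Hardened version: the patch's ip_hl < 5 check, plus a bound against the header running
 * past the datagram or the captured bytes, which the patch on this page does not cover. */
static enum verdict ip_print_checked(const uint8_t *ip, unsigned length, int depth)
{
    if (length < IPHDR_MIN) return V_TRUNCATED;
    if (depth >= MAX_NEST) return V_TOO_DEEP;
    unsigned hl = ip_hl(ip);
    if (hl < 5) return V_BAD_HLEN;                 /* the check from the patch */
    unsigned hlen = hl * 4;
    unsigned len = ip_len(ip);
    if (hlen > len || hlen > length) return V_BAD_HLEN;   /* header longer than the packet */
    len -= hlen;
    if (len > length - hlen) len = length - hlen;  /* never trust ip_len beyond what was captured */
    const uint8_t *cp = ip + hlen;                 /* hlen >= 20, so cp strictly advances */
    if (ip_proto(ip) == IPPROTO_IPIP_DEMO)
        return ip_print_checked(cp, len, depth + 1);
    return V_OK;
}

/* Constructed 20-byte IPv4 header: version 4, given ip_hl, total length and protocol. */
static void mk_hdr(uint8_t *out, unsigned hl, unsigned total_len, unsigned proto)
{
    memset(out, 0, IPHDR_MIN);
    out[0] = (uint8_t)(0x40 | (hl & 0x0f));
    out[2] = (uint8_t)(total_len >> 8);
    out[3] = (uint8_t)(total_len & 0xff);
    out[8] = 64;                                   /* ttl */
    out[9] = (uint8_t)proto;
}

static enum verdict run(const uint8_t *pkt, unsigned n, int checked)
{
    return checked ? ip_print_checked(pkt, n, 0) : ip_print_unchecked(pkt, n, 0);
}

/* Scenario from the report: ip_hl = 0, protocol 4, an inner header behind it. */
enum verdict scenario_hl0(int checked)
{
    uint8_t pkt[40]; mk_hdr(pkt, 0, 40, 4); mk_hdr(pkt + 20, 5, 20, 6);
    return run(pkt, sizeof pkt, checked);
}

/* The other case the report names: ip_hl larger than the packet (15 words = 60 bytes in 40). */
enum verdict scenario_hl15(int checked)
{
    uint8_t pkt[40]; mk_hdr(pkt, 15, 40, 4); mk_hdr(pkt + 20, 5, 20, 6);
    return run(pkt, sizeof pkt, checked);
}

/* A legitimate ip-in-ip datagram: ip_hl = 5 outside, TCP inside. Both versions accept it. */
enum verdict scenario_legit(int checked)
{
    uint8_t pkt[40]; mk_hdr(pkt, 5, 40, 4); mk_hdr(pkt + 20, 5, 20, 6);
    return run(pkt, sizeof pkt, checked);
}

int main(void)
{
    static const char *name[] = { "ok", "truncated", "bad-hlen", "infinite-loop", "oob-read", "too-deep" };
    printf("ip_hl=0  : unchecked=%s checked=%s\n", name[scenario_hl0(0)],   name[scenario_hl0(1)]);
    printf("ip_hl=15 : unchecked=%s checked=%s\n", name[scenario_hl15(0)],  name[scenario_hl15(1)]);
    printf("legit    : unchecked=%s checked=%s\n", name[scenario_legit(0)], name[scenario_legit(1)]);
    return 0;
}
```

The point the model makes concrete is that the patch alone stops the cp == ip loop, while the second failure mode the report mentions (a header length larger than the datagram) needs the separate hlen-against-len comparison; a parser that recurses on encapsulation should also keep a nesting cap, since a chain of valid ip-in-ip headers is itself attacker-controlled.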

Comment 1 Jeff Johnson 1999-08-20 21:45:59 UTC
Patch added in tcpdump-3.4-15.
