Data Processing (IBB): CVE-2017-5204: The IPv6 parser in tcpdump before 4.9.0 has a buffer overflow in print-ip6.c:ip6_print()

2017-02-02T17:14:36
ID H1:202960
Type hackerone
Reporter geeknik
Modified 2019-10-08T20:31:14

Description

Reported to the project maintainer in October 2016. A specially crafted IPv6 packet could trigger a read outside of the buffer in tcpdump.

```
==27882==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000e000 at pc 0x0000005724b5 bp 0x7ffe8e17a790 sp 0x7ffe8e17a788
READ of size 1 at 0x60400000e000 thread T0
    #0 0x5724b4 in ip6_print /root/tcpdump/./print-ip6.c:296:4
    #1 0x5707d0 in ipN_print /root/tcpdump/./print-ip.c:689:3
    #2 0x61cde7 in raw_if_print /root/tcpdump/./print-raw.c:42:2
    #3 0x4ddd19 in pretty_print_packet /root/tcpdump/./print.c:339:18
    #4 0x4cc5db in print_packet /root/tcpdump/./tcpdump.c:2492:2
    #5 0x7672a0 in pcap_offline_read /root/libpcap/./savefile.c:527:4
    #6 0x6935cc in pcap_loop /root/libpcap/./pcap.c:890:8
    #7 0x4c89be in main /root/tcpdump/./tcpdump.c:1996:12
    #8 0x7f816e920b44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287
    #9 0x4c3c2c in _start (/root/tcpdump/tcpdump+0x4c3c2c)

0x60400000e000 is located 0 bytes to the right of 48-byte region [0x60400000dfd0,0x60400000e000)
allocated by thread T0 here:
    #0 0x4a65ab in __interceptor_malloc (/root/tcpdump/tcpdump+0x4a65ab)
    #1 0x768bf3 in pcap_check_header /root/libpcap/./sf-pcap.c:401:14
    #2 0x766902 in pcap_fopen_offline_with_tstamp_precision /root/libpcap/./savefile.c:400:7
    #3 0x766694 in pcap_open_offline_with_tstamp_precision /root/libpcap/./savefile.c:307:6

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/tcpdump/./print-ip6.c:296 ip6_print
```

Fixed by https://github.com/the-tcpdump-group/tcpdump/commit/d6913f7e3fc6d3084ab64d179853468e58cdca4b.
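The trace above shows a one-byte read exactly at the end of a 48-byte capture buffer. As an added example (not tcpdump's ip6_print and not the code of the fix commit), the following is a minimal IPv6 header walker that checks the captured length before every read, exercised on a constructed 48-byte packet whose extension header claims more bytes than were captured; the header types, field offsets and sample values are assumptions of this example, not taken from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration of captured-length checking in an IPv6 parser, not
 * tcpdump's ip6_print: every byte is read only after verifying it lies in
 * [pkt, pkt + caplen), so a short capture yields an error, not an OOB read. */
#define IPV6_HDR_LEN 40

/* Walks the fixed header and any Hop-by-Hop (0), Routing (43) or
 * Destination Options (60) extension headers, checking each declared
 * length against the bytes actually captured. Returns the offset of the
 * upper-layer header and stores its protocol number in *next; returns
 * -1 if the capture is too short and -2 if the version nibble is not 6. */
long ip6_upper_layer_offset(const uint8_t *pkt, size_t caplen, uint8_t *next)
{
    size_t off = IPV6_HDR_LEN, ext_len;
    uint8_t nh;
    if (caplen < IPV6_HDR_LEN)              /* fixed header not fully captured */
        return -1;
    if ((pkt[0] >> 4) != 6)
        return -2;
    nh = pkt[6];                            /* Next Header of the fixed header */
    while (nh == 0 || nh == 43 || nh == 60) {
        if (caplen - off < 2)               /* need Next Header + Hdr Ext Len */
            return -1;
        ext_len = ((size_t)pkt[off + 1] + 1) * 8;
        if (ext_len > caplen - off)         /* declared length beyond capture */
            return -1;
        nh = pkt[off];
        off += ext_len;
    }
    *next = nh;
    return (long)off;
}

/* Fills buf (at least 48 bytes) with a constructed packet: a 40-byte IPv6
 * header with Next Header = Hop-by-Hop (0), then an 8-byte option header whose
 * Hdr Ext Len (2 => 24 bytes) claims more than the 48 bytes captured, the
 * same size as the region in the report. Returns the captured length, 48. */
size_t build_sample_packet(uint8_t *buf)
{
    memset(buf, 0, 48);                     /* zeros: flow label, Next Header 0 */
    buf[0] = 0x60;                          /* version 6 */
    buf[5] = 8;                             /* payload length 8 */
    buf[7] = 64;                            /* hop limit */
    buf[40] = 59;                           /* option header's Next Header: none */
    buf[41] = 2;                            /* Hdr Ext Len: (2 + 1) * 8 = 24 bytes */
    return 48;
}
```

With the over-long option header the walker returns -1 instead of indexing past byte 47; setting the Hdr Ext Len to 0 makes the same capture parse cleanly to offset 48.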