Closed rbgarga closed 7 years ago
Nice analysis. Could you confirm this reproduces on the latest master branch build of tcpdump? Would it be possible to have a copy of the patch and a packet that triggers the crash? Thank you.
tcpdump has the wrong value for TCP Auth, but the switch case isn't broken as in filterlog. So no crashing.
I've extracted two libpcap callback packet buffers from core dumps that should be possible to test with, but I don't have any proper SCPS-TP packet to test with.
I've finally gotten around to creating a proper pcap file out of the libpcap buffer dumps.
Wireshark correctly identifies the TCP option as SCPS.
The first problem you have described is now addressed with the change you have proposed (PR #517), and commit 87dba33 addresses the second problem, thus I am closing this issue as fully resolved. Thank you for such a thorough analysis and feel free to contribute more bugfixes in the future.
The summary for this issue is as follows.
Handling of TCP-AO in tcp_print() before 4.9.0 had several bugs, some of which could cause a buffer over-read in different ways. Hanno Böck had discovered some of those ways by means of fuzzing in 2015 (addressed in commits 3e00e6a, 6b8ed96, ec88d36), you have discovered another by means of analysis in 2016 (addressed in commit 91161b8). All of those over-read issues were collectively designated as CVE-2016-7975. Non-security bugs were addressed in commits 2857c0b and 4804e66. All those bugfixes are available in version 4.9.0.
Thank you once again for this report, please send any future security reports to security@tcpdump.org.
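The summary above describes buffer over-reads in the TCP-AO branch of tcp_print(). The following is an added illustration, not code from tcpdump, filterlog or this issue's participants, of the bounds discipline a TCP option walker needs so that a short or lying length byte is rejected instead of read past the end of the packet. The option kinds are the IANA-registered values (TCP-AO is kind 29 per RFC 5925); the sample option blocks are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Option kinds from the IANA TCP option registry (assumed here, not from the issue). */
#define TCPOPT_EOL    0
#define TCPOPT_NOP    1
#define TCPOPT_MSS    2
#define TCPOPT_TCPAO  29   /* TCP Authentication Option, RFC 5925 */

/* One parsed option: kind, total length and a pointer to its payload (after kind+len). */
struct tcp_opt {
    uint8_t kind;
    uint8_t len;
    const uint8_t *data;
};

/* Advance over the option at *off.  Returns 1 and fills *out on success,
 * 0 at end-of-list (EOL or buffer exhausted), -1 if the option is malformed
 * (length byte missing, length < 2, or length running past optlen). */
int tcp_opt_next(const uint8_t *opts, size_t optlen, size_t *off, struct tcp_opt *out)
{
    if (*off >= optlen)
        return 0;
    uint8_t kind = opts[*off];
    if (kind == TCPOPT_EOL)
        return 0;
    if (kind == TCPOPT_NOP) {
        out->kind = kind; out->len = 1; out->data = NULL;
        *off += 1;
        return 1;
    }
    /* Every remaining kind carries a length byte; it must itself be in bounds. */
    if (optlen - *off < 2)
        return -1;
    uint8_t len = opts[*off + 1];
    /* The length covers kind+len, so < 2 would never advance; > remaining would over-read. */
    if (len < 2 || len > optlen - *off)
        return -1;
    /* TCP-AO: Kind, Length, KeyID, RNextKeyID, then the MAC; anything shorter is malformed. */
    if (kind == TCPOPT_TCPAO && len < 4)
        return -1;
    out->kind = kind; out->len = len; out->data = opts + *off + 2;
    *off += len;
    return 1;
}

/* Walk a whole option block.  Returns the option count, or -1 on the first malformed
 * option.  If a TCP-AO option is present, *ao_mac_len receives its MAC length, else -1. */
int tcp_opts_walk(const uint8_t *opts, size_t optlen, int *ao_mac_len)
{
    size_t off = 0;
    int n = 0, r;
    struct tcp_opt o;
    *ao_mac_len = -1;
    while ((r = tcp_opt_next(opts, optlen, &off, &o)) == 1) {
        n++;
        if (o.kind == TCPOPT_TCPAO)
            *ao_mac_len = o.len - 4;   /* MAC = everything after KeyID/RNextKeyID */
    }
    return r < 0 ? -1 : n;
}

/* Constructed sample: MSS 1460, NOP, TCP-AO with KeyID 1, RNextKeyID 2, 12-byte MAC, EOL. */
static const uint8_t sample_good[] = {
    2, 4, 0x05, 0xb4,
    1,
    29, 16, 1, 2, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0
};
/* Constructed truncated sample: TCP-AO claims 16 bytes but only 8 are present. */
static const uint8_t sample_trunc[] = { 29, 16, 1, 2, 0xaa, 0xbb, 0xcc, 0xdd };
/* Constructed sample: TCP-AO with length 3, shorter than its own fixed header. */
static const uint8_t sample_short[] = { 29, 3, 1 };

int main(void)
{
    int mac, n;
    n = tcp_opts_walk(sample_good, sizeof sample_good, &mac);
    printf("good:      %d options, AO MAC length %d\n", n, mac);
    n = tcp_opts_walk(sample_trunc, sizeof sample_trunc, &mac);
    printf("truncated: %d (malformed, no bytes read past the buffer)\n", n);
    n = tcp_opts_walk(sample_short, sizeof sample_short, &mac);
    printf("short AO:  %d (malformed)\n", n);
    return 0;
}
```

The two checks that matter are on the length byte: it is only read once the walker knows a second byte exists, and an option is only dereferenced once its declared length fits in the remaining buffer. A kind-specific minimum (here 4 for TCP-AO) stops a caller from computing a negative MAC length out of a length byte that satisfies the generic check.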
We have a piece of software on pfSense, called filterlog [1], and this software is basically made using part of tcpdump code. We received an email from Patrik Lindquist patrik.lundquist@gmail.com reporting a crash on filterlog, and after a quick look at tcpdump code I believe this same problem may occur in it, so I decided to come here and share all the investigation he did. Below you can see his email content:
[1] https://github.com/pfsense/FreeBSD-ports/tree/devel/sysutils/filterlog/files