Fuzzing tcpdump nets multiple CVE assignments

As some of you might have seen over the last few days, tcpdump 4.9.0 has been released and it contains a BUTT LOAD of security fixes. Here are my contributions:

CVE-2017-5204 The IPv6 parser in tcpdump before 4.9.0 has a buffer overflow in print-ip6.c:ip6_print().

==27882==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000e000 at pc 0x0000005724b5 bp 0x7ffe8e17a790 sp 0x7ffe8e17a788
READ of size 1 at 0x60400000e000 thread T0
#0 0x5724b4 in ip6_print /root/tcpdump/./print-ip6.c:296:4
#1 0x5707d0 in ipN_print /root/tcpdump/./print-ip.c:689:3
#2 0x61cde7 in raw_if_print /root/tcpdump/./print-raw.c:42:2
#3 0x4ddd19 in pretty_print_packet /root/tcpdump/./print.c:339:18
#4 0x4cc5db in print_packet /root/tcpdump/./tcpdump.c:2492:2
#5 0x7672a0 in pcap_offline_read /root/libpcap/./savefile.c:527:4
#6 0x6935cc in pcap_loop /root/libpcap/./pcap.c:890:8
#7 0x4c89be in main /root/tcpdump/./tcpdump.c:1996:12
#8 0x7f816e920b44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287
#9 0x4c3c2c in _start (/root/tcpdump/tcpdump+0x4c3c2c)

0x60400000e000 is located 0 bytes to the right of 48-byte region [0x60400000dfd0,0x60400000e000)
allocated by thread T0 here:
#0 0x4a65ab in __interceptor_malloc (/root/tcpdump/tcpdump+0x4a65ab)
#1 0x768bf3 in pcap_check_header /root/libpcap/./sf-pcap.c:401:14
#2 0x766902 in pcap_fopen_offline_with_tstamp_precision /root/libpcap/./savefile.c:400:7
#3 0x766694 in pcap_open_offline_with_tstamp_precision /root/libpcap/./savefile.c:307:6

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/tcpdump/./print-ip6.c:296 ip6_print
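The report above is a one-byte read at exactly the end of the 48-byte packet buffer that libpcap allocated, i.e. a dissector that read past the bytes actually captured. The following constructed C parser is an added illustration of the check every such read needs and is not tcpdump's code, nor a reconstruction of the actual bug: each read is bounded by the captured length (caplen), never by a length field taken from the packet itself. The names `capture_t`, `in_capture`, `ip6_parse`, `make_ip6` and the three `demo_*` scenarios are hypothetical, and the packets they build are constructed test data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, not tcpdump's own code: a dissector must check every
 * read against the captured length (caplen), never against lengths taken
 * from the packet itself. */

enum { IP6_OK = 0, IP6_TRUNC_HDR = 1, IP6_TRUNC_PAYLOAD = 2, IP6_BAD_VERSION = 3 };

typedef struct {
    const uint8_t *data;   /* captured bytes */
    size_t caplen;         /* how many of them were actually captured */
} capture_t;

typedef struct {
    uint16_t payload_len;  /* from the packet: untrusted */
    uint8_t  next_header;
    uint8_t  hop_limit;
    uint8_t  first_payload_byte;
} ip6_info_t;

#define IP6_HDR_LEN 40     /* fixed IPv6 header size (RFC 8200) */

/* True if [off, off+len) lies inside the captured bytes; written so the
 * arithmetic cannot wrap for large len. */
static int in_capture(const capture_t *c, size_t off, size_t len) {
    return off <= c->caplen && len <= c->caplen - off;
}

/* Parse the fixed IPv6 header at offset 0 and peek at the first payload byte.
 * Returns one of the IP6_* codes above; never touches bytes beyond caplen. */
int ip6_parse(const capture_t *c, ip6_info_t *out) {
    const uint8_t *p = c->data;
    if (!in_capture(c, 0, IP6_HDR_LEN))
        return IP6_TRUNC_HDR;            /* without this check: OOB read */
    if ((p[0] >> 4) != 6)
        return IP6_BAD_VERSION;
    out->payload_len = (uint16_t)((p[4] << 8) | p[5]);
    out->next_header = p[6];
    out->hop_limit   = p[7];
    /* payload_len says how many bytes follow on the wire, but the capture may
     * hold fewer (snaplen, truncated file, crafted input). Check caplen. */
    if (!in_capture(c, IP6_HDR_LEN, 1))
        return IP6_TRUNC_PAYLOAD;
    out->first_payload_byte = p[IP6_HDR_LEN];
    return IP6_OK;
}

/* Build a constructed IPv6 header that claims payload_len bytes of payload. */
static void make_ip6(uint8_t *buf, uint16_t payload_len, uint8_t next_header) {
    memset(buf, 0, IP6_HDR_LEN);
    buf[0] = 0x60;                       /* version 6 */
    buf[4] = (uint8_t)(payload_len >> 8);
    buf[5] = (uint8_t)(payload_len & 0xff);
    buf[6] = next_header;
    buf[7] = 64;                         /* hop limit */
}

/* Scenario 1: capture holds only the 40-byte header although the packet
 * claims 1000 bytes of payload. The header field must not drive the read. */
int demo_truncated_payload(void) {
    uint8_t buf[IP6_HDR_LEN];
    make_ip6(buf, 1000, 59);             /* 59 = no next header */
    capture_t c = { buf, sizeof buf };
    ip6_info_t info;
    return ip6_parse(&c, &info);         /* IP6_TRUNC_PAYLOAD */
}

/* Scenario 2: 48-byte capture, header plus 8 payload bytes, fully parsed. */
int demo_complete(void) {
    uint8_t buf[48];
    make_ip6(buf, 8, 58);                /* 58 = ICMPv6 */
    memset(buf + IP6_HDR_LEN, 0xab, 8);
    capture_t c = { buf, sizeof buf };
    ip6_info_t info;
    int rc = ip6_parse(&c, &info);
    return rc == IP6_OK && info.first_payload_byte == 0xab && info.payload_len == 8;
}

/* Scenario 3: only 20 bytes captured, not even the fixed header. */
int demo_truncated_header(void) {
    uint8_t buf[20] = {0x60};
    capture_t c = { buf, sizeof buf };
    ip6_info_t info;
    return ip6_parse(&c, &info);         /* IP6_TRUNC_HDR */
}

int main(void) {
    printf("truncated payload -> %d\n", demo_truncated_payload());
    printf("complete          -> %d\n", demo_complete());
    printf("truncated header  -> %d\n", demo_truncated_header());
    return 0;
}
```

Build it with `-fsanitize=address` and delete either `in_capture` check to see the kind of report shown above: scenario 1 then reads one byte past a buffer whose capture ended exactly at the header boundary, which is the same shape as the "0 bytes to the right of" finding in the trace.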

CVE-2017-5341 The OTV parser in tcpdump before 4.9.0 has a buffer overflow in print-otv.c:otv_print().

CVE-2017-5342 In tcpdump before 4.9.0 a bug in multiple protocol parsers (Geneve, GRE, NSH, OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in print-ether.c:ether_print().

CVE-2017-5482 The Q.933 parser in tcpdump before 4.9.0 has a buffer overflow in print-fr.c:q933_print().

CVE-2017-5484 The ATM parser in tcpdump before 4.9.0 has a buffer overflow in print-atm.c:sig_print().

All fixes for these flaws can be found @ https://github.com/the-tcpdump-group/tcpdump/commits/master.

As always, if you like the work I'm doing, you can show your support through Patreon or via Bitcoin: 1LcCefcdue8XTMj3zXjkXgCJk6S71kAtah.

Geeknik Labs
