CVE-2017-12986 The IPv6 routing header parser in tcpdump before 4.9.2 has a buffer over-read in print-rt6.c:rt6_print().

Disclosed: 2019-10-08 20:32:28 By geeknik To ibb
High
Vulnerability Details
Reported to the devs on 4 February 2017. Tcpdump 4.9.2 released on 8 September 2017.

Patch: https://github.com/the-tcpdump-group/tcpdump/commit/7ac73d6cd41e9d4ac0ca7e6830ca390e195bb21c

`The IPv6 routing header parser in tcpdump before 4.9.2 has a buffer over-read in print-rt6.c:rt6_print().`

```
/tcpdump -nr test000
reading from file test000, link-type IPV6 (Raw IPv6)
=================================================================
==567==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000e001 at pc 0x00000063663d bp 0x7ffec82f8fb0 sp 0x7ffec82f8fa8
READ of size 1 at 0x60400000e001 thread T0
    #0 0x63663c in rt6_print /root/tcpdump/./print-rt6.c:48:2
    #1 0x57859b in ip6_print /root/tcpdump/./print-ip6.c:328:14
    #2 0x576fdc in ipN_print /root/tcpdump/./print-ip.c:700:3
    #3 0x626677 in raw_if_print /root/tcpdump/./print-raw.c:42:2
    #4 0x4de3c9 in pretty_print_packet /root/tcpdump/./print.c:339:18
    #5 0x4ccb0b in print_packet /root/tcpdump/./tcpdump.c:2555:2
    #6 0x775960 in pcap_offline_read /root/libpcap/./savefile.c:527:4
    #7 0x6a3f3c in pcap_loop /root/libpcap/./pcap.c:1623:8
    #8 0x4c8f1e in main /root/tcpdump/./tcpdump.c:2058:12
    #9 0x7fe428299b44 in __libc_start_main /build/glibc-qK83Be/glibc-2.19/csu/libc-start.c:287
    #10 0x4c419c in _start (/root/tcpdump/tcpdump+0x4c419c)

0x60400000e001 is located 1 bytes to the right of 48-byte region [0x60400000dfd0,0x60400000e000)
allocated by thread T0 here:
    #0 0x4a6b1b in malloc (/root/tcpdump/tcpdump+0x4a6b1b)
    #1 0x7772b3 in pcap_check_header /root/libpcap/./sf-pcap.c:401:14
    #2 0x774fc2 in pcap_fopen_offline_with_tstamp_precision /root/libpcap/./savefile.c:400:7
    #3 0x774d54 in pcap_open_offline_with_tstamp_precision /root/libpcap/./savefile.c:307:6

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/tcpdump/./print-rt6.c:48 rt6_print
```
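The trace above is a one-byte read past the end of the captured packet buffer inside the routing header printer. The following is an added example, not part of the original report and not tcpdump's code: a minimal IPv6 routing header parser (RFC 8200 layout) that checks the captured length before every field read. The names `rt6_parse`, `rt6_info` and the sample buffers are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes for this example parser. */
enum rt6_status { RT6_OK = 0, RT6_TRUNCATED = -1, RT6_MALFORMED = -2 };

struct rt6_info {
    uint8_t next_header, type, segleft;
    size_t  total_len;   /* (Hdr Ext Len + 1) * 8 bytes, per RFC 8200 */
    size_t  addr_count;  /* type 0 only: number of 16-byte addresses */
};

/* Constructed samples: a type 0 header with one address, and an odd Hdr Ext Len. */
static const uint8_t sample_full[24] = { 0x3b, 0x02, 0x00, 0x01 };
static const uint8_t sample_odd[16]  = { 0x3b, 0x01, 0x00, 0x00 };

/* Parse a routing header from buf, of which only caplen bytes were captured.
 * No byte is read until caplen has been shown to cover it. */
static int rt6_parse(const uint8_t *buf, size_t caplen, struct rt6_info *out)
{
    if (caplen < 4)                  /* fixed part: nxt, len, type, segleft */
        return RT6_TRUNCATED;
    out->next_header = buf[0];
    out->total_len   = ((size_t)buf[1] + 1) * 8;
    out->type        = buf[2];
    out->segleft     = buf[3];
    out->addr_count  = 0;
    if (out->type == 0) {
        if (buf[1] % 2 != 0)         /* type 0 holds whole 16-byte addresses */
            return RT6_MALFORMED;
        out->addr_count = buf[1] / 2;
    }
    if (out->total_len > caplen)     /* header claims more than was captured */
        return RT6_TRUNCATED;
    return RT6_OK;
}

int main(void)
{
    struct rt6_info info;
    printf("full:      %d\n", rt6_parse(sample_full, sizeof sample_full, &info));
    printf("3 bytes:   %d\n", rt6_parse(sample_full, 3, &info));
    printf("8 bytes:   %d\n", rt6_parse(sample_full, 8, &info));
    printf("odd len:   %d\n", rt6_parse(sample_odd, sizeof sample_odd, &info));
    return 0;
}
```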
Report Stats
  • Report ID: 268804
  • State: Closed
  • Substate: resolved
  • Upvotes: 7