The VTP parser in tcpdump before 4.9.2 has a buffer over-read in print-vtp.c:vtp_print()

Hello, The vulnerable code portion is linked below. The linked function is responsible for printing VTP packet payload information to the terminal (e.g., stdout) https://github.com/the-tcpdump-group/tcpdump/commit/ae83295915d08a854de27a88efac5dd7353e6d3f#diff-8c6895b252e6da31d60a7866973d5787L262-L268 The issue may be reproduced as follows Check out vulnerable tcpdump commit (< 4.9.2) as follows ``` $ git clone -b e0d8ee571438c755ff988f70886f8c4f5e9a8434 https://github.com/the-tcpdump-group/tcpdump Build it with afl and AddressSanitizer as follows (please install libpcap before this step) $ CC=afl-gcc $ AFL_USE_ASAN=1 make -j ``` Run tcpdump against linked payload (link: https://github.com/the-tcpdump-group/tcpdump/blob/ae83295915d08a854de27a88efac5dd7353e6d3f/tests/vtp_asan-3.pcap?raw=true) ``` $ tcpdump -nvr <payload> reading from file /tmp/vtp_asan-3.pcap, link-type MFR (FRF.16 Frame Relay) ================================================================= ==3747==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000015c at pc 0x562e64fcc5d2 bp 0x7ffdd3033300 sp 0x7ffdd30332f0 READ of size 1 at 0x61200000015c thread T0 #0 0x562e64fcc5d1 in fn_printzp util-print.c:217 #1 0x562e64fb757e in vtp_print print-vtp.c:262 #2 0x562e64ea3aae in snap_print print-llc.c:493 #3 0x562e64e0cba5 in fr_print print-fr.c:336 #4 0x562e64e0dc9e in mfr_print print-fr.c:563 #5 0x562e64d57e1e in pretty_print_packet print.c:332 #6 0x562e64d30d8d in print_packet tcpdump.c:2590 #7 0x562e65003a78 in pcap_offline_read savefile.c:561 #8 0x562e64ff29ee in pcap_loop pcap.c:2737 #9 0x562e64d2474d in main tcpdump.c:2093 #10 0x7f9726cb6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #11 0x562e64d2c769 in _start (/home/bhargava/work/github/tcpdump/tcpdump+0x17b769) 0x61200000015c is located 0 bytes to the right of 284-byte region [0x612000000040,0x61200000015c) allocated by thread T0 here: #0 0x7f972737ab50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50) #1 0x562e6500480a in pcap_check_header sf-pcap.c:404 SUMMARY: AddressSanitizer: heap-buffer-overflow util-print.c:217 in fn_printzp Shadow bytes around the buggy address: 0x0c247fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c247fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c247fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c247fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c247fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c247fff8020: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa 0x0c247fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c247fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c247fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c247fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c247fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==3747==ABORTING ``` It is acknowledged here(link: https://github.com/the-tcpdump-group/tcpdump/commit/ae83295915d08a854de27a88efac5dd7353e6d3f) that I (Bhargava Shastry) am the original reporter of the issue. To prove that this hackerone account belongs to me, I have hosted a file with the following message on my github page(link: https://bshastry.github.io/.well-known/hackerone.txt) hello @turtle_shell @hackerone If you have any further queries, please let me know. ## Impact I believe that information disclosure is possible.