VYPR
Unrated severity · NVD Advisory · Published Oct 3, 2019 · Updated Dec 3, 2025

CVE-2018-16451


Description

Buffer over-read in tcpdump's SMB parser before 4.9.3 allows information disclosure or denial of service via crafted SMB packets.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The SMB parser in tcpdump before version 4.9.3 contains buffer over-reads in the print_trans() function in print-smb.c. This occurs when processing crafted SMB packets for the named pipes \MAILSLOT\BROWSE and \PIPE\LANMAN. The over-read can be triggered by capturing or analyzing malicious network traffic or a crafted packet capture file using the vulnerable tcpdump binary.

Exploitation

An attacker does not require authentication or any special network position to exploit this vulnerability. By injecting a specially crafted SMB packet into network traffic that a victim monitors with tcpdump, or by supplying a malicious packet capture file for offline analysis, the attacker can trigger the buffer over-read. No user interaction beyond running tcpdump on the affected data is required.

Impact

Successful exploitation could lead to information disclosure (reading beyond the bounds of the intended buffer, potentially leaking sensitive memory contents) or denial of service via application crash. In some scenarios, the over-read may be leveraged for arbitrary code execution, as noted in the Debian security advisory [4].

Mitigation

The vulnerability is fixed in tcpdump 4.9.3 [4]. Debian has released updated packages for the oldstable (stretch) and stable (buster) distributions under DSA-4547-1 [4]. Users should upgrade to tcpdump version 4.9.3 or later. No workarounds are available; the only remedy is to apply the update.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 11

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds checks before strcmp() calls in the SMB parser allow buffer over-reads."

Attack vector

An attacker crafts a malicious SMB packet with a `bcc` (byte count) field that is non-zero but whose actual payload is shorter than the string constants `"\\MAILSLOT\\BROWSE"` or `"\\PIPE\\LANMAN"`. When tcpdump's SMB parser reaches `print_trans()`, it calls `strcmp()` on `data1 + 2` without a prior bounds check, causing the function to read past the allocated buffer. This can lead to a crash or information disclosure when tcpdump processes the crafted packet [ref_id=1].

Affected code

The vulnerability resides in `print-smb.c` in the `print_trans()` function. The code performs `strcmp()` comparisons against the strings `"\\MAILSLOT\\BROWSE"` and `"\\PIPE\\LANMAN"` without first verifying that the input buffer `data1 + 2` contains at least as many bytes as those string constants, leading to a buffer over-read [ref_id=1].

What the fix does

The patch adds `ND_TCHECK2()` calls before each `strcmp()` to ensure the buffer contains at least `strlen(MAILSLOT_BROWSE_STR) + 1` and `strlen(PIPE_LANMAN_STR) + 1` bytes respectively. If the bounds check fails, `ND_TCHECK2` triggers an exception that safely aborts parsing rather than allowing an over-read. The string constants are also defined as macros to avoid duplication [ref_id=1].
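As an added illustration (constructed for this page, not tcpdump's own code), the C below models the checked comparison sequence described above: a stand-in for `ND_TCHECK2()` runs before each `strcmp()`, so a capture cut off before the terminating NUL is reported as truncated instead of being read past. The sample packets are constructed, the two bytes preceding the pipe name are placeholders, and `classify_trans_pipe()` and `tcheck()` are names assumed here rather than taken from tcpdump.

```c
#include <stdio.h>
#include <string.h>

/* Model of the checked strcmp() sequence tcpdump 4.9.3 adds to
 * print_trans(); constructed for illustration, not tcpdump's code.
 * The parser only holds 'caplen' captured bytes; bcc may claim more. */
#define MAILSLOT_BROWSE_STR "\\MAILSLOT\\BROWSE"
#define PIPE_LANMAN_STR     "\\PIPE\\LANMAN"
enum trans_pipe { TRANS_OTHER, TRANS_MAILSLOT_BROWSE, TRANS_PIPE_LANMAN, TRANS_TRUNCATED };

/* Stand-in for ND_TCHECK2(*p, n): true only if n bytes from p are captured. */
static int tcheck(const unsigned char *p, size_t n, const unsigned char *end)
{
    return p <= end && n <= (size_t)(end - p);
}

/* data1 points two bytes before the pipe name; caplen counts captured bytes
 * from data1 onward. Before each strcmp() we require strlen(STR) + 1 bytes,
 * so the NUL that strcmp() runs up to is known to be in the capture.
 * Like ND_TCHECK2, a failed check aborts parsing instead of comparing. */
enum trans_pipe classify_trans_pipe(const unsigned char *data1, size_t caplen)
{
    const unsigned char *end = data1 + caplen;
    const unsigned char *name = data1 + 2;
    if (!tcheck(name, strlen(MAILSLOT_BROWSE_STR) + 1, end))
        return TRANS_TRUNCATED;          /* the unpatched code would read on */
    if (strcmp((const char *)name, MAILSLOT_BROWSE_STR) == 0)
        return TRANS_MAILSLOT_BROWSE;
    if (!tcheck(name, strlen(PIPE_LANMAN_STR) + 1, end))
        return TRANS_TRUNCATED;
    if (strcmp((const char *)name, PIPE_LANMAN_STR) == 0)
        return TRANS_PIPE_LANMAN;
    return TRANS_OTHER;
}

/* Constructed sample captures: two placeholder header bytes, then the name.
 * PKT_SHORT is passed with caplen = sizeof - 1, i.e. cut before the NUL:
 * the crafted case where bcc is non-zero but the payload is too short. */
static const unsigned char PKT_BROWSE[] = "\0\0" MAILSLOT_BROWSE_STR;
static const unsigned char PKT_LANMAN[] = "\0\0" PIPE_LANMAN_STR "\0\0\0\0";
static const unsigned char PKT_SHORT[]  = "\0\0\\MAILSLOT\\BRO";

int main(void)
{
    printf("browse=%d lanman=%d short=%d\n",
           classify_trans_pipe(PKT_BROWSE, sizeof PKT_BROWSE),
           classify_trans_pipe(PKT_LANMAN, sizeof PKT_LANMAN),
           classify_trans_pipe(PKT_SHORT, sizeof PKT_SHORT - 1));
    return 0;
}
```

Because the first check demands the longer name's terminator, a capture that ends right after a shorter name is reported as truncated rather than compared, which is the fail-closed behaviour of `ND_TCHECK2`.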

Preconditions

  • network: The attacker must be able to send or inject a crafted SMB packet onto a network that tcpdump is monitoring.
  • config: The target must be running a version of tcpdump prior to 4.9.3.
  • input: The crafted packet must have a non-zero bcc field but a payload shorter than the compared string constants.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 16

News mentions: 0

No linked articles in our index yet.