VYPR
Unrated severity · NVD Advisory · Published Oct 3, 2019 · Updated Dec 3, 2025

lmp_print in tcpdump lacks certain boundary checks

CVE-2019-15166

Description

Missing bounds checks in tcpdump's LMP parser before 4.9.3 allow out-of-bounds reads via crafted packets, leading to crash or info disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In tcpdump versions prior to 4.9.3, the lmp_print_data_link_subobjs() function in print-lmp.c lacks bounds checks when parsing LMP data link subobjects. This allows out-of-bounds reads when processing crafted packets [4].

Exploitation

An attacker can send a specially crafted LMP packet over the network to a system running a vulnerable version of tcpdump. No authentication or special privileges are required; the attacker only needs to be able to send packets to the network interface being monitored. The victim's tcpdump process will read beyond allocated memory bounds.

Impact

Successful exploitation may cause tcpdump to crash (denial of service) or leak sensitive memory contents (information disclosure). The added bounds checks in the fix prevent these out-of-bounds accesses [4].

Mitigation

The vulnerability is fixed in tcpdump version 4.9.3, released on October 5, 2019. Users should upgrade to version 4.9.3 or later [4].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"Missing bounds checks in lmp_print_data_link_subobjs() allow reading beyond captured packet data."

Attack vector

An attacker can craft a malformed LMP packet with truncated sub-objects that cause `lmp_print_data_link_subobjs()` to read beyond the captured packet data [ref_id=1]. The function reads sub-object fields (e.g., switching type, encoding type, wavelength, bandwidth) without first checking that the required bytes are present in the snapshot [ref_id=1]. When the packet is shorter than expected, the missing bounds checks lead to an out-of-bounds read, which can crash tcpdump or leak memory [ref_id=1]. The attacker only needs to send a single crafted UDP packet to a target running tcpdump and capturing LMP traffic.

Affected code

The vulnerability is in the `lmp_print_data_link_subobjs()` function in `print-lmp.c` [ref_id=1]. The function iterates over sub-objects in an LMP Data Link object but lacks bounds checks before reading fields such as sub-object type, length, switching type, encoding type, and bandwidth values [ref_id=1]. The patch adds `ND_TCHECK_*` macros at multiple read points to ensure the captured packet data is long enough before extraction [ref_id=1].

What the fix does

The patch adds `ND_TCHECK_16BITS`, `ND_TCHECK_8BITS`, and `ND_TCHECK_32BITS` calls before each field read in `lmp_print_data_link_subobjs()` [ref_id=1]. These macros verify that the specified number of bytes is available within the captured packet boundary before the data is extracted [ref_id=1]. If a check fails, control jumps to the `trunc` label, which now prints `[|LMP]` instead of the misleading `"packet exceeded snapshot"` message [ref_id=1]. This prevents out-of-bounds reads from truncated packets.
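The check-before-read pattern described above, as an added C example that is not tcpdump's source code. The names `parse_subobjs` and `have_bytes`, the return codes, the sample bytes, and the simplified sub-object layout are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not tcpdump source; all names here are hypothetical. */
enum { PARSE_OK = 0, PARSE_TRUNC = -1, PARSE_BAD = -2 };

/* Constructed sample: type=1, len=12, switching, encoding, min bw, max bw. */
static const uint8_t sample[12] = {1, 12, 0x33, 0x02, 0, 0, 0, 1, 0, 0, 0, 2};

/* Are n bytes starting at off inside the captured data? Written to avoid overflow. */
static int have_bytes(size_t caplen, size_t off, size_t n)
{
    return off <= caplen && n <= caplen - off;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* buf holds caplen captured bytes; total_len is the length the packet claims. */
int parse_subobjs(const uint8_t *buf, size_t caplen, size_t total_len, uint32_t *max_bw)
{
    size_t off = 0;
    while (off < total_len) {
        if (!have_bytes(caplen, off, 2))            /* type + length octets */
            return PARSE_TRUNC;
        uint8_t type = buf[off], len = buf[off + 1];
        if (len < 4 || len % 4 != 0 || len > total_len - off)
            return PARSE_BAD;                       /* also stops a zero-length loop */
        if (type == 1) {                            /* switching-type sub-object */
            if (len < 12) return PARSE_BAD;
            if (!have_bytes(caplen, off + 2, 10))   /* covers every field read below */
                return PARSE_TRUNC;
            *max_bw = be32(buf + off + 8);
        }
        off += len;
    }
    return PARSE_OK;
}

int main(void)
{
    uint32_t bw = 0;
    printf("full capture: %d\n", parse_subobjs(sample, 12, 12, &bw));
    printf("cut at 6:     %d\n", parse_subobjs(sample, 6, 12, &bw));
    return 0;
}
```

The claimed length (`total_len`) and the captured length (`caplen`) are kept separate on purpose: a truncated capture yields `PARSE_TRUNC` instead of a read past the buffer.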

Preconditions

  • config: Target must be running a vulnerable version of tcpdump (before 4.9.3) and capturing LMP traffic
  • network: Attacker must be able to send a crafted UDP packet containing a malformed LMP Data Link sub-object to the target

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
