A deliberately malformed TCP SYN packet with option 20 (0x14) can cause the
filterlog daemon to crash with a segmentation fault, which causes all logging of
packets from firewall rules to cease.
Option 20 is SCPS-TP, which is a space communications version of TCP and not an
option typically found on the Internet in general. The SCPS Capabilities Option
should be sent in a TCP SYN packet and contain four fields of one byte each and
begin with 0x14 0x04 (Kind=20, Length=4).
A malformed packet that causes a segmentation fault in filterlog omits the two
mandatory fields "Capabilities Option Bit-Vector" and "Connection ID" and
changes the option length to 0x02, which breaks the SCPS-TP standard but follows
the TCP Options standard in general. The packet passes TCP option parsers that
don't specifically care about SCPS-TP.
The packet processing code in filterlog, which comes directly from tcpdump,
incorrectly defines TCPOPT_AUTH as the wrong option. The switch case for
TCPOPT_AUTH in filterlog incorrectly subtracts from the option length, resulting
in a segmentation fault when the next option is read.
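
The length validation this class of bug calls for, as an added example in C. It is not filterlog's or tcpdump's code; the function name, return codes and sample bytes are constructed for illustration. Each option length is checked against the generic TCP rules, and Kind 20 against its fixed length of 4, before the parser advances.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPT_EOL   0
#define OPT_NOP   1
#define OPT_SCPS 20   /* SCPS Capabilities: Kind=20, Length=4 per the text above */

/* Walk a TCP options area. Returns 0 if every option is well formed,
 * -1 on a generic TCP framing error, -2 if an SCPS Capabilities option
 * is present with a length other than 4. (Return codes are hypothetical.) */
int check_tcp_options(const uint8_t *opt, size_t optlen)
{
    size_t i = 0;
    while (i < optlen) {
        uint8_t kind = opt[i];
        if (kind == OPT_EOL)
            return 0;
        if (kind == OPT_NOP) {       /* single-byte option, no length field */
            i++;
            continue;
        }
        if (optlen - i < 2)          /* no room for the length byte */
            return -1;
        uint8_t len = opt[i + 1];
        if (len < 2 || len > optlen - i)
            return -1;               /* must cover kind+len and fit the buffer */
        if (kind == OPT_SCPS && len != 4)
            return -2;               /* valid TCP framing, invalid SCPS-TP */
        i += len;                    /* advance only by a validated length */
    }
    return 0;
}

/* Constructed sample option areas (not captured traffic). */
const uint8_t scps_ok[]    = { 0x14, 0x04, 0x00, 0x00 };  /* Kind=20, Length=4 */
const uint8_t scps_short[] = { 0x14, 0x02, 0x01, 0x01 };  /* Length=2, NOP padding */
const uint8_t truncated[]  = { 0x02, 0x04, 0x05 };        /* length exceeds buffer */

int main(void)
{
    printf("ok=%d short=%d truncated=%d\n",
           check_tcp_options(scps_ok, sizeof scps_ok),
           check_tcp_options(scps_short, sizeof scps_short),
           check_tcp_options(truncated, sizeof truncated));
    return 0;
}
```
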
A packet with the SCPS Capabilities option adhering to the standard should be 4
bytes long and will not trigger this bug. A shortened SCPS option must be
An affected version of filterlog which receives this malformed packet will crash,
which stops further logging, potentially denying access to information about a