Patch by Robert Scheck for dsniff >= 2.4b1 which fixes possible
segmentation faults of arpspoof, sshmitm, webmitm and webspy if any non-
resolving hostname is passed. Issue was introduced by dsniff-2.4-libnet_11.patch;
libnet_name_resolve() was replaced by libnet_name2addr4() while there must be the
structure libnet_t passed additionally. And if that structure is not initialized
using libnet_init() and the passed name can't be resolved (like "192.168.2."), it
causes a snprintf() to NULL and thus the segmentation fault. Note that macof isn't
affected as no resolving was involved here ever. Please also have a look to Red Hat
Bugzilla ID #1009879 for further information.

--- dsniff-2.4/sshmitm.c 2013-12-20 21:19:58.000000000 +0100
+++ dsniff-2.4/sshmitm.c.libnet_name2addr4 2013-12-20 21:29:44.000000000 +0100
@@ -45,6 +45,8 @@
 struct sockaddr_in csin, ssin;
 int sig_pipe[2];
+static libnet_t *l;
+
 static void
 usage(void)
 {
@@ -364,6 +366,7 @@
 u_long ip;
 u_short lport, rport;
 int c;
+ char libnet_ebuf[LIBNET_ERRBUF_SIZE];
 lport = rport = 22;
@@ -390,12 +393,15 @@
 if (argc < 1)
 usage();
- if ((ip = libnet_name2addr4(NULL, argv[0], LIBNET_RESOLVE)) == -1)
- usage();
-
 if (argc == 2 && (rport = atoi(argv[1])) == 0)
 usage();
+ if ((l = libnet_init(LIBNET_LINK, NULL, libnet_ebuf)) == NULL)
+ errx(1, "%s", libnet_ebuf);
+
+ if ((ip = libnet_name2addr4(l, argv[0], LIBNET_RESOLVE)) == -1)
+ usage();
+
 record_init(NULL);
 mitm_init(lport, ip, rport);
--- dsniff-2.4/webmitm.c 2013-12-20 21:19:58.000000000 +0100
+++ dsniff-2.4/webmitm.c.libnet_name2addr4 2013-12-20 21:40:09.000000000 +0100
@@ -47,6 +47,8 @@
 int do_ssl, sig_pipe[2];
 in_addr_t static_host = 0;
+static libnet_t *l;
+
 extern int decode_http(char *, int, char *, int);
 static void
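Review bot: The `== -1` failure test in sshmitm.c (@@ -390) cannot fire on 64-bit builds as long as `ip` stays `u_long`, which is how the context line of the @@ -364 hunk declares it. libnet_name2addr4() returns a 32-bit value as far as I know, so where `u_long` is 64 bits wide the failure value widens to 0xffffffff and never equals `-1` after conversion; an unresolvable name would then be accepted as an address instead of reaching usage(). Declaring it as `in_addr_t ip;`, the type webmitm.c already uses for `static_host`, makes the comparison hold on both word sizes. main() begins and ends outside these hunks.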
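Review bot: A full link-layer context is opened in sshmitm.c @@ -390 (`LIBNET_LINK` with a NULL device) although on the visible lines `l` is only handed to libnet_name2addr4(); the same pattern is added in webmitm.c (@@ -509) and webspy.c (@@ -205). Name resolution now depends on libnet finding and opening a default device with the privileges that requires, and in these three files the handle is never released. If the libnet release being built against offers an injection type that opens no device (newer ones define `LIBNET_NONE`, as far as I know), prefer it here. Where `l` has no later use, which looks to be the case in sshmitm.c and webspy.c but should be confirmed, call `libnet_destroy(l);` once the address is resolved, as the arpspoof.c hunk does.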
@@ -242,7 +244,7 @@
 word = buf_tok(&msg, "/", 1);
 vhost = buf_strdup(word);
 }
- ssin.sin_addr.s_addr = libnet_name2addr4(NULL, vhost, 1);
+ ssin.sin_addr.s_addr = libnet_name2addr4(l, vhost, LIBNET_RESOLVE);
 free(vhost);
 if (ssin.sin_addr.s_addr == ntohl(INADDR_LOOPBACK) ||
@@ -496,6 +498,7 @@
 extern char *optarg;
 extern int optind;
 int c;
+ char libnet_ebuf[LIBNET_ERRBUF_SIZE];
 while ((c = getopt(argc, argv, "dh?V")) != -1) {
 switch (c) {
@@ -509,8 +512,11 @@
 argc -= optind;
 argv += optind;
+ if ((l = libnet_init(LIBNET_LINK, NULL, libnet_ebuf)) == NULL)
+ errx(1, "%s", libnet_ebuf);
+
 if (argc == 1) {
- if ((static_host = libnet_name2addr4(NULL, argv[0], 1)) == -1)
+ if ((static_host = libnet_name2addr4(l, argv[0], LIBNET_RESOLVE)) == -1)
 usage();
 } else if (argc != 0) usage();
--- dsniff-2.4/webspy.c 2013-12-20 21:19:58.000000000 +0100
+++ dsniff-2.4/webspy.c.libnet_name2addr4 2013-12-20 21:45:57.000000000 +0100
@@ -33,6 +33,7 @@
 extern int mozilla_remote_commands (Display *, Window, char **);
 char *expected_mozilla_version = "4.7";
 char *progname = "webspy";
+static libnet_t *l;
 Display *dpy;
 char cmd[2048], *cmdtab[2];
@@ -183,6 +184,7 @@
 extern char *optarg;
 extern int optind;
 int c;
+ char libnet_ebuf[LIBNET_ERRBUF_SIZE];
 while ((c = getopt(argc, argv, "i:p:h?V")) != -1) {
 switch (c) {
@@ -205,7 +207,10 @@
 cmdtab[0] = cmd;
 cmdtab[1] = NULL;
- if ((host = libnet_name2addr4(NULL, argv[0], 1)) == -1)
+ if ((l = libnet_init(LIBNET_LINK, NULL, libnet_ebuf)) == NULL)
+ errx(1, "%s", libnet_ebuf);
+
+ if ((host = libnet_name2addr4(l, argv[0], LIBNET_RESOLVE)) == -1)
 errx(1, "unknown host");
 if ((dpy = XOpenDisplay(NULL)) == NULL)
--- dsniff-2.4/arpspoof.c 2013-12-20 22:00:53.000000000 +0100
+++ dsniff-2.4/arpspoof.c.libnet_name2addr4 2013-12-20 22:00:38.000000000 +0100
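Review bot: The resolver call in webmitm.c @@ -242 now relies on the file-scope `l` having been set by libnet_init() in main() before any request is handled, and nothing at the call site records that precondition. A comment such as `/* l is initialised in main(); a NULL context crashes when the lookup fails */` would keep it visible to whoever next touches this path. The name being resolved (`vhost`) appears to come from the request, and the failure return is not tested on the visible lines; the `if` that starts on the hunk's last line continues outside it, so confirm that it rejects the -1 result before the address is used. The enclosing function starts and ends outside the hunk.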
@@ -207,6 +207,9 @@
 /* allocate enough memory for target list */
 targets = calloc( argc+1, sizeof(struct host) );
+ if ((l = libnet_init(LIBNET_LINK, NULL, libnet_ebuf)) == NULL)
+ errx(1, "%s", libnet_ebuf);
+
 while ((c = getopt(argc, argv, "ri:t:c:h?V")) != -1) {
 switch (c) {
 case 'i':
@@ -263,6 +266,8 @@
 if ((spoof.ip = libnet_name2addr4(l, argv[0], LIBNET_RESOLVE)) == -1)
 usage();
+ libnet_destroy(l);
+
 if (intf == NULL && (intf = pcap_lookupdev(pcap_ebuf)) == NULL)
 errx(1, "%s", pcap_ebuf);
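Review bot: In arpspoof.c @@ -207 libnet_init() runs before getopt() with a NULL device, so the program can exit through errx() before any option has been parsed, including the help and version switches. It also means this context is opened on libnet's default device even when `-i` names another interface. `l` and `libnet_ebuf` are not declared in this hunk and presumably already exist elsewhere in the file; main() starts and ends outside it. If the early handle exists only so that option arguments can be resolved during parsing, say so with a comment such as `/* temporary context: only used for name resolution while parsing options */`.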
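Review bot: After `libnet_destroy(l);` in arpspoof.c @@ -263 the pointer still holds the freed handle, and the rest of main() lies outside the hunk. Any later use of `l` without a fresh libnet_init() would be a use-after-free, so follow the call with `l = NULL;` or confirm that `l` is reassigned before it is next used. A NULL handle would at least fail visibly rather than touch freed memory.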