
[Bug]heap-buff-overflow in tcpreplay with get_next_packet() #619

Closed
zzuf666 opened this issue Oct 20, 2020 · 1 comment
zzuf666 commented Oct 20, 2020

Describe the bug
heap-buff-overflow in tcpreplay with get_next_packet()

ASAN report

=================================================================
==75256==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000210 at pc 0x000000495b27 bp 0x7ffd73bf07f0 sp 0x7ffd73beffb8
READ of size 74 at 0x603000000210 thread T0
    #0 0x495b26 in __asan_memcpy (/programs/tcpreplay/asan/usr/local/bin/tcpreplay+0x495b26)
    #1 0x4c7f74 in get_next_packet /programs/tcpreplay/tcpreplay-4.3.3/src/send_packets.c:1060:21
    #2 0x4c7724 in preload_pcap_file /programs/tcpreplay/tcpreplay-4.3.3/src/send_packets.c:442:23
    #3 0x4ce64c in main /programs/tcpreplay/tcpreplay-4.3.3/src/tcpreplay.c:126:13
    #4 0x7faac54110b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41c65d in _start (/programs/tcpreplay/asan/usr/local/bin/tcpreplay+0x41c65d)

0x603000000210 is located 0 bytes to the right of 32-byte region [0x6030000001f0,0x603000000210)
allocated by thread T0 here:
    #0 0x4969e9 in realloc (/programs/tcpreplay/asan/usr/local/bin/tcpreplay+0x4969e9)
    #1 0x7faac57bcd77  (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x23d77)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/programs/tcpreplay/asan/usr/local/bin/tcpreplay+0x495b26) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8010: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fff8020: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fd
  0x0c067fff8030: fa fa 00 00 02 fa fa fa fd fd fd fd fa fa 00 00
=>0x0c067fff8040: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==75256==ABORTING

To Reproduce
Steps to reproduce the behavior:

  1. install tcpreplay 4.3.3
  2. run replay as:
    tcpreplay -i eth0 -tK [poc_file]

Expected behavior
refuse abnormal input and exit, without throwing bug information

System

  • OS: Ubuntu_20.04.1 x86_64
  • Tcpreplay Version 4.3.3
    tcpreplay -V
    tcpreplay version: 4.3.3 (build git:v4.3.3)
    Copyright 2013-2018 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
    Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
    The entire Tcpreplay Suite is licensed under the GPLv3
    Cache file supported: 04
    Not compiled with libdnet.
    Compiled against libpcap: 1.9.1
    64 bit packet counters: enabled
    Verbose printing via tcpdump: disabled
    Packet editing: disabled
    Fragroute engine: disabled
    Injection method: PF_PACKET send()
    Not compiled with netma

Additional context
poc_file
tcpreplay_crash_1.zip

@zzuf666 zzuf666 changed the title [Bug] [Bug]heap-buff-overflow in tcpreplay with get_next_packet() Oct 20, 2020
@fklassen fklassen self-assigned this Feb 24, 2021
@fklassen fklassen added the bug label Feb 24, 2021
fklassen added a commit that referenced this issue Mar 13, 2021
…t_packet

Bug #619 buffer overflow get_next_packet()
@fklassen
Member

Fix use of len instead of caplen to prevent copying uninitialized data. Fixed in PR #639
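The defect the fix describes, as an added illustration in C (not tcpreplay's or libpcap's code): a pcap buffer holds only caplen bytes, so sizing the memcpy by the on-the-wire len reads past the allocation, exactly the 74-byte read from a 32-byte region in the ASAN report above. The struct pkthdr, MAX_PACKET, and both functions are constructed stand-ins; the hardened copy uses caplen and refuses inconsistent headers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for libpcap's struct pcap_pkthdr (not tcpreplay code):
 * caplen = bytes actually present in the buffer, len = on-the-wire length. */
struct pkthdr {
    uint32_t caplen;
    uint32_t len;
};

#define MAX_PACKET 65535u

/* The buggy pattern: it sizes the read by len, although the pcap buffer only
 * holds caplen bytes. Returns 1 when that read would run past the `available`
 * bytes the buffer really has (the heap-buffer-overflow ASAN flagged). */
int len_read_overflows(const struct pkthdr *h, size_t available) {
    return (size_t)h->len > available;
}

/* Hardened copy: size the copy by caplen, and reject headers whose caplen
 * exceeds the wire length (inconsistent capture), the source buffer, or the
 * destination. Returns bytes copied, or -1 when the packet is refused. */
long copy_packet(const struct pkthdr *h, const uint8_t *src, size_t available,
                 uint8_t *dst, size_t dstsize) {
    if (h->caplen > h->len || h->caplen > MAX_PACKET)
        return -1;                 /* malformed header: refuse, do not trust */
    if (h->caplen > available || h->caplen > dstsize)
        return -1;                 /* would read or write out of bounds */
    memcpy(dst, src, h->caplen);   /* copy only what was actually captured */
    return (long)h->caplen;
}

int main(void) {
    /* Constructed packet mirroring the report: 32 bytes captured, len = 74. */
    uint8_t pkt[32];
    uint8_t out[MAX_PACKET];
    struct pkthdr h = { .caplen = 32, .len = 74 };
    memset(pkt, 0xAB, sizeof pkt);
    printf("len-based read overflows: %d\n", len_read_overflows(&h, sizeof pkt));
    printf("caplen-based copy: %ld bytes\n",
           copy_packet(&h, pkt, sizeof pkt, out, sizeof out));
    return 0;
}
```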
