I have found 2 bugs in pcapfix-1.1.7 using honggfuzz.
1- exceeds maximum in pcapng.c
The fuzzing report is as follows.
```
[*] Reading from file: SIGSEGV-toomuchspace
[*] Writing to file: fixed_SIGSEGV-toomuchspace
[*] File size: 1538 bytes.
[+] This is a PCAPNG file.
[-] Unknown Byte Order Magic: 0x20747970 ==> CORRECTED.
[-] Major version number: 15437 ==> CORRECTED.
[-] Minor version number: 6699 ==> CORRECTED.
[-] Unknown option code: 0xffff (65535 bytes) ==> SKIPPING.
[-] Block size mismatch (0xffffffff != 0x000000ac) ==> CORRECTED.
[-] Found 914 bytes of unknown data ==> SKIPPING.
[*] Progress: 61.51 %
[-] Missing IDB for Interface #0 ==> CREATING (#0).
[*] Progress: 69.05 %
[-] Probably corrupted Interface ID #917504 (too high?) ==> CORRECTED.
[-] Missing IDB for Interface #1 ==> CREATING (#1).
[-] Enhanced packet data exceeds packet capture length (144839054 > 76) ==> CORRECTED.
[-] Block size mismatch (0x00000007 != 0x0000006c) ==> CORRECTED.
[-] Found 100 bytes of unknown data ==> SKIPPING.
[*] Progress: 82.57 %
[-] Invalid Block size => CORRECTED.
==2193==ERROR: AddressSanitizer: requested allocation size 0xfffffffffffffffc (0x800 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
[Detaching after fork from child process 2197]
    #0 0x49647d in malloc (/home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcapfix+0x49647d)
    #1 0x4d666f in fix_pcapng /home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcapng.c:678:16
    #2 0x4c6d1e in main /home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcapfix.c
```
I think the flaw may be within the fix_pcapng function (line number 678) in pcapng.c, as follows. The range of the variable padding should be checked.
```c
/* read packet data from input file */
data = malloc(padding); //line number 678
bytes = fread(data, padding, 1, pcap);
left -= padding;
```
2- stackoverflow in pcap.c
The fuzzing report is as follows.
```
[*] Reading from file: SIGABRT-stackoverflow1
[*] Writing to file: fixed_SIGABRT-stackoverflow1
[*] File size: 262170 bytes.
[*] Unknown file type. Assuming PCAP format.
[*] Analyzing Global Header...
[-] The global pcap header seems to be missing ==> CORRECTED!
[*] Analyzing packets...
[*] End of file reached. Aligning last packet.
==2496==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffda60 at pc 0x00000043429e bp 0x7ffffffbd850 sp 0x7ffffffbd018
WRITE of size 262154 at 0x7fffffffda60 thread T0
[Attaching after Thread 0x7ffff7c21800 (LWP 2496) fork to child process 2500]
[New inferior 2 (process 2500)]
[Detaching after fork from parent process 2496]
[Inferior 1 (process 2496) detached]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
process 2500 is executing new program: /usr/lib/llvm-11/bin/llvm-symbolizer
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    #0 0x43429d in fread (/home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcapfix+0x43429d)
    #1 0x4cb06f in fix_pcap_packets /home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcap.c:627:19
    #2 0x4c8fb0 in fix_pcap /home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcap.c:353:9
    #3 0x4c6dba in main /home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcapfix.c
    #4 0x7ffff7c4a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
```
I think the flaw may be within the fix_pcap_packets function (line number 627) in pcap.c, as follows.
```c
/* read the packets body (size based on the just found next packets position) */
fseeko(pcap, pos+sizeof(packet_hdr), SEEK_SET);
bytes = fread(&buffer, conint(packet_hdr.incl_len), 1, pcap); //line number 627
```