Rup0rt / pcapfix

repair corrupted pcap files
http://f00l.de/pcapfix/
GNU General Public License v3.0

Honggfuzz reports 1 exceeds-maximum bug and 1 stack-overflow bug in pcapfix-1.1.7 #28

Open zyan008 opened 2 years ago

zyan008 commented 2 years ago

I have found 2 bugs in pcapfix-1.1.7 using honggfuzz.

1- exceeds maximum in pcapng.c. The fuzzing report is as follows.

    [*] Reading from file: SIGSEGV-toomuchspace
    [*] Writing to file: fixed_SIGSEGV-toomuchspace
    [*] File size: 1538 bytes.
    [+] This is a PCAPNG file.
    [-] Unknown Byte Order Magic: 0x20747970 ==> CORRECTED.
    [-] Major version number: 15437 ==> CORRECTED.
    [-] Minor version number: 6699 ==> CORRECTED.
    [-] Unknown option code: 0xffff (65535 bytes) ==> SKIPPING.
    [-] Block size mismatch (0xffffffff != 0x000000ac) ==> CORRECTED.
    [-] Found 914 bytes of unknown data ==> SKIPPING.
    [*] Progress: 61.51 %
    [-] Missing IDB for Interface #0 ==> CREATING (#0).
    [*] Progress: 69.05 %
    [-] Probably corrupted Interface ID #917504 (too high?) ==> CORRECTED.
    [-] Missing IDB for Interface #1 ==> CREATING (#1).
    [-] Enhanced packet data exceeds packet capture length (144839054 > 76) ==> CORRECTED.
    [-] Block size mismatch (0x00000007 != 0x0000006c) ==> CORRECTED.
    [-] Found 100 bytes of unknown data ==> SKIPPING.
    [*] Progress: 82.57 %
    [-] Invalid Block size => CORRECTED.

    ==2193==ERROR: AddressSanitizer: requested allocation size 0xfffffffffffffffc (0x800 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    [Detaching after fork from child process 2197]
        #0 0x49647d in malloc (/home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcapfix+0x49647d)
        #1 0x4d666f in fix_pcapng /home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcapng.c:678:16
        #2 0x4c6d1e in main /home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcapfix.c

I think the flaw may be within the fix_pcapng function (line number 678) in pcapng.c, as follows. The range of the variable padding should be checked.

    /* read packet data from input file */
    data = malloc(padding);   //line number 678
    bytes = fread(data, padding, 1, pcap);
    left -= padding;

2- stack overflow in pcap.c. The fuzzing report is as follows.

    [*] Reading from file: SIGABRT-stackoverflow1
    [*] Writing to file: fixed_SIGABRT-stackoverflow1
    [*] File size: 262170 bytes.
    [*] Unknown file type. Assuming PCAP format.
    [*] Analyzing Global Header...
    [-] The global pcap header seems to be missing ==> CORRECTED!
    [*] Analyzing packets...
    [*] End of file reached. Aligning last packet.

    ==2496==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffda60 at pc 0x00000043429e bp 0x7ffffffbd850 sp 0x7ffffffbd018
    WRITE of size 262154 at 0x7fffffffda60 thread T0
    [Attaching after Thread 0x7ffff7c21800 (LWP 2496) fork to child process 2500]
    [New inferior 2 (process 2500)]
    [Detaching after fork from parent process 2496]
    [Inferior 1 (process 2496) detached]
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    process 2500 is executing new program: /usr/lib/llvm-11/bin/llvm-symbolizer
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
        #0 0x43429d in fread (/home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcapfix+0x43429d)
        #1 0x4cb06f in fix_pcap_packets /home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcap.c:627:19
        #2 0x4c8fb0 in fix_pcap /home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcap.c:353:9
        #3 0x4c6dba in main /home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcapfix.c
        #4 0x7ffff7c4a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

I think the flaw may be within the fix_pcap_packets function (line number 627) in pcap.c, as follows.

      /* read the packets body (size based on the just found next packets position) */
      fseeko(pcap, pos+sizeof(packet_hdr), SEEK_SET);
      bytes = fread(&buffer, conint(packet_hdr.incl_len), 1, pcap);  //line number 627

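A hardened counterpart to the two reads above, as an added example that is not pcapfix code: the pcapng body length is only derived once the block's claimed total length is known to cover its own fixed header (the unchecked subtraction is what produces a (size_t)-4, i.e. the 0xfffffffffffffffc malloc size in the report), and the pcap packet body is only read once incl_len is known to fit both the destination buffer and the bytes left in the file. The function names, the header-size argument, the 64-byte buffer and the sample bytes are assumptions; the 262154-byte length is the one from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened helpers (added example, not pcapfix code). */

/* pcapng: body length of a block from its claimed total length. The unchecked
 * form `total_len - hdr_len` wraps to (size_t)-4 when a block claims fewer
 * bytes than its own fixed header. Returns 0 and sets *body_len if sane. */
int checked_body_len(uint32_t total_len, uint32_t hdr_len, uint32_t left,
                     size_t *body_len) {
    if (total_len < hdr_len) return -1;        /* subtraction would underflow */
    if (total_len - hdr_len > left) return -1; /* runs past the enclosing data */
    *body_len = total_len - hdr_len;
    return 0;
}

/* pcap: read a packet body into a fixed-size caller buffer only if incl_len
 * fits the buffer and the bytes remaining in the file. */
int read_packet_body(FILE *fp, long body_pos, uint32_t incl_len, long file_size,
                     unsigned char *buf, size_t buf_size) {
    if (incl_len > buf_size) return -1;                         /* buffer overflow */
    if (body_pos < 0 || body_pos > file_size) return -1;
    if (incl_len > (uint64_t)(file_size - body_pos)) return -1; /* past EOF */
    if (fseek(fp, body_pos, SEEK_SET) != 0) return -1;
    if (incl_len == 0) return 0;
    return fread(buf, incl_len, 1, fp) == 1 ? 0 : -1;
}

/* Constructed demo: a temp file holding a 4-byte body, probed with the
 * 262154-byte incl_len from the report, an incl_len that overruns EOF, and an
 * honest one. Returns 0 when every unsafe read is refused and the honest one
 * succeeds, and when the pcapng length check rejects the underflow case. */
int demo(void) {
    static const unsigned char body[4] = { 0xde, 0xad, 0xbe, 0xef };
    unsigned char buf[64];
    size_t len = 0;
    FILE *fp = tmpfile();
    if (!fp || fwrite(body, 1, sizeof body, fp) != sizeof body) return -1;
    int bad_len = read_packet_body(fp, 0, 262154u, 4, buf, sizeof buf);
    int bad_eof = read_packet_body(fp, 0, 8u, 4, buf, sizeof buf);
    int ok      = read_packet_body(fp, 0, 4u, 4, buf, sizeof buf);
    fclose(fp);
    size_t naive = (size_t)8u - 12u;                   /* unchecked math wraps */
    int underflow = checked_body_len(8u, 12u, 1024u, &len);
    int sane = checked_body_len(20u, 12u, 1024u, &len);
    return (bad_len == -1 && bad_eof == -1 && ok == 0 && memcmp(buf, body, 4) == 0 &&
            naive == (size_t)-4 && underflow == -1 && sane == 0 && len == 8) ? 0 : 1;
}
```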
Rup0rt commented 2 years ago

Thanks for reporting those issues! Can you please supply the pcap files you used to trigger the bugs?

zyan008 commented 2 years ago

OK. This is the POC including these two flaws: POC.zip.