Describe the bug
Multiple floating point error (division-by-zero) bugs were discovered in the tcprewrite binary while calculating the offset of the random segment. The issue can be triggered in the function fuzzing() at fuzzing.c:244, 182 and 232.

To Reproduce
Steps to reproduce the behavior:
1. Compile tcpreplay according to the default configuration
2. Execute the command
The PoC can be found here.

Expected behavior
An attacker can exploit this vulnerability by submitting a malicious pcap that triggers this issue. This will result in a Denial of Service (DoS) when the application attempts to process the file.

Possible cause of the vulnerabilities: when calculating the size of the segment, the divisor of the modulo operation, (l4len - 1), may be equal to 0.

When I audited the source code, I found several similar problems in the fuzzing.c file, such as at line 182:

```c
uint32_t new_len = (r % ((l4len) - 1)) + 1;
```

and at line 232:

```c
uint32_t offset = ((r >> 16) % (l4len - 1)) + 1;
```

Besides, the static inline function fuzz_get_sgt_size also has this problem, and it may be called from multiple places in the fuzzing() function (although I didn't generate a specific PoC):

```c
static inline int
fuzz_get_sgt_size(uint32_t r, uint32_t caplen)
{
    if (0 == caplen)
        return 0;
    if (caplen <= SGT_MAX_SIZE)
        /* packet too small, fuzzing only one byte */
        return 1;
    /* return random value between 1 and SGT_MAX_SIZE */
    return (1 + (r % (SGT_MAX_SIZE - 1)));
}
```

System (please complete the following information):
- OS version: Ubuntu 16.04
- Tcpreplay version: 4.3.2 / master branch

Additional
Thanks to @fklassen for maintaining and patching tcpreplay-utils. I have carefully checked the issues I submitted in May (issues 576-579), and they have been patched successfully.
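As an added example (not tcpreplay's code and not the maintainer's fix), the two expressions quoted above are shown beside a hardened form that refuses the computation when l4len < 2, the case in which the modulus (l4len - 1) is 0; the helper names and the choice to skip the fuzzing action instead of crashing are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical hardened helpers mirroring the two expressions quoted from
 * fuzzing.c. Each guards the divisor (l4len - 1), which is 0 when l4len == 1
 * (SIGFPE on integer modulo by zero) and wraps to UINT32_MAX when l4len == 0.
 * Returning false lets the caller skip this fuzzing action for the packet. */

/* fuzzing.c:182  new_len = (r % (l4len - 1)) + 1 */
bool safe_fuzz_new_len(uint32_t r, uint32_t l4len, uint32_t *new_len)
{
    if (l4len < 2)          /* payload too small for a random length in [1, l4len-1] */
        return false;
    *new_len = (r % (l4len - 1)) + 1;
    return true;
}

/* fuzzing.c:232  offset = ((r >> 16) % (l4len - 1)) + 1 */
bool safe_fuzz_offset(uint32_t r, uint32_t l4len, uint32_t *offset)
{
    if (l4len < 2)          /* same zero-divisor guard */
        return false;
    *offset = ((r >> 16) % (l4len - 1)) + 1;
    return true;
}

int main(void)
{
    uint32_t v = 0;
    /* constructed inputs: a one-byte L4 payload (the crashing case) and a 20-byte one */
    printf("l4len=1:  %s\n", safe_fuzz_new_len(0x1234u, 1, &v) ? "ok" : "skipped");
    if (safe_fuzz_offset(0x00050000u, 20, &v))
        printf("l4len=20: offset=%u\n", v);   /* (5 % 19) + 1 = 6 */
    return 0;
}
```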