appneta / tcpreplay

Pcap editing and replay tools for *NIX and Windows - Users please download source from
http://tcpreplay.appneta.com/wiki/installation.html#downloads

[Bug] heap-overflow in get.c:713 #734

Closed chluo1997 closed 1 year ago

chluo1997 commented 1 year ago


Describe the bug: There is a heap-overflow bug in get_ipv6_next. Unlike #718 (where the crash point is line 679, *((int*)((u_char *)exthdr + len))), this bug is triggered at line 713 (*((int*)((u_char *)exthdr + len)) > maxlen).

To Reproduce (steps to reproduce the behavior):

  1. export CC=clang && export CFLAGS="-fsanitize=address -g"
  2. ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
  3. ./src/tcprewrite -o /dev/null -i POC

Expected behavior: The program does not crash.

Screenshots: [Screen Shot 2022-07-24 at 10 37 33]

Additional context: POC attached (poc.zip)
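The over-read the report describes, as an added example that is not tcpreplay's code: both quoted expressions from get.c dereference exthdr plus a length taken from the packet itself, so a crafted or truncated extension-header chain can push that address past the end of the buffer. The hypothetical walker below (walk_ext_headers, unchecked_next_offset, upper_proto and the chain_* sample buffers are all names and data constructed here, not from get.c or poc.zip) follows the RFC 8200 header layout and shows the pattern beside its checked form: refuse to read a length field unless the 8-byte minimum header is present, and refuse to advance unless the advertised size fits inside maxlen.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical IPv6 extension-header walker, written for this example only.
 * RFC 8200: Hop-by-Hop (0), Routing (43) and Destination Options (60) start
 * with Next Header and Hdr Ext Len (8-octet units, not counting the first 8);
 * the Fragment header (44) is a fixed 8 octets. */
#define IPV6_HOPOPTS  0
#define IPV6_ROUTING  43
#define IPV6_FRAG     44
#define IPV6_DSTOPTS  60
#define PROTO_TCP     6

struct ipv6_ext {
    uint8_t next;   /* Next Header */
    uint8_t len;    /* Hdr Ext Len (reserved, and ignored, for Fragment) */
};

static int is_ext_header(uint8_t proto)
{
    return proto == IPV6_HOPOPTS || proto == IPV6_ROUTING ||
           proto == IPV6_FRAG    || proto == IPV6_DSTOPTS;
}

/* Size in bytes of the header at `eh`, as claimed by its own length field. */
static size_t ext_header_size(uint8_t proto, const struct ipv6_ext *eh)
{
    return proto == IPV6_FRAG ? 8 : ((size_t)eh->len + 1) * 8;
}

/* The buggy pattern, reduced to its essence: trust the length byte read from
 * the packet and compute where the next header lives without asking whether
 * that offset is inside the buffer. The offset is returned rather than
 * dereferenced, so the caller can see that it lies past the end of the data. */
static size_t unchecked_next_offset(const uint8_t *buf, uint8_t proto)
{
    return ext_header_size(proto, (const struct ipv6_ext *)buf);
}

/* Checked walk: returns the offset of the first non-extension header, or -1
 * if the chain does not fit in `maxlen` bytes. `first` is the Next Header
 * value of the fixed IPv6 header; `buf` points just past that header. */
static long walk_ext_headers(const uint8_t *buf, size_t maxlen,
                             uint8_t first, uint8_t *final_proto)
{
    size_t off = 0;
    uint8_t proto = first;

    while (is_ext_header(proto)) {
        if (maxlen - off < 8)                 /* no room for a minimal header */
            return -1;
        const struct ipv6_ext *eh = (const struct ipv6_ext *)(buf + off);
        size_t hlen = ext_header_size(proto, eh);
        if (hlen > maxlen - off)              /* header claims bytes that are not there */
            return -1;
        proto = eh->next;
        off += hlen;                          /* cannot exceed maxlen after the check above */
    }
    if (final_proto)
        *final_proto = proto;
    return (long)off;
}

/* Upper-layer protocol after the chain, or 0xFF if the chain is malformed. */
static uint8_t upper_proto(const uint8_t *buf, size_t maxlen, uint8_t first)
{
    uint8_t proto;
    return walk_ext_headers(buf, maxlen, first, &proto) < 0 ? 0xFF : proto;
}

/* Constructed sample chains (not the issue's poc.zip), each starting right
 * after the fixed IPv6 header. */
static const uint8_t chain_ok[16] = {
    IPV6_DSTOPTS, 0, 1, 4, 0, 0, 0, 0,   /* Hop-by-Hop, 8 bytes, one PadN option */
    PROTO_TCP,    0, 1, 4, 0, 0, 0, 0,   /* Destination Options, 8 bytes, then TCP */
};
static const uint8_t chain_frag[8] = {
    PROTO_TCP, 0, 0, 0, 0, 0, 0, 1,      /* Fragment header: fixed 8 bytes, then TCP */
};
static const uint8_t chain_overlong[8] = {
    IPV6_DSTOPTS, 255, 1, 4, 0, 0, 0, 0, /* claims (255+1)*8 = 2048 bytes, 8 present */
};
static const uint8_t chain_cut[3] = { IPV6_DSTOPTS, 0, 1 }; /* truncated mid-header */

int main(void)
{
    printf("ok chain:       ends at %ld, upper proto %u\n",
           walk_ext_headers(chain_ok, sizeof chain_ok, IPV6_HOPOPTS, NULL),
           upper_proto(chain_ok, sizeof chain_ok, IPV6_HOPOPTS));
    printf("overlong chain: unchecked walk would read at offset %zu of %zu bytes\n",
           unchecked_next_offset(chain_overlong, IPV6_HOPOPTS), sizeof chain_overlong);
    printf("overlong chain: checked walk returns %ld\n",
           walk_ext_headers(chain_overlong, sizeof chain_overlong, IPV6_HOPOPTS, NULL));
    printf("cut chain:      checked walk returns %ld\n",
           walk_ext_headers(chain_cut, sizeof chain_cut, IPV6_HOPOPTS, NULL));
    return 0;
}
```

The two checks are deliberately separate: the first guards the read of the length byte itself (a packet cut off mid-header, like chain_cut), the second guards the advance computed from that byte (an intact header advertising more than is present, like chain_overlong). Dropping either one reintroduces an out-of-bounds read on one of the two inputs, which is why an ASan build against a fuzzer-generated pcap is the right way to confirm a fix of this kind.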

fklassen commented 1 year ago

Tested with the #718 fix. It appears that it is fixed.