appneta / tcpreplay

Pcap editing and replay tools for *NIX and Windows - Users please download source from
http://tcpreplay.appneta.com/wiki/installation.html#downloads

[Bug] Reachable abort in tcpprep, packet2tree, src/tree.c:746, invoked by add_tree_ipv6, src/tree.c:570 #758

Closed waugustus closed 1 year ago

waugustus commented 1 year ago

Describe the bug

There is a reachable assertion error in packet2tree, src/tree.c:746, invoked by add_tree_ipv6, src/tree.c:570, which is different from #756. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted pcap file.

To Reproduce

Steps to reproduce the behavior:

  1. build with

    CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared --enable-debug

  2. download the poc file

poc.zip

  3. run

    ./build_asan/bin/tcpprep -a client -i poc -o /tmp/foo

Expected behavior

$ gdb  -batch -ex "run" -ex "bt" --args ./build_asan/bin/tcpprep -a client -i poc -o /tmp/foo
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Warning in tcpprep.c:main() line 105:
poc was captured using a snaplen of 96 bytes.  This may mean you have truncated packets.
tcpprep: tree.c:746: packet2tree: Assertion `l2len > 0' failed.

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f1103ab2859 in __GI_abort () at abort.c:79
#2  0x00007f1103ab2729 in __assert_fail_base (fmt=0x7f1103c48588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55a81b856500 "l2len > 0", file=0x55a81b855460 "tree.c", line=746, function=<optimized out>) at assert.c:92
#3  0x00007f1103ac3fd6 in __GI___assert_fail (assertion=0x55a81b856500 "l2len > 0", file=0x55a81b855460 "tree.c", line=746, function=0x55a81b856e80 <__PRETTY_FUNCTION__.9829> "packet2tree") at assert.c:101
#4  0x000055a81b807bd8 in packet2tree (data=0x608000000020 "d", len=74, datalink=12) at tree.c:746
#5  0x000055a81b806692 in add_tree_ipv6 (addr=0x608000000028, data=0x608000000020 "d", len=74, datalink=12) at tree.c:570
#6  0x000055a81b7fe525 in process_raw_packets (pcap=0x617000000080) at tcpprep.c:469
#7  0x000055a81b7fc28e in main (argc=7, argv=0x7ffd1185d6a8) at tcpprep.c:144

System (please complete the following information):

Additional context

The crash point was invoked by add_tree_ipv6, src/tree.c:570, which is different from #756.
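The report above shows why an assert() on data taken from an untrusted capture file is a denial-of-service primitive: the failed `l2len > 0` check aborts the whole tcpprep run. The following is an added example, not tcpreplay's code and not a statement of this bug's root cause (the issue does not give one); it shows the defensive pattern of validating the link-layer length and capture length per packet and skipping bad records instead of aborting. The DLT constants are libpcap's values (DLT_RAW is 12 on most platforms), and the 40-byte IPv6 header minimum is assumed for the length check.

```c
#include <stdint.h>
#include <stddef.h>

/* DLT values as defined by libpcap (assumed here; DLT_RAW is 12 on most platforms). */
#define DLT_EN10MB   1
#define DLT_RAW      12
#define IPV6_HDR_LEN 40   /* fixed IPv6 header size, assumed minimum payload */

enum pkt_status { PKT_OK = 0, PKT_BAD_DLT = 1, PKT_NO_L2 = 2, PKT_SHORT = 3 };

/* Link-layer header length for a DLT, or -1 when the DLT is not handled. */
static int l2_header_len(int datalink)
{
    switch (datalink) {
    case DLT_EN10MB: return 14;
    case DLT_RAW:    return 0;    /* raw IP: no link-layer header at all */
    default:         return -1;
    }
}

/* Validate one captured packet before any tree/flow bookkeeping touches it.
 * An assert() here would turn a crafted pcap into a crash; an explicit
 * status lets the caller log and skip the packet instead. */
enum pkt_status check_packet(const uint8_t *data, uint32_t caplen, int datalink)
{
    int l2len = l2_header_len(datalink);
    if (data == NULL || l2len < 0)
        return PKT_BAD_DLT;
    if (l2len == 0)
        return PKT_NO_L2;           /* no L2 offset can be derived: reject */
    if (caplen < (uint32_t)l2len + IPV6_HDR_LEN)
        return PKT_SHORT;           /* truncated, e.g. by a small snaplen */
    return PKT_OK;
}

/* Process a batch of (data, caplen, datalink) records, skipping rejected ones.
 * Returns the number of packets accepted; *rejected receives the count skipped. */
size_t process_capture(const uint8_t *const *pkts, const uint32_t *caplens,
                       const int *dlts, size_t n, size_t *rejected)
{
    size_t ok = 0, bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (check_packet(pkts[i], caplens[i], dlts[i]) == PKT_OK)
            ok++;
        else
            bad++;                  /* skipped and counted, never abort */
    }
    *rejected = bad;
    return ok;
}
```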

fklassen commented 1 year ago

Closing as a duplicate of #756. This issue and #756 have tree.c:764 in common. Verified that the fix applies to this bug report.