appneta / tcpreplay

Pcap editing and replay tools for *NIX and Windows - Users please download source from
http://tcpreplay.appneta.com/wiki/installation.html#downloads

[Bug] Reachable assertion in tcpedit_dlt_cleanup() at plugins/dlt_plugins.c #780

Closed Marsman1996 closed 1 year ago

Marsman1996 commented 1 year ago

Describe the bug
There is a reachable assertion in tcpedit_dlt_cleanup() when the user uses tcprewrite to open a crafted pcap file in DLT_JUNIPER_ETHER mode.

To Reproduce
Steps to reproduce the behavior:

  1. Get the Tcpreplay source code and compile it.
    $ ./configure
    $ make
  2. Run the command:
    $ ./tcprewrite --dlt="jnpr_eth" -i $POC -o /dev/null
    The POC file could be downloaded here: POC file

Expected behavior
Program reports assertion failure and is terminated.

The GDB report:

$ gdb --args ./bin_normal/bin/tcprewrite --dlt="jnpr_eth" -i ./poc-tcprewrite-bcb107a-tcpedit_dlt_cleanup-assertion -o /dev/null

(gdb) r
Starting program: /home/ubuntu178/cvelibf/test/tcpreplay/latest/bin_normal/bin/tcprewrite --dlt=jnpr_eth -i ./poc-tcprewrite-bcb107a-tcpedit_dlt_cleanup-assertion -o /dev/null
Warning: ./poc-tcprewrite-bcb107a-tcpedit_dlt_cleanup-assertion was captured using a snaplen of 96 bytes.  This may mean you have truncated packets.
tcprewrite: plugins/dlt_plugins.c:462: tcpedit_dlt_cleanup: Assertion `ctx' failed.

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7d6d859 in __GI_abort () at abort.c:79
#2  0x00007ffff7d6d729 in __assert_fail_base (fmt=0x7ffff7f03588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x555555572ae6 "ctx", file=0x555555572ad0 "plugins/dlt_plugins.c", line=462, 
    function=<optimized out>) at assert.c:92
#3  0x00007ffff7d7ef36 in __GI___assert_fail (assertion=0x555555572ae6 "ctx", file=0x555555572ad0 "plugins/dlt_plugins.c", line=462, function=0x555555572fb0 <__PRETTY_FUNCTION__.7740> "tcpedit_dlt_cleanup")
    at assert.c:101
#4  0x000055555556156d in tcpedit_dlt_cleanup (ctx=0x0) at plugins/dlt_plugins.c:462
#5  0x0000555555569aca in dlt_jnpr_ether_cleanup (ctx=0x555555580090) at plugins/dlt_jnpr_ether/jnpr_ether.c:171
#6  0x000055555556158c in tcpedit_dlt_cleanup (ctx=0x555555580090) at plugins/dlt_plugins.c:466
#7  0x000055555555a763 in tcpedit_close (tcpedit_ex=0x55555557db60 <tcpedit>) at tcpedit.c:599
#8  0x0000555555558f02 in main (argc=0, argv=0x7fffffffde38) at tcprewrite.c:154

System (please complete the following information):

$ ./bin_normal/bin/tcprewrite -V
tcprewrite version: 4.4.3 (build git:v4.4.3)
Copyright 2013-2022 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
The entire Tcpreplay Suite is licensed under the GPLv3
Cache file supported: 04
Not compiled with libdnet.
Compiled against libpcap: 1.9.1
64 bit packet counters: enabled
Verbose printing via tcpdump: enabled
Fragroute engine: disabled

Marsman1996 commented 1 year ago

This problem is because in dlt_jnpr_ether_cleanup(), the program does not check the subctx before calling the tcpedit_dlt_cleanup().

#781 could fix this.
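The missing check described above, as an added example constructed for this page (not the commenter's code and not tcpreplay's own): a small model of the nested DLT cleanup in which the sub-context may never have been initialised, showing the unguarded shape that reaches the assertion beside the guarded shape that tolerates a NULL subctx. The names dlt_cleanup, jnpr_cleanup_unguarded, jnpr_cleanup_guarded, make_ctx and the decoded field are the example's own.

```c
/* Constructed model of the cleanup path in the report, not tcpreplay's own code:
 * dlt_cleanup() stands in for tcpedit_dlt_cleanup(), jnpr_cleanup_*() for
 * dlt_jnpr_ether_cleanup(), and ctx->subctx for config->subctx. */
#include <assert.h>
#include <stdlib.h>
#define TCPEDIT_OK 0
typedef struct dlt_ctx {
    struct dlt_ctx *subctx;  /* nested DLT context; NULL until the sub-plugin is initialised */
    unsigned char *decoded;  /* per-context scratch buffer */
} dlt_ctx_t;

/* Generic plugin cleanup. Like tcpedit_dlt_cleanup() it asserts on a NULL
 * context, so being handed a never-initialised subctx aborts the process. */
static int dlt_cleanup(dlt_ctx_t *ctx)
{
    assert(ctx);
    free(ctx->decoded);
    ctx->decoded = NULL;
    return TCPEDIT_OK;
}
/* Buggy shape: cleans the sub-context unconditionally. With subctx == NULL this
 * is frame #4 of the backtrace; it is only safe when subctx was initialised. */
static int jnpr_cleanup_unguarded(dlt_ctx_t *ctx)
{
    int rc = dlt_cleanup(ctx->subctx);
    free(ctx->subctx);
    ctx->subctx = NULL;
    return rc;
}

/* Fixed shape: only tear down a sub-context that was actually created. */
static int jnpr_cleanup_guarded(dlt_ctx_t *ctx)
{
    int rc = TCPEDIT_OK;
    if (ctx->subctx != NULL) {
        rc = dlt_cleanup(ctx->subctx);
        free(ctx->subctx);
        ctx->subctx = NULL;
    }
    return rc;
}
/* Outer context as a crafted capture leaves it: subctx stays NULL when decoding
 * bails out before the sub-plugin is initialised (init_sub == 0). */
static dlt_ctx_t *make_ctx(int init_sub)
{
    dlt_ctx_t *ctx = calloc(1, sizeof(*ctx));
    if (ctx && init_sub && (ctx->subctx = calloc(1, sizeof(*ctx))) != NULL)
        ctx->subctx->decoded = malloc(64);
    return ctx;
}
```

Calling jnpr_cleanup_unguarded() on make_ctx(0) reproduces the abort in the report; the guarded version returns TCPEDIT_OK for both the partially and the fully initialised context.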

fklassen commented 1 year ago

Thanks for the PR. Verified and targeted for v4.4.4

fklassen commented 1 year ago

Fixed in PR #780 and documented in PR #800.

ArchanaWind commented 1 year ago

Hi @Marsman1996, is this bug present in the tcpreplay-4.4.2 version as well?

Thanks in advance

Marsman1996 commented 1 year ago

> Hi @Marsman1996, is this bug present in the tcpreplay-4.4.2 version as well?
>
> Thanks in advance

Hi @ArchanaWind

This bug is able to be triggered in tcpreplay-4.4.2. I think it is reasonable since the check for config->subctx was not added.

Here is the test log:

❯ ./bin_normal/bin/tcprewrite --version
tcprewrite version: 4.4.2 (build git:v4.4.2)
Copyright 2013-2022 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
The entire Tcpreplay Suite is licensed under the GPLv3
Cache file supported: 04
Not compiled with libdnet.
Compiled against libpcap: 1.7.4
64 bit packet counters: enabled
Verbose printing via tcpdump: enabled
Fragroute engine: disabled

❯ gdb --args ./bin_normal/bin/tcprewrite --dlt="jnpr_eth" -i ./poc-tcprewrite-bcb107a-tcpedit_dlt_cleanup-assertion -o /dev/null

(gdb) r
Starting program: /opt/disk/marsman/tcpreplay/4.4.2/bin_normal/bin/tcprewrite --dlt=jnpr_eth -i ./poc-tcprewrite-bcb107a-tcpedit_dlt_cleanup-assertion -o /dev/null
Warning: ./poc-tcprewrite-bcb107a-tcpedit_dlt_cleanup-assertion was captured using a snaplen of 96 bytes.  This may mean you have truncated packets.
tcprewrite: ../../../code/src/tcpedit/plugins/dlt_plugins.c:462: tcpedit_dlt_cleanup: Assertion `ctx' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7801438 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7801438 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff780303a in __GI_abort () at abort.c:89
#2  0x00007ffff77f9be7 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x423ffa "ctx", file=file@entry=0x424410 "../../../code/src/tcpedit/plugins/dlt_plugins.c", line=line@entry=462, 
    function=function@entry=0x4246f0 <__PRETTY_FUNCTION__.7825> "tcpedit_dlt_cleanup") at assert.c:92
#3  0x00007ffff77f9c92 in __GI___assert_fail (assertion=assertion@entry=0x423ffa "ctx", file=file@entry=0x424410 "../../../code/src/tcpedit/plugins/dlt_plugins.c", line=line@entry=462, 
    function=function@entry=0x4246f0 <__PRETTY_FUNCTION__.7825> "tcpedit_dlt_cleanup") at assert.c:101
#4  0x00000000004091d3 in tcpedit_dlt_cleanup (ctx=<optimized out>) at ../../../code/src/tcpedit/plugins/dlt_plugins.c:462
#5  0x000000000040ecf2 in dlt_jnpr_ether_cleanup (ctx=0x637e60) at ../../../code/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c:171
#6  0x0000000000409136 in tcpedit_dlt_cleanup (ctx=0x637e60) at ../../../code/src/tcpedit/plugins/dlt_plugins.c:466
#7  0x00000000004044f3 in tcpedit_close (tcpedit_ex=tcpedit_ex@entry=0x635620 <tcpedit>) at ../../../code/src/tcpedit/tcpedit.c:599
#8  0x0000000000402a32 in main (argc=<optimized out>, argv=<optimized out>) at ../../code/src/tcprewrite.c:154