Describe the bug
There is a NULL Pointer Dereference in macinstring() when the user passes empty mac string to tcpprep in Source MAC split mode.
To Reproduce
Steps to reproduce the behavior:
Get the Tcpreplay source code and compile it.
$ ./configure
$ make
Run Command $ ./tcpprep -e "" --pcap=./test.pcap --cachefile=/dev/null
The file test.pcap is from tcpreplay codebase, which is located in test/test.pcap.
Expected behavior
Program crashes with Segmentation fault.
The GDB report:
$ gdb --args ./bin_normal/bin/tcpprep -e "" --pcap=./code/test/test.pcap --cachefile=/dev/null
(gdb) r
Starting program: /home/ubuntu178/cvelibf/test/tcpreplay/latest/bin_normal/bin/tcpprep -e '' --pcap=./code/test/test.pcap --cachefile=/dev/null
Program received signal SIGSEGV, Segmentation fault.
0x0000555555562b50 in macinstring (macstring=0x55555558dbf0 "", mac=0x55555558f0e6 "\370\036\337\345\204:\b") at mac.c:120
120 if (strlen(tempstr)) {
(gdb) bt
#0 0x0000555555562b50 in macinstring (macstring=0x55555558dbf0 "", mac=0x55555558f0e6 "\370\036\337\345\204:\b") at mac.c:120
#1 0x00005555555596b6 in process_raw_packets (pcap=0x55555558ee40) at tcpprep.c:450
#2 0x0000555555558d23 in main (argc=5, argv=0x7fffffffc2d8) at tcpprep.c:144
The ASAN report:
$ ./bin_asan/bin/tcpprep -e "" --pcap=./code/test/test.pcap --cachefile=/dev/null
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3017398==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000516fd4 bp 0x7ffe41169c70 sp 0x7ffe41169b80 T0)
==3017398==The signal is caused by a READ memory access.
==3017398==Hint: address points to the zero page.
#0 0x516fd4 in macinstring /home/ubuntu178/cvelibf/test/tcpreplay/latest/build_asan/src/common/../../../code/src/common/mac.c:120:9
#1 0x4fe345 in process_raw_packets /home/ubuntu178/cvelibf/test/tcpreplay/latest/build_asan/src/../../code/src/tcpprep.c:450:25
#2 0x4fe345 in main /home/ubuntu178/cvelibf/test/tcpreplay/latest/build_asan/src/../../code/src/tcpprep.c:144:23
#3 0x7fb921f310b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#4 0x41f4ed in _start (/home/ubuntu178/cvelibf/test/tcpreplay/latest/bin_asan/bin/tcpprep+0x41f4ed)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu178/cvelibf/test/tcpreplay/latest/build_asan/src/common/../../../code/src/common/mac.c:120:9 in macinstring
==3017398==ABORTING
System (please complete the following information):
OS: Ubuntu
OS version: 20.04, 64 bit
Tcpreplay Version: master bcb107a
./bin_normal/bin/tcprewrite -V
tcprewrite version: 4.4.3 (build git:v4.4.3)
Copyright 2013-2022 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
The entire Tcpreplay Suite is licensed under the GPLv3
Cache file supported: 04
Not compiled with libdnet.
Compiled against libpcap: 1.9.1
64 bit packet counters: enabled
Verbose printing via tcpdump: enabled
Fragroute engine: disabled
Describe the bug There is a NULL Pointer Dereference in
macinstring()
when the user passes empty mac string totcpprep
in Source MAC split mode.To Reproduce Steps to reproduce the behavior:
$ ./tcpprep -e "" --pcap=./test.pcap --cachefile=/dev/null
The file
test.pcap
is from tcpreplay codebase, which is located intest/test.pcap
.Expected behavior Program crashes with Segmentation fault.
The GDB report:
The ASAN report:
System (please complete the following information):