search

appneta / tcpreplay

Pcap editing and replay tools for *NIX and Windows - Users please download source from
http://tcpreplay.appneta.com/wiki/installation.html#downloads
1.15k stars 268 forks source link

[Bug] NULL Pointer Dereference in macinstring() at mac.c:120 #782

Closed Marsman1996 closed 1 year ago

Marsman1996 commented 1 year ago

Describe the bug There is a NULL Pointer Dereference in macinstring() when the user passes empty mac string to tcpprep in Source MAC split mode.

To Reproduce Steps to reproduce the behavior:

  1. Get the Tcpreplay source code and compile it. 
    $ ./configure
$ make
  2. Run Command $ ./tcpprep -e "" --pcap=./test.pcap --cachefile=/dev/null
    The file test.pcap is from tcpreplay codebase, which is located in test/test.pcap.

Expected behavior Program crashes with Segmentation fault.

The GDB report:

$ gdb --args ./bin_normal/bin/tcpprep -e "" --pcap=./code/test/test.pcap --cachefile=/dev/null

(gdb) r
Starting program: /home/ubuntu178/cvelibf/test/tcpreplay/latest/bin_normal/bin/tcpprep -e '' --pcap=./code/test/test.pcap --cachefile=/dev/null

Program received signal SIGSEGV, Segmentation fault.
0x0000555555562b50 in macinstring (macstring=0x55555558dbf0 "", mac=0x55555558f0e6 "\370\036\337\345\204:\b") at mac.c:120
120         if (strlen(tempstr)) {
(gdb) bt
#0  0x0000555555562b50 in macinstring (macstring=0x55555558dbf0 "", mac=0x55555558f0e6 "\370\036\337\345\204:\b") at mac.c:120
#1  0x00005555555596b6 in process_raw_packets (pcap=0x55555558ee40) at tcpprep.c:450
#2  0x0000555555558d23 in main (argc=5, argv=0x7fffffffc2d8) at tcpprep.c:144

The ASAN report:

$ ./bin_asan/bin/tcpprep -e "" --pcap=./code/test/test.pcap --cachefile=/dev/null
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3017398==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000516fd4 bp 0x7ffe41169c70 sp 0x7ffe41169b80 T0)
==3017398==The signal is caused by a READ memory access.
==3017398==Hint: address points to the zero page.
    #0 0x516fd4 in macinstring /home/ubuntu178/cvelibf/test/tcpreplay/latest/build_asan/src/common/../../../code/src/common/mac.c:120:9
    #1 0x4fe345 in process_raw_packets /home/ubuntu178/cvelibf/test/tcpreplay/latest/build_asan/src/../../code/src/tcpprep.c:450:25
    #2 0x4fe345 in main /home/ubuntu178/cvelibf/test/tcpreplay/latest/build_asan/src/../../code/src/tcpprep.c:144:23
    #3 0x7fb921f310b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41f4ed in _start (/home/ubuntu178/cvelibf/test/tcpreplay/latest/bin_asan/bin/tcpprep+0x41f4ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu178/cvelibf/test/tcpreplay/latest/build_asan/src/common/../../../code/src/common/mac.c:120:9 in macinstring
==3017398==ABORTING

System (please complete the following information):

./bin_normal/bin/tcprewrite -V
tcprewrite version: 4.4.3 (build git:v4.4.3)
Copyright 2013-2022 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
The entire Tcpreplay Suite is licensed under the GPLv3
Cache file supported: 04
Not compiled with libdnet.
Compiled against libpcap: 1.9.1
64 bit packet counters: enabled
Verbose printing via tcpdump: enabled
Fragroute engine: disabled
Marsman1996 commented 1 year ago

This crash is because the program does not check whether the string after the strtok_r() process is NULL.

783 could fix this.

fklassen commented 1 year ago

Fixed in PR #783