@fklassen, it seems that somehow freeing of sub-contexts actually frees something that gets freed again (not that I really understand the code). This particular plugin is calling these sub-context de-allocations, which then get called again.
Are sub-contexts copies of contexts and setting pointers of allocated memory to NULL in these copies isn't reflected in the originals, causing double free?
It looks like this got CVE-2023-4256 assigned.
Hi,
I had a look and it seems that Juniper has an exception in the way the plugins work with regard to the extra buffer in question: tcpreplay works with the assumption that there only ever is a single link layer plugin, which is mostly true except here: Juniper has a special call to `tcpedit_dlt_copy_decoder_state()` which causes the ctx and subctx to share a reference to the `decoded_extra` buffer, and the double call through the backtrace as said in this description indeed causes the issue.
I also note that the plugin architecture is quite nice and should absolutely allow juniper to work as it does. I mean it would be a shame to break it IMHO.
Since each plugin is working with the assumption that it owns the `decoded_extra` buffer, I suggest to just give each one its own. That would cost a bit more, but not significantly so, and it would also enable the ability to rewrite one link layer into another.
I won't have much time to work on this next month, but I'm willing to work on this after if you want.
Also, this CVE does not seem that bad to me, but if I'm wrong I believe you could use 5ad9d1d701e644ed5b8821456e31acf2e72920c to work around this issue safely.
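The ownership problem discussed in the two comments above, as an added example that is not part of the thread and is not tcpreplay's code: a parent and a sub-context that alias one `decoded_extra` buffer are torn down in turn, next to the variant where each context owns its buffer. The struct layout, the function names (`copy_state_shared`, `copy_state_owned`, `ctx_cleanup`) and the allocation ledger are assumptions made for the illustration; the ledger counts a second release instead of calling `free()` twice.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for a DLT plugin context (assumed layout). */
struct dlt_ctx {
    unsigned char *decoded_extra;
    size_t decoded_extra_size;
};

/* Allocation ledger: releases are recorded, the real free() is deferred to
 * ledger_reset(), so a repeated release is counted and never executed. */
#define MAX_TRACKED 8
struct block { void *ptr; int released; };
static struct block ledger[MAX_TRACKED];
static int n_blocks, double_free_attempts;

static void *tracked_alloc(size_t n)
{
    void *p;
    if (n_blocks == MAX_TRACKED || (p = calloc(1, n)) == NULL)
        return NULL;
    ledger[n_blocks++] = (struct block){ p, 0 };
    return p;
}

static void tracked_free(void *p)
{
    for (int i = 0; p != NULL && i < n_blocks; i++) {
        if (ledger[i].ptr != p)
            continue;
        if (ledger[i].released)
            double_free_attempts++;     /* second owner releasing the block */
        else
            ledger[i].released = 1;
        return;
    }
}

/* Really free every block; returns how many were never released (leaks). */
static int ledger_reset(void)
{
    int leaked = 0;
    for (int i = 0; i < n_blocks; i++) {
        leaked += !ledger[i].released;
        free(ledger[i].ptr);
    }
    n_blocks = 0;
    return leaked;
}

/* Aliasing copy: both contexts end up holding the same pointer. */
static int copy_state_shared(struct dlt_ctx *dst, const struct dlt_ctx *src)
{
    *dst = *src;
    return 0;
}

/* Owning copy: dst gets its own buffer holding the same bytes. */
static int copy_state_owned(struct dlt_ctx *dst, const struct dlt_ctx *src)
{
    dst->decoded_extra = tracked_alloc(src->decoded_extra_size);
    if (dst->decoded_extra == NULL)
        return -1;
    memcpy(dst->decoded_extra, src->decoded_extra, src->decoded_extra_size);
    dst->decoded_extra_size = src->decoded_extra_size;
    return 0;
}

/* Each context assumes it owns decoded_extra. Setting the pointer to NULL
 * clears only this struct's copy; an alias elsewhere is left dangling. */
static void ctx_cleanup(struct dlt_ctx *c)
{
    tracked_free(c->decoded_extra);
    c->decoded_extra = NULL;
    c->decoded_extra_size = 0;
}

struct result { int double_frees; int leaks; };

/* owned == 0: aliasing copy; owned != 0: one buffer per context. */
static struct result run(int owned)
{
    struct dlt_ctx ctx = {0}, subctx = {0};
    struct result r = { -1, -1 };       /* -1/-1 signals allocation failure */

    double_free_attempts = 0;
    ctx.decoded_extra = tracked_alloc(64);
    ctx.decoded_extra_size = 64;
    if (ctx.decoded_extra != NULL &&
        (owned ? copy_state_owned : copy_state_shared)(&subctx, &ctx) == 0) {
        ctx_cleanup(&subctx);           /* sub-context teardown */
        ctx_cleanup(&ctx);              /* parent teardown */
        r.double_frees = double_free_attempts;
    }
    r.leaks = ledger_reset();
    return r;
}

int main(void)
{
    struct result s = run(0), o = run(1);
    printf("shared: double frees=%d leaks=%d\n", s.double_frees, s.leaks);
    printf("owned:  double frees=%d leaks=%d\n", o.double_frees, o.leaks);
    return 0;
}
```
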
Fixed by #855
Reopening. It appears that the #855 fix has introduced some memory leaks:
../configure --with-testnic=enp0s5 --with-testnic2=enp0s5 --enable-asan
$ make
$ sudo make test
echo Making test in ./test
Making test in ./test
cd ./test && make test
make[1]: Entering directory '/home/parallels/git/tcpreplay/build/test'
NOTICE: Tests must be run as root
Sending traffic on 'enp0s5' and 'enp0s5'
[tcpprep] Auto/Router mode test: OK
[tcpprep] Auto/Bridge mode test: OK
[tcpprep] Auto/Client mode test: OK
[tcpprep] Auto/Server mode test: OK
[tcpprep] Auto/First mode test: OK
[tcpprep] CIDR mode test: OK
[tcpprep] Regex mode test: make[1]: *** [Makefile:737: regex] Error 1
[tcpprep] Port mode test: OK
[tcpprep] MAC mode test: OK
[tcpprep] Comment mode test: OK
[tcpprep] Print info mode test: OK
[tcpprep] Print comment mode test: OK
[tcpprep] Config mode test: OK
[tcpprep] MAC reverse mode test: OK
[tcpprep] CIDR reverse mode test: OK
[tcpprep] Regex reverse mode test: make[1]: *** [Makefile:783: regex_reverse] Error 1
[tcpprep] exclude packets test: make[1]: *** [Makefile:804: exclude_packets] Error 1
[tcpprep] include packets test: make[1]: *** [Makefile:811: include_packets] Error 1
[tcpprep] include source test: make[1]: *** [Makefile:818: include_source] Error 1
[tcpprep] include destination test: make[1]: *** [Makefile:825: include_dest] Error 1
[tcpreplay] Basic test: OK
[tcpreplay] Nano timer test: OK
[tcpreplay] Cache test: OK
[tcpreplay] Packets/sec test: OK
[tcpreplay] Mbps test: OK
[tcpreplay] Topspeed test: OK
[tcpreplay] Config file/VLAN add test: OK
[tcpreplay] Multiplier test: OK
[tcpreplay] Packets/sec Multiplier test: OK
[tcpreplay] Precache test: OK
[tcpreplay] Statistics test: OK
[tcpreplay] Dual file test: OK
[tcpreplay] Maximum sleep test: OK
[tcprewrite] Portmap test: make[1]: *** [Makefile:862: rewrite_portmap] Error 1
[tcprewrite] Portmap range test: make[1]: *** [Makefile:870: rewrite_range_portmap] Error 1
[tcprewrite] Endpoint test: make[1]: *** [Makefile:886: rewrite_endpoint] Error 1
[tcprewrite] Pseudo NAT test: make[1]: *** [Makefile:895: rewrite_pnat] Error 1
[tcprewrite] Truncate test: make[1]: *** [Makefile:942: rewrite_trunc] Error 1
[tcprewrite] Pad test: make[1]: *** [Makefile:950: rewrite_pad] Error 1
[tcprewrite] Seed IP test: make[1]: *** [Makefile:958: rewrite_seed] Error 1
[tcprewrite] Src/Dst MAC test: make[1]: *** [Makefile:904: rewrite_mac] Error 1
[tcprewrite] Layer2 test: make[1]: *** [Makefile:966: rewrite_layer2] Error 1
[tcprewrite] Config/VLAN Add test: make[1]: *** [Makefile:975: rewrite_config] Error 1
[tcprewrite] Skip bcast test: make[1]: *** [Makefile:983: rewrite_skip] Error 1
[tcprewrite] DLT User test: make[1]: *** [Makefile:994: rewrite_dltuser] Error 1
[tcprewrite] DLT Cisco HDLC test: make[1]: *** [Makefile:1003: rewrite_dlthdlc] Error 1
[tcprewrite] VLAN 802.1ad test:
=================================================================
==377184==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 112 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacaec in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:129
#3 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#4 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#5 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#6 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#7 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfb7dcc in dlt_ieee80211_register ../../../src/tcpedit/plugins/dlt_ieee80211/ieee80211.c:58
#4 0xaaaaadfabab8 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:62
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfbab88 in dlt_pppserial_register ../../../src/tcpedit/plugins/dlt_pppserial/pppserial.c:61
#4 0xaaaaadfabadc in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:65
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfb6fb8 in dlt_linuxsll2_register ../../../src/tcpedit/plugins/dlt_linuxsll2/linuxsll2.c:55
#4 0xaaaaadfabaac in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:61
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfb5108 in dlt_null_register ../../../src/tcpedit/plugins/dlt_null/null.c:68
#4 0xaaaaadfaba88 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:58
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfb4738 in dlt_raw_register ../../../src/tcpedit/plugins/dlt_raw/raw.c:54
#4 0xaaaaadfaba7c in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:57
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfb5614 in dlt_loop_register ../../../src/tcpedit/plugins/dlt_loop/loop.c:57
#4 0xaaaaadfaba94 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:59
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfb05bc in dlt_en10mb_register ../../../src/tcpedit/plugins/dlt_en10mb/en10mb.c:51
#4 0xaaaaadfaba58 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:54
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfb629c in dlt_linuxsll_register ../../../src/tcpedit/plugins/dlt_linuxsll/linuxsll.c:51
#4 0xaaaaadfabaa0 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:60
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfb3c48 in dlt_user_register ../../../src/tcpedit/plugins/dlt_user/user.c:50
#4 0xaaaaadfaba70 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:56
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfb2ae4 in dlt_hdlc_register ../../../src/tcpedit/plugins/dlt_hdlc/hdlc.c:50
#4 0xaaaaadfaba64 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:55
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfb8a5c in dlt_radiotap_register ../../../src/tcpedit/plugins/dlt_radiotap/radiotap.c:60
#4 0xaaaaadfabac4 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:63
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfba100 in dlt_jnpr_ether_register ../../../src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c:64
#4 0xaaaaadfabad0 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:64
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 112 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfad928 in dlt_en10mb_init ../../../src/tcpedit/plugins/dlt_en10mb/en10mb.c:113
#3 0xaaaaadfacbd8 in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:159
#4 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#5 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#6 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#8 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 20 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfadafc in dlt_en10mb_init ../../../src/tcpedit/plugins/dlt_en10mb/en10mb.c:109
#3 0xaaaaadfacbd8 in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:159
#4 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#5 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#6 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#8 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 10 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfb7038 in dlt_linuxsll2_register ../../../src/tcpedit/plugins/dlt_linuxsll2/linuxsll2.c:66
#3 0xaaaaadfabaac in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:61
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 10 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfbac04 in dlt_pppserial_register ../../../src/tcpedit/plugins/dlt_pppserial/pppserial.c:71
#3 0xaaaaadfabadc in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:65
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 10 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfb7e48 in dlt_ieee80211_register ../../../src/tcpedit/plugins/dlt_ieee80211/ieee80211.c:70
#3 0xaaaaadfabab8 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:62
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 9 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfb8ad8 in dlt_radiotap_register ../../../src/tcpedit/plugins/dlt_radiotap/radiotap.c:72
#3 0xaaaaadfabac4 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:63
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 9 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfb631c in dlt_linuxsll_register ../../../src/tcpedit/plugins/dlt_linuxsll/linuxsll.c:63
#3 0xaaaaadfabaa0 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:60
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 9 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfba1a0 in dlt_jnpr_ether_register ../../../src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c:75
#3 0xaaaaadfabad0 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:64
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 5 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfb0668 in dlt_en10mb_register ../../../src/tcpedit/plugins/dlt_en10mb/en10mb.c:61
#3 0xaaaaadfaba58 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:54
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 5 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfb2b90 in dlt_hdlc_register ../../../src/tcpedit/plugins/dlt_hdlc/hdlc.c:62
#3 0xaaaaadfaba64 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:55
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 5 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfb3cc8 in dlt_user_register ../../../src/tcpedit/plugins/dlt_user/user.c:62
#3 0xaaaaadfaba70 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:56
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 5 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfb5184 in dlt_null_register ../../../src/tcpedit/plugins/dlt_null/null.c:80
#3 0xaaaaadfaba88 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:58
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 5 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfb5694 in dlt_loop_register ../../../src/tcpedit/plugins/dlt_loop/loop.c:69
#3 0xaaaaadfaba94 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:59
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 4 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfb47b8 in dlt_raw_register ../../../src/tcpedit/plugins/dlt_raw/raw.c:63
#3 0xaaaaadfaba7c in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:57
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
SUMMARY: AddressSanitizer: 2058 byte(s) leaked in 27 allocation(s).
make[1]: *** [Makefile:1012: rewrite_vlan802.1ad] Error 1
[tcprewrite] VLAN Delete test: make[1]: *** [Makefile:1022: rewrite_vlandel] Error 1
[tcprewrite] Remove EFCS: make[1]: *** [Makefile:1031: rewrite_efcs] Error 1
[tcprewrite] Force TTL: make[1]: *** [Makefile:1039: rewrite_1ttl] Error 1
[tcprewrite] Increase TTL: make[1]: *** [Makefile:1047: rewrite_2ttl] Error 1
[tcprewrite] Reduce TTL: make[1]: *** [Makefile:1055: rewrite_3ttl] Error 1
[tcprewrite] Force TTL with header fix: make[1]: *** [Makefile:1063: rewrite_1ttl-hdrfix] Error 1
[tcprewrite] Increase TTL with header fix:make[1]: *** [Makefile:1071: rewrite_2ttl-hdrfix] Error 1
[tcprewrite] Reduce TTL with header fix: make[1]: *** [Makefile:1079: rewrite_3ttl-hdrfix] Error 1
[tcprewrite] TOS test: make[1]: *** [Makefile:1087: rewrite_tos] Error 1
[tcprewrite] MTU Truncate test: make[1]: *** [Makefile:1095: rewrite_mtutrunc] Error 1
[tcprewrite] Substitute Src/Dst MAC test: make[1]: *** [Makefile:914: rewrite_enet_subsmac] Error 1
[tcprewrite] Seeded MAC test: make[1]: *** [Makefile:924: rewrite_mac_seed] Error 1
[tcprewrite] Seeded Keep MAC test: make[1]: *** [Makefile:933: rewrite_mac_seed_keep] Error 1
[tcprewrite] L7 fuzzing test: make[1]: *** [Makefile:1103: rewrite_l7fuzzing] Error 1
[tcprewrite] TCP sequence test: make[1]: *** [Makefile:878: rewrite_sequence] Error 1
[tcprewrite] Fix checksum test: make[1]: *** [Makefile:1111: rewrite_fixcsum] Error 1
[tcprewrite] Fix length and pad test: make[1]: *** [Makefile:1119: rewrite_fixlen_pad] Error 1
[tcprewrite] Fix length and truncate test: make[1]: *** [Makefile:1127: rewrite_fixlen_trunc] Error 1
[tcprewrite] Fix length and delete test: make[1]: *** [Makefile:1135: rewrite_fixlen_del] Error 1
make[1]: Target 'test' not remade because of errors.
Fixed in PR #866
Describe the bug
tcprewrite in tcpreplay latest commit: 43693c4, v4.4.4 and v4.4.3 has a double free in function tcpedit_dlt_cleanup in plugins/dlt_plugins.c.
To Reproduce
Steps to reproduce the behavior:
The poc is available at poc.zip
Please unzip it first and then feed it into the tcprewrite binary.
Expected behavior
The ASAN report
Screenshots
If you reproduce successfully, you will see an output similar to the following screenshot.
![image-20230703105407101](https://user-images.githubusercontent.com/25703599/250432748-44485ada-0bc5-4e7b-923d-ae34cdeab4ef.png)
System (please complete the following information):