Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] tcprewrite SEGV in src/tcpedit/plugins/dlt_utils.c:58 function tcpedit_dlt_getplugin #811

Closed
CCyb3rN1nj4 opened this issue Jun 28, 2023 · 2 comments
Closed

[Bug] tcprewrite SEGV in src/tcpedit/plugins/dlt_utils.c:58 function tcpedit_dlt_getplugin #811

CCyb3rN1nj4 opened this issue Jun 28, 2023 · 2 comments
Assignees
@fklassen
Labels
bug

Comments

@CCyb3rN1nj4
Copy link

CCyb3rN1nj4 commented Jun 28, 2023
edited
Loading

Describe the bug

tcprewrite SEGV in src/tcpedit/plugins/dlt_utils.c:58 function tcpedit_dlt_getplugin.

To Reproduce

Steps to reproduce the behavior:
1.Get the Tcpreplay source code and compile it.

git clone https://github.com/appneta/tcpreplay.git

export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address -fPIE"

./configure --disable-shared 
make -j8
cd bin

2.Run Command:
POC:https://github.com/GGb0ndQAQ/POC/blob/main/tcpreplay/tcprewrite/poc1

./tcprewrite --dlt=enet  --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66 --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66   -i ./poc1 -o /dev/null
AddressSanitizer:DEADLYSIGNAL
=================================================================
==763996==ERROR: AddressSanitizer: SEGV on unknown address 0x161514131208 (pc 0x55578a79a153 bp 0x7fffe92d3a80 sp 0x7fffe92d3a60 T0)
==763996==The signal is caused by a READ memory access.
    #0 0x55578a79a153 in tcpedit_dlt_getplugin plugins/dlt_utils.c:58
    #1 0x55578a799609 in tcpedit_dlt_proto plugins/dlt_plugins.c:326
    #2 0x55578a7abc32 in dlt_jnpr_ether_proto plugins/dlt_jnpr_ether/jnpr_ether.c:309
    #3 0x55578a7996b1 in tcpedit_dlt_proto plugins/dlt_plugins.c:331
    #4 0x55578a7871ae in tcpedit_packet /home/lzy/CarpetFuzz/oss/tcpreplay/src/tcpedit/tcpedit.c:96
    #5 0x55578a786673 in rewrite_packets /home/lzy/CarpetFuzz/oss/tcpreplay/src/tcprewrite.c:293
    #6 0x55578a785d24 in main /home/lzy/CarpetFuzz/oss/tcpreplay/src/tcprewrite.c:137
    #7 0x7f766e203564 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28564)
    #8 0x55578a78322d in _start (/home/lzy/CarpetFuzz/oss/tcpreplay/build-g/bin/tcprewrite+0x1d22d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV plugins/dlt_utils.c:58 in tcpedit_dlt_getplugin
==763996==ABORTING

gdbinfo

$ gdb --args ./tcprewrite --dlt=enet  --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66 --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66   -i ./poc1  -o /dev/null
(gdb) r
Starting program: /home/lzy/CarpetFuzz/oss/tcpreplay/build-g/bin/tcprewrite --dlt=enet --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66 --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66 -i ../../build/bin/poc1 -o /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000555555588153 in tcpedit_dlt_getplugin (ctx=0x161514131200, dlt=1) at plugins/dlt_utils.c:58
58          ptr = ctx->plugins;
(gdb) bt
#0  0x0000555555588153 in tcpedit_dlt_getplugin (ctx=0x161514131200, dlt=1) at plugins/dlt_utils.c:58
#1  0x000055555558760a in tcpedit_dlt_proto (ctx=0x161514131200, dlt=1, packet=0x7ffff3fbea42 "", pktlen=-504) at plugins/dlt_plugins.c:326
#2  0x0000555555599c33 in dlt_jnpr_ether_proto (ctx=0x60b0000000f0, packet=0x7ffff3fbe800 "", pktlen=74) at plugins/dlt_jnpr_ether/jnpr_ether.c:309
#3  0x00005555555876b2 in tcpedit_dlt_proto (ctx=0x60b0000000f0, dlt=178, packet=0x7ffff3fbe800 "", pktlen=74) at plugins/dlt_plugins.c:331
#4  0x00005555555751af in tcpedit_packet (tcpedit=0x61d000000a80, pkthdr=0x7fffffffe020, pktdata=0x55555560d960 <pktdata_buff>, direction=TCPR_DIR_C2S) at tcpedit.c:96
#5  0x0000555555574674 in rewrite_packets (tcpedit_ctx=0x61d000000a80, pin=0x617000000080, pout=0x615000000300) at tcprewrite.c:293
#6  0x0000555555573d25 in main (argc=0, argv=0x7fffffffe228) at tcprewrite.c:137

     53  {
     54      tcpeditdlt_plugin_t *ptr;
     55  
     56      assert(ctx);
     57  
             // ctx=0x00007fffffffdd18  →  0x0000161514131200, ptr=0x00007fffffffdd28  →  [...]  →  0x000c00220000ac55
 →   58      ptr = ctx->plugins;
     59      if (ptr == NULL)
     60          return NULL;
     61  
     62      while (ptr->dlt != dlt && ptr->next != NULL) {
     63          ptr = ptr->next;
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "tcprewrite", stopped 0x555555588153 in tcpedit_dlt_getplugin (), reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x555555588153 → tcpedit_dlt_getplugin(ctx=0x161514131200, dlt=0x1)
[#1] 0x55555558760a → tcpedit_dlt_proto(ctx=0x161514131200, dlt=0x1, packet=0x7ffff3fbea42 "", pktlen=0xfffffe08)
[#2] 0x555555599c33 → dlt_jnpr_ether_proto(ctx=0x60b0000000f0, packet=0x7ffff3fbe800 "", pktlen=0x4a)
[#3] 0x5555555876b2 → tcpedit_dlt_proto(ctx=0x60b0000000f0, dlt=0xb2, packet=0x7ffff3fbe800 "", pktlen=0x4a)
[#4] 0x5555555751af → tcpedit_packet(tcpedit=0x61d000000a80, pkthdr=0x7fffffffe040, pktdata=0x55555560d960 <pktdata_buff>, direction=TCPR_DIR_C2S)
[#5] 0x555555574674 → rewrite_packets(tcpedit_ctx=0x61d000000a80, pin=0x617000000080, pout=0x615000000300)
[#6] 0x555555573d25 → main(argc=0x0, argv=0x7fffffffe248)
─────────────────────────────────────────────────────────────────────────────────────────
gef➤  print ctx->plugins
Cannot access memory at address 0x161514131208

Code in function src/tcpedit/plugins/dlt_utils.c:58

/*
 * find a given plugin struct in the context for a given DLT.  Returns NULL on failure
 */
tcpeditdlt_plugin_t *
tcpedit_dlt_getplugin(tcpeditdlt_t *ctx, int dlt)
{
    tcpeditdlt_plugin_t *ptr;

    assert(ctx);

    ptr = ctx->plugins;        <-------------- line 58
    if (ptr == NULL)
        return NULL;

    while (ptr->dlt != dlt && ptr->next != NULL) {
        ptr = ptr->next;
    }

    if (ptr->dlt == dlt)
        return ptr;

    return NULL;
}

Environment

OS: Ubuntu 20.04.5 LTS
Compiler: gcc version 9.4.0
Tcpreplay Version: master commit 43693c4a92dda227a5134ae5e71a7247ae345323

IMPACT

Potentially causing DoS or Arbitrary Read
@CCyb3rN1nj4
Copy link
Author

CCyb3rN1nj4 commented Jul 11, 2023
edited
Loading

I update the correct poc:https://github.com/GGb0ndQAQ/POC/blob/main/tcpreplay/tcprewrite/poc_tcpedit_dlt_getplugin

@fklassen fklassen self-assigned this Jun 6, 2024
@fklassen fklassen added the bug label Jun 6, 2024
fklassen added a commit that referenced this issue Jun 8, 2024
@fklassen
Bug #811 - add check for invalid jnpr header length
f96c4a1
fklassen added a commit that referenced this issue Jun 8, 2024
@fklassen
Bug #811 - add check for invalid jnpr header length
8f26a97
fklassen added a commit that referenced this issue Jun 8, 2024
@fklassen
Merge pull request #872 from appneta/Bug_#811_SEGV_tcprewrite_dlt_utils
6c32ff1 
Bug #811 - add check for invalid jnpr header length
@fklassen
Copy link
Member

fklassen commented Jun 8, 2024

Fixed in PR #872

@fklassen fklassen closed this as completed Jun 8, 2024
@github-project-automation github-project-automation bot moved this to Done in 4.5 Aug 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fklassen fklassen

Labels
bug
Projects
4.5
Status: Done
Milestone
No milestone
Development

No branches or pull requests
2 participants
@fklassen @CCyb3rN1nj4