[Bug] tcprewrite SEGV plugins/dlt_jnpr_ether/jnpr_ether.c:167 in dlt_jnpr_ether_cleanup
CCyb3rN1nj4 opened this issue · 4 comments
Describe the bug
tcprewrite
SEGV plugins/dlt_jnpr_ether/jnpr_ether.c:167 in function dlt_jnpr_ether_cleanup
To Reproduce
Steps to reproduce the behavior:
1. Get the Tcpreplay source code and compile it.
git clone https://github.com/appneta/tcpreplay.git
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address -fPIE"
./configure --disable-shared
make -j8
cd bin
2. Run the command:
POC:https://github.com/GGb0ndQAQ/POC/blob/main/tcpreplay/tcprewrite/poc2
./tcprewrite --dlt=enet --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66 --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66 -i ./poc2 -o /dev/null
Warning: ./poc2 was captured using a snaplen of 50 bytes. This may mean you have truncated packets.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==913564==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5615797eef4e bp 0x7fffec90ba30 sp 0x7fffec90ba10 T0)
==913564==The signal is caused by a READ memory access.
==913564==Hint: address points to the zero page.
#0 0x5615797eef4e in dlt_jnpr_ether_cleanup plugins/dlt_jnpr_ether/jnpr_ether.c:167
#1 0x5615797ddd51 in tcpedit_dlt_cleanup plugins/dlt_plugins.c:450
#2 0x5615797cdee6 in tcpedit_close /home/lzy/CarpetFuzz/oss/tcpreplay/src/tcpedit/tcpedit.c:555
#3 0x5615797c9dcc in main /home/lzy/CarpetFuzz/oss/tcpreplay/src/tcprewrite.c:146
#4 0x7f37d6438564 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28564)
#5 0x5615797c722d in _start (/home/lzy/CarpetFuzz/oss/tcpreplay/build-g/bin/tcprewrite+0x1d22d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV plugins/dlt_jnpr_ether/jnpr_ether.c:167 in dlt_jnpr_ether_cleanup
==913564==ABORTING
gdb info
$ gdb --args ./tcprewrite --dlt=enet --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66 --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66 -i ./poc2 -o /dev/null
gef➤ r
162 if (plugin->config != NULL) {
163 /* clean up the en10mb plugin */
164 jnpr_ether_config_t *config;
165
166 config = (jnpr_ether_config_t *)ctx->encoder->config;
// config=0x00007fffffffe068 → 0x0000000000000000
→ 167 if (config->subctx != NULL)
168 tcpedit_dlt_cleanup(config->subctx);
169 safe_free(plugin->config);
170 plugin->config = NULL;
171 plugin->config_size = 0;
172 }
──────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "tcprewrite", stopped 0x555555598f4e in dlt_jnpr_ether_cleanup (), reason: SIGSEGV
───────────────────────────────────────────────────────────────────── trace ────
[#0] 0x555555598f4e → dlt_jnpr_ether_cleanup(ctx=0x60b0000000f0)
[#1] 0x555555587d52 → tcpedit_dlt_cleanup(ctx=0x60b0000000f0)
[#2] 0x555555577ee7 → tcpedit_close(tcpedit_ex=0x55555560d920 <tcpedit>)
[#3] 0x555555573dcd → main(argc=0x0, argv=0x7fffffffe238)
────────────────────────────────────────────────────────────────────────────────
gef➤ bt
#0 0x0000555555598f4e in dlt_jnpr_ether_cleanup (ctx=0x60b0000000f0) at plugins/dlt_jnpr_ether/jnpr_ether.c:167
#1 0x0000555555587d52 in tcpedit_dlt_cleanup (ctx=0x60b0000000f0) at plugins/dlt_plugins.c:450
#2 0x0000555555577ee7 in tcpedit_close (tcpedit_ex=0x55555560d920 <tcpedit>) at tcpedit.c:555
#3 0x0000555555573dcd in main (argc=0x0, argv=0x7fffffffe238) at tcprewrite.c:146
gef➤ print config->subctx
Cannot access memory at address 0x0
Environment
OS: Ubuntu 20.04.5 LTS
Compiler: gcc version 9.4.0
Tcpreplay Version: master commit 43693c4a92dda227a5134ae5e71a7247ae345323
IMPACT
Potentially causing DoS or Arbitrary Read
./install/bin/tcprewrite --dlt=enet --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66 --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66 -i ./poc2 -o /dev/null
Fatal Error: Unable to open input pcap file: unknown file format
The URL is directed to poc1 (https://github.com/GGb0ndQAQ/POC/blob/main/tcpreplay/tcprewrite/poc1), not poc2 (https://github.com/GGb0ndQAQ/POC/blob/main/tcpreplay/tcprewrite/poc2).
A possible fix is to check config before checking config->subctx.
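As an added illustration of the check order proposed in the comment above (this is example code written for this page, not tcpreplay's plugin source and not from anyone in the thread), the following stand-alone C program models the cleanup path from the gdb listing. The struct layouts, the scenario builders and the function names `dlt_jnpr_ether_cleanup_safe`, `scenario_from_report`, `scenario_nested` and `original_would_crash` are all assumptions made for the example. The point it shows is the one in the trace: the original code guards `plugin->config`, but then reads `ctx->encoder->config`, a different pointer that was NULL for this input, so the guard has to be on the pointer actually dereferenced.

```c
#include <stddef.h>
#include <stdlib.h>

/* Assumed, simplified stand-ins for the tcpedit DLT structures. Field names
 * follow the gdb listing in the report; the layouts are not tcpreplay's. */
typedef struct tcpeditdlt_ctx_s tcpeditdlt_ctx_t;

typedef struct {
    tcpeditdlt_ctx_t *subctx;      /* nested DLT context, NULL if never set up */
} jnpr_ether_config_t;

typedef struct {
    void *config;                  /* plugin-private state, NULL if unallocated */
    size_t config_size;
} tcpeditdlt_plugin_t;

struct tcpeditdlt_ctx_s {
    tcpeditdlt_plugin_t *plugin;   /* the jnpr_ether plugin record */
    tcpeditdlt_plugin_t *encoder;  /* plugin selected by --dlt; may be another one */
};

/* Models the original check order without performing the bad read: returns 1
 * if the original code would dereference a NULL config for this ctx. */
static int original_would_crash(const tcpeditdlt_ctx_t *ctx)
{
    if (ctx->plugin->config == NULL)           /* the only guard the original has */
        return 0;
    return ctx->encoder == NULL || ctx->encoder->config == NULL;
}

/* Hardened cleanup: both pointers are tested before use, and config is
 * checked before config->subctx. Returns the number of contexts torn down
 * (this ctx plus any sub-context chain) so the result can be checked. */
static int dlt_jnpr_ether_cleanup_safe(tcpeditdlt_ctx_t *ctx)
{
    int cleaned = 0;
    tcpeditdlt_plugin_t *plugin;
    jnpr_ether_config_t *config;

    if (ctx == NULL || ctx->plugin == NULL)
        return 0;
    plugin = ctx->plugin;
    if (plugin->config == NULL)
        return 0;

    config = (ctx->encoder != NULL) ? (jnpr_ether_config_t *)ctx->encoder->config : NULL;
    if (config != NULL && config->subctx != NULL) {
        cleaned += dlt_jnpr_ether_cleanup_safe(config->subctx);
        config->subctx = NULL;
    }

    free(plugin->config);
    plugin->config = NULL;
    plugin->config_size = 0;
    return cleaned + 1;
}

/* Constructed scenario mirroring the report: the jnpr_ether plugin owns a
 * config, but the encoder chosen by --dlt=enet is a different plugin whose
 * config is NULL, which is what the gdb session showed at line 167. */
static tcpeditdlt_ctx_t *scenario_from_report(void)
{
    static tcpeditdlt_plugin_t jnpr, enet;
    static tcpeditdlt_ctx_t ctx;

    jnpr.config = calloc(1, sizeof(jnpr_ether_config_t));
    jnpr.config_size = sizeof(jnpr_ether_config_t);
    enet.config = NULL;
    enet.config_size = 0;
    ctx.plugin = &jnpr;
    ctx.encoder = &enet;
    return &ctx;
}

/* Constructed normal case: the encoder is the jnpr_ether plugin itself and
 * its config carries one nested sub-context that must be cleaned as well. */
static tcpeditdlt_ctx_t *scenario_nested(void)
{
    static tcpeditdlt_plugin_t outer, inner;
    static tcpeditdlt_ctx_t ctx, sub;
    jnpr_ether_config_t *cfg;

    inner.config = calloc(1, sizeof(jnpr_ether_config_t));
    inner.config_size = sizeof(jnpr_ether_config_t);
    sub.plugin = &inner;
    sub.encoder = &inner;

    cfg = calloc(1, sizeof *cfg);
    cfg->subctx = &sub;
    outer.config = cfg;
    outer.config_size = sizeof *cfg;
    ctx.plugin = &outer;
    ctx.encoder = &outer;
    return &ctx;
}

int main(void)
{
    int crash = original_would_crash(scenario_from_report());    /* 1 */
    int a = dlt_jnpr_ether_cleanup_safe(scenario_from_report()); /* 1, no NULL read */
    int b = dlt_jnpr_ether_cleanup_safe(scenario_nested());      /* 2: ctx and subctx */
    return (crash == 1 && a == 1 && b == 2) ? 0 : 1;
}
```

The guard on `plugin->config` alone is not enough because `plugin` and `ctx->encoder` are looked up independently; the fix that matters is testing `config` (the encoder's config) before touching `config->subctx`, which is the comment's suggestion.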
./install/bin/tcprewrite --dlt=enet --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66 --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66 -i ./poc2 -o /dev/null
Fatal Error: Unable to open input pcap file: unknown file format
I updated the correct POC: https://github.com/GGb0ndQAQ/POC/blob/main/tcpreplay/tcprewrite/poc_dlt_jnpr_ether_cleanup
Sorry, I made a mistake with the poc. I apologize for wasting your time.