[Bug] Double free in tcpedit_dlt_cleanup in tcprewrite
iskindar opened this issue · 8 comments
Describe the bug
tcprewrite in tcpreplay (latest commit 43693c4, v4.4.4 and v4.4.3) has a double free in function tcpedit_dlt_cleanup in plugins/dlt_plugins.c.
To Reproduce
Steps to reproduce the behavior:
- Get the Tcpreplay source code and build it with ASAN.
# Build with ASAN
export CC=gcc
export CXX=g++
export CFLAGS="-g -fsanitize=address"
export CXXFLAGS="-g -fsanitize=address"
./autogen.sh
./configure && make -j
- Run tcprewrite with provided poc
tcprewrite -i poc -o /dev/null
The poc is available at [poc.zip](https://github.com/appneta/tcpreplay/files/12090735/poc.zip)
Please unzip it first and then feed it into the tcprewrite binary.
Expected behavior
The ASAN report
==72056==ERROR: AddressSanitizer: attempting double-free on 0x603000000040 in thread T0:
#0 0x7f10d91ff40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
#1 0x555929e48229 in our_safe_free /benchmark/tcpreplay/src/common/utils.c:113
#2 0x555929e2dbe6 in tcpedit_dlt_cleanup plugins/dlt_plugins.c:466
#3 0x555929e1dc35 in tcpedit_close /benchmark/tcpreplay/src/tcpedit/tcpedit.c:555
#4 0x555929e19cd1 in main /benchmark/tcpreplay/src/tcprewrite.c:146
#5 0x7f10d8e8f082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#6 0x555929e1714d in _start (/validate_binary/tcprewrite+0x1c14d)
0x603000000040 is located 0 bytes inside of 20-byte region [0x603000000040,0x603000000054)
freed by thread T0 here:
#0 0x7f10d91ff40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
#1 0x555929e48229 in our_safe_free /benchmark/tcpreplay/src/common/utils.c:113
#2 0x555929e2dbe6 in tcpedit_dlt_cleanup plugins/dlt_plugins.c:466
#3 0x555929e3eceb in dlt_jnpr_ether_cleanup plugins/dlt_jnpr_ether/jnpr_ether.c:168
#4 0x555929e2dac3 in tcpedit_dlt_cleanup plugins/dlt_plugins.c:450
#5 0x555929e1dc35 in tcpedit_close /benchmark/tcpreplay/src/tcpedit/tcpedit.c:555
#6 0x555929e19cd1 in main /benchmark/tcpreplay/src/tcprewrite.c:146
#7 0x7f10d8e8f082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
previously allocated by thread T0 here:
#0 0x7f10d91ff808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x555929e47f77 in our_safe_malloc /benchmark/tcpreplay/src/common/utils.c:42
#2 0x555929e2f400 in dlt_en10mb_init plugins/dlt_en10mb/en10mb.c:109
#3 0x555929e2c804 in tcpedit_dlt_init plugins/dlt_plugins.c:148
#4 0x555929e3eab4 in dlt_jnpr_ether_post_init plugins/dlt_jnpr_ether/jnpr_ether.c:138
#5 0x555929e2cf36 in tcpedit_dlt_post_init plugins/dlt_plugins.c:251
#6 0x555929e2cc41 in tcpedit_dlt_post_args plugins/dlt_plugins.c:202
#7 0x555929e20842 in tcpedit_post_args /benchmark/tcpreplay/src/tcpedit/parse_args.c:242
#8 0x555929e1985a in main /benchmark/tcpreplay/src/tcprewrite.c:84
#9 0x7f10d8e8f082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
SUMMARY: AddressSanitizer: double-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122 in __interceptor_free
==72056==ABORTING
Screenshots
If you reproduce successfully, you will see an output similar to the following screenshot.
System (please complete the following information):
- OS: Ubuntu 20.04 (docker images)
- Tcpreplay Version v4.4.4 and v4.4.3
$ ./tcprewrite --version
tcprewrite version: 4.4.4 (build git:v4.4.4-1-g43693c4a)
Copyright 2013-2022 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
The entire Tcpreplay Suite is licensed under the GPLv3
Cache file supported: 04
Not compiled with libdnet.
Compiled against libpcap: 1.9.1
64 bit packet counters: enabled
Verbose printing via tcpdump: disabled
Fragroute engine: disable
@fklassen, it seems that somehow freeing of sub-contexts actually frees something that gets freed again (not that I really understand the code). This particular plugin is calling these sub-context de-allocations, which then get called again.
Are sub-contexts copies of contexts and setting pointers of allocated memory to NULL in these copies isn't reflected in the originals, causing double free?
It looks like this got CVE-2023-4256 assigned.
Hi,
I had a look and it seems that juniper has an exception in the way the plugins work with regard to the extra buffer in question: tcpreplay works with the assumption that there only ever is a single link layer plugin, which is mostly true except here: Juniper has a special call to tcpedit_dlt_copy_decoder_state() which causes the ctx and subctx to share a reference to the decoded_extra buffer, and the double call through the backtrace as said in this description indeed causes the issue.
I also note that the plugin architecture is quite nice and should absolutely allow juniper to work as it does. I mean it would be a shame to break it IMHO.
Since each plugin is working with the assumption that it owns the decoded_extra buffer, I suggest to just give each one its own. That would cost a bit more, but not significantly so, and it would also enable the ability to rewrite one link layer into another.
I won't have much time to work on this next month, but I'm willing to work on this after if you want.
Also, this CVE does not seem that bad to me, but if I'm wrong I believe you could use 5ad9d1d701e644ed5b8821456e31acf2e72920c to work around this issue safely.
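The ownership problem described in the comment above, as an added example that is not part of the thread and is not tcpreplay code: a reduced C model in which a parent context either shares its nested context's decoded_extra pointer or gets its own copy, with a recording allocator so that a second free of the same address is counted instead of executed. The struct, enum and function names are hypothetical; only the decoded_extra field name and the 20-byte size are taken from the issue.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EXTRA_LEN 20 /* size of the region in the ASAN report */
#define MAX_SLOTS 16

/* Allocation registry: frees are recorded and the real free() is deferred to
 * registry_reset(), so a second free of one address is counted, not executed. */
struct slot { void *p; int freed; };
static struct slot slots[MAX_SLOTS];
static int nslots;
static int double_free_attempts;

static void registry_reset(void)
{
    for (int i = 0; i < nslots; i++)
        free(slots[i].p);
    nslots = 0;
    double_free_attempts = 0;
}

static void *tracked_malloc(size_t n)
{
    void *p = calloc(1, n);
    if (p == NULL || nslots == MAX_SLOTS)
        abort();
    slots[nslots].p = p;
    slots[nslots].freed = 0;
    nslots++;
    return p;
}

static void tracked_free(void *p)
{
    if (p == NULL)
        return;
    for (int i = 0; i < nslots; i++) {
        if (slots[i].p != p)
            continue;
        if (slots[i].freed)
            double_free_attempts++; /* the condition ASAN aborts on */
        slots[i].freed = 1;
        return;
    }
}

static int live_count(void)
{
    int n = 0;
    for (int i = 0; i < nslots; i++)
        n += !slots[i].freed;
    return n;
}

/* Hypothetical stand-in for a link-layer plugin context. */
struct ctx_model {
    unsigned char *decoded_extra;
    struct ctx_model *subctx; /* nested context owned by this one */
};

enum copy_mode { COPY_SHARE_POINTER, COPY_OWN_BUFFER };

/* Assumption: models "ctx and subctx share a reference" as a pointer copy. */
static void copy_decoder_state(struct ctx_model *dst,
                               const struct ctx_model *src, enum copy_mode mode)
{
    if (mode == COPY_SHARE_POINTER) {
        dst->decoded_extra = src->decoded_extra; /* two owners, one buffer */
        return;
    }
    if (dst->decoded_extra == NULL)
        dst->decoded_extra = tracked_malloc(EXTRA_LEN);
    memcpy(dst->decoded_extra, src->decoded_extra, EXTRA_LEN);
}

static void ctx_cleanup(struct ctx_model *c)
{
    if (c->subctx != NULL) {
        ctx_cleanup(c->subctx); /* nested cleanup runs first */
        c->subctx = NULL;
    }
    tracked_free(c->decoded_extra);
    c->decoded_extra = NULL; /* clears this context's copy of the pointer only */
    tracked_free(c);
}

struct result { int double_free_attempts; int leaked; };

static struct result run_scenario(enum copy_mode mode)
{
    registry_reset();
    struct ctx_model *outer = tracked_malloc(sizeof(*outer));
    outer->subctx = tracked_malloc(sizeof(*outer->subctx));
    outer->subctx->decoded_extra = tracked_malloc(EXTRA_LEN);
    copy_decoder_state(outer, outer->subctx, mode);
    ctx_cleanup(outer);
    struct result r = { double_free_attempts, live_count() };
    return r;
}

int main(void)
{
    struct result shared = run_scenario(COPY_SHARE_POINTER);
    printf("shared: double frees=%d leaked=%d\n", shared.double_free_attempts, shared.leaked);
    struct result owned = run_scenario(COPY_OWN_BUFFER);
    printf("owned:  double frees=%d leaked=%d\n", owned.double_free_attempts, owned.leaked);
    registry_reset();
    return 0;
}
```

Setting the pointer to NULL after freeing protects only the context that did the free; the other context still holds the stale address, which is why the model counts one double free in the shared case and none, with nothing left allocated, when each context owns its buffer.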
Reopening. It appears that the #855 fix has introduced some memory leaks:
../configure --with-testnic=enp0s5 --with-testnic2=enp0s5 --enable-asan
$ make
$ sudo make test
echo Making test in ./test
Making test in ./test
cd ./test && make test
make[1]: Entering directory '/home/parallels/git/tcpreplay/build/test'
NOTICE: Tests must be run as root
Sending traffic on 'enp0s5' and 'enp0s5'
[tcpprep] Auto/Router mode test: OK
[tcpprep] Auto/Bridge mode test: OK
[tcpprep] Auto/Client mode test: OK
[tcpprep] Auto/Server mode test: OK
[tcpprep] Auto/First mode test: OK
[tcpprep] CIDR mode test: OK
[tcpprep] Regex mode test: make[1]: *** [Makefile:737: regex] Error 1
[tcpprep] Port mode test: OK
[tcpprep] MAC mode test: OK
[tcpprep] Comment mode test: OK
[tcpprep] Print info mode test: OK
[tcpprep] Print comment mode test: OK
[tcpprep] Config mode test: OK
[tcpprep] MAC reverse mode test: OK
[tcpprep] CIDR reverse mode test: OK
[tcpprep] Regex reverse mode test: make[1]: *** [Makefile:783: regex_reverse] Error 1
[tcpprep] exclude packets test: make[1]: *** [Makefile:804: exclude_packets] Error 1
[tcpprep] include packets test: make[1]: *** [Makefile:811: include_packets] Error 1
[tcpprep] include source test: make[1]: *** [Makefile:818: include_source] Error 1
[tcpprep] include destination test: make[1]: *** [Makefile:825: include_dest] Error 1
[tcpreplay] Basic test: OK
[tcpreplay] Nano timer test: OK
[tcpreplay] Cache test: OK
[tcpreplay] Packets/sec test: OK
[tcpreplay] Mbps test: OK
[tcpreplay] Topspeed test: OK
[tcpreplay] Config file/VLAN add test: OK
[tcpreplay] Multiplier test: OK
[tcpreplay] Packets/sec Multiplier test: OK
[tcpreplay] Precache test: OK
[tcpreplay] Statistics test: OK
[tcpreplay] Dual file test: OK
[tcpreplay] Maximum sleep test: OK
[tcprewrite] Portmap test: make[1]: *** [Makefile:862: rewrite_portmap] Error 1
[tcprewrite] Portmap range test: make[1]: *** [Makefile:870: rewrite_range_portmap] Error 1
[tcprewrite] Endpoint test: make[1]: *** [Makefile:886: rewrite_endpoint] Error 1
[tcprewrite] Pseudo NAT test: make[1]: *** [Makefile:895: rewrite_pnat] Error 1
[tcprewrite] Truncate test: make[1]: *** [Makefile:942: rewrite_trunc] Error 1
[tcprewrite] Pad test: make[1]: *** [Makefile:950: rewrite_pad] Error 1
[tcprewrite] Seed IP test: make[1]: *** [Makefile:958: rewrite_seed] Error 1
[tcprewrite] Src/Dst MAC test: make[1]: *** [Makefile:904: rewrite_mac] Error 1
[tcprewrite] Layer2 test: make[1]: *** [Makefile:966: rewrite_layer2] Error 1
[tcprewrite] Config/VLAN Add test: make[1]: *** [Makefile:975: rewrite_config] Error 1
[tcprewrite] Skip bcast test: make[1]: *** [Makefile:983: rewrite_skip] Error 1
[tcprewrite] DLT User test: make[1]: *** [Makefile:994: rewrite_dltuser] Error 1
[tcprewrite] DLT Cisco HDLC test: make[1]: *** [Makefile:1003: rewrite_dlthdlc] Error 1
[tcprewrite] VLAN 802.1ad test:
=================================================================
==377184==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 112 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacaec in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:129
#3 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#4 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#5 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#6 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#7 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfb7dcc in dlt_ieee80211_register ../../../src/tcpedit/plugins/dlt_ieee80211/ieee80211.c:58
#4 0xaaaaadfabab8 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:62
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfbab88 in dlt_pppserial_register ../../../src/tcpedit/plugins/dlt_pppserial/pppserial.c:61
#4 0xaaaaadfabadc in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:65
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfb6fb8 in dlt_linuxsll2_register ../../../src/tcpedit/plugins/dlt_linuxsll2/linuxsll2.c:55
#4 0xaaaaadfabaac in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:61
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfb5108 in dlt_null_register ../../../src/tcpedit/plugins/dlt_null/null.c:68
#4 0xaaaaadfaba88 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:58
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfb4738 in dlt_raw_register ../../../src/tcpedit/plugins/dlt_raw/raw.c:54
#4 0xaaaaadfaba7c in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:57
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfb5614 in dlt_loop_register ../../../src/tcpedit/plugins/dlt_loop/loop.c:57
#4 0xaaaaadfaba94 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:59
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfb05bc in dlt_en10mb_register ../../../src/tcpedit/plugins/dlt_en10mb/en10mb.c:51
#4 0xaaaaadfaba58 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:54
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfb629c in dlt_linuxsll_register ../../../src/tcpedit/plugins/dlt_linuxsll/linuxsll.c:51
#4 0xaaaaadfabaa0 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:60
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfb3c48 in dlt_user_register ../../../src/tcpedit/plugins/dlt_user/user.c:50
#4 0xaaaaadfaba70 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:56
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfb2ae4 in dlt_hdlc_register ../../../src/tcpedit/plugins/dlt_hdlc/hdlc.c:50
#4 0xaaaaadfaba64 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:55
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfb8a5c in dlt_radiotap_register ../../../src/tcpedit/plugins/dlt_radiotap/radiotap.c:60
#4 0xaaaaadfabac4 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:63
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 144 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfacfd8 in tcpedit_dlt_newplugin ../../../src/tcpedit/plugins/dlt_utils.c:105
#3 0xaaaaadfba100 in dlt_jnpr_ether_register ../../../src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c:64
#4 0xaaaaadfabad0 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:64
#5 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#6 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#7 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#8 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 112 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfad928 in dlt_en10mb_init ../../../src/tcpedit/plugins/dlt_en10mb/en10mb.c:113
#3 0xaaaaadfacbd8 in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:159
#4 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#5 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#6 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#8 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 20 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf64c in our_safe_malloc ../../../src/common/utils.c:42
#2 0xaaaaadfadafc in dlt_en10mb_init ../../../src/tcpedit/plugins/dlt_en10mb/en10mb.c:109
#3 0xaaaaadfacbd8 in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:159
#4 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#5 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#6 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#8 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 10 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfb7038 in dlt_linuxsll2_register ../../../src/tcpedit/plugins/dlt_linuxsll2/linuxsll2.c:66
#3 0xaaaaadfabaac in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:61
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 10 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfbac04 in dlt_pppserial_register ../../../src/tcpedit/plugins/dlt_pppserial/pppserial.c:71
#3 0xaaaaadfabadc in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:65
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 10 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfb7e48 in dlt_ieee80211_register ../../../src/tcpedit/plugins/dlt_ieee80211/ieee80211.c:70
#3 0xaaaaadfabab8 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:62
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 9 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfb8ad8 in dlt_radiotap_register ../../../src/tcpedit/plugins/dlt_radiotap/radiotap.c:72
#3 0xaaaaadfabac4 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:63
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 9 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfb631c in dlt_linuxsll_register ../../../src/tcpedit/plugins/dlt_linuxsll/linuxsll.c:63
#3 0xaaaaadfabaa0 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:60
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 9 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfba1a0 in dlt_jnpr_ether_register ../../../src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c:75
#3 0xaaaaadfabad0 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:64
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 5 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfb0668 in dlt_en10mb_register ../../../src/tcpedit/plugins/dlt_en10mb/en10mb.c:61
#3 0xaaaaadfaba58 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:54
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 5 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfb2b90 in dlt_hdlc_register ../../../src/tcpedit/plugins/dlt_hdlc/hdlc.c:62
#3 0xaaaaadfaba64 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:55
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 5 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfb3cc8 in dlt_user_register ../../../src/tcpedit/plugins/dlt_user/user.c:62
#3 0xaaaaadfaba70 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:56
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 5 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfb5184 in dlt_null_register ../../../src/tcpedit/plugins/dlt_null/null.c:80
#3 0xaaaaadfaba88 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:58
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 5 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfb5694 in dlt_loop_register ../../../src/tcpedit/plugins/dlt_loop/loop.c:69
#3 0xaaaaadfaba94 in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:59
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
Indirect leak of 4 byte(s) in 1 object(s) allocated from:
#0 0xffffaa6aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaaadfbf78c in our_safe_strdup ../../../src/common/utils.c:90
#2 0xaaaaadfb47b8 in dlt_raw_register ../../../src/tcpedit/plugins/dlt_raw/raw.c:63
#3 0xaaaaadfaba7c in tcpedit_dlt_register ../../../src/tcpedit/plugins/dlt_plugins.c:57
#4 0xaaaaadfacb0c in tcpedit_dlt_init ../../../src/tcpedit/plugins/dlt_plugins.c:140
#5 0xaaaaadf9f6e0 in tcpedit_init ../../../src/tcpedit/tcpedit.c:378
#6 0xaaaaadf9f19c in main ../../src/tcprewrite.c:77
#7 0xffffaa3873f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0xffffaa3874c8 in __libc_start_main_impl ../csu/libc-start.c:392
#9 0xaaaaadf9c96c in _start (/home/parallels/git/tcpreplay/build/src/tcprewrite+0x1c96c)
SUMMARY: AddressSanitizer: 2058 byte(s) leaked in 27 allocation(s).
make[1]: *** [Makefile:1012: rewrite_vlan802.1ad] Error 1
[tcprewrite] VLAN Delete test: make[1]: *** [Makefile:1022: rewrite_vlandel] Error 1
[tcprewrite] Remove EFCS: make[1]: *** [Makefile:1031: rewrite_efcs] Error 1
[tcprewrite] Force TTL: make[1]: *** [Makefile:1039: rewrite_1ttl] Error 1
[tcprewrite] Increase TTL: make[1]: *** [Makefile:1047: rewrite_2ttl] Error 1
[tcprewrite] Reduce TTL: make[1]: *** [Makefile:1055: rewrite_3ttl] Error 1
[tcprewrite] Force TTL with header fix: make[1]: *** [Makefile:1063: rewrite_1ttl-hdrfix] Error 1
[tcprewrite] Increase TTL with header fix:make[1]: *** [Makefile:1071: rewrite_2ttl-hdrfix] Error 1
[tcprewrite] Reduce TTL with header fix: make[1]: *** [Makefile:1079: rewrite_3ttl-hdrfix] Error 1
[tcprewrite] TOS test: make[1]: *** [Makefile:1087: rewrite_tos] Error 1
[tcprewrite] MTU Truncate test: make[1]: *** [Makefile:1095: rewrite_mtutrunc] Error 1
[tcprewrite] Substitute Src/Dst MAC test: make[1]: *** [Makefile:914: rewrite_enet_subsmac] Error 1
[tcprewrite] Seeded MAC test: make[1]: *** [Makefile:924: rewrite_mac_seed] Error 1
[tcprewrite] Seeded Keep MAC test: make[1]: *** [Makefile:933: rewrite_mac_seed_keep] Error 1
[tcprewrite] L7 fuzzing test: make[1]: *** [Makefile:1103: rewrite_l7fuzzing] Error 1
[tcprewrite] TCP sequence test: make[1]: *** [Makefile:878: rewrite_sequence] Error 1
[tcprewrite] Fix checksum test: make[1]: *** [Makefile:1111: rewrite_fixcsum] Error 1
[tcprewrite] Fix length and pad test: make[1]: *** [Makefile:1119: rewrite_fixlen_pad] Error 1
[tcprewrite] Fix length and truncate test: make[1]: *** [Makefile:1127: rewrite_fixlen_trunc] Error 1
[tcprewrite] Fix length and delete test: make[1]: *** [Makefile:1135: rewrite_fixlen_del] Error 1
make[1]: Target 'test' not remade because of errors.
@fklassen - I'm getting confused regarding which PR is supposed to fix the actual https://nvd.nist.gov/vuln/detail/CVE-2023-4256 CVE?
In the latest changelog file I can see that PR #851 is fixing the issue, but on the other hand I do not see it linked to this issue.
I wanted to backport the CVE fix for the product. So it would be helpful if you clarify regarding the fix. Thanks.
@fklassen - I'm getting confused regarding which PR is supposed to fix the actual https://nvd.nist.gov/vuln/detail/CVE-2023-4256 CVE?
In CHANGELOG, CVE-2023-4256 is correctly identified issue #813 as being fixed by PR #851. You may need to apply PR #711 before PR #851 as it touches the same line of code.
There was some confusion regarding Issue #813 because the initial bug fix that was submitted introduced other issues. That was backed out, and this new fix was applied.