[Bug] NULL Pointer Dereference in parse_endpoints at cidr.c:338
Closed this issue · 4 comments
bigben-plusplus commented
Describe the bug
There is a NULL Pointer Dereference in parse_endpoints when the user passes an ill-formatted endpoints string to tcprewrite with option -e or --endpoints.
To Reproduce
Steps to reproduce the behavior:
- download the tcpreplay-4.4.4 release and build it
wget https://github.com/appneta/tcpreplay/releases/download/v4.4.4/tcpreplay-4.4.4.tar.xz
tar xJf tcpreplay-4.4.4.tar.xz && cd tcpreplay-4.4.4 && ./configure && make -j8 && make install
- inject an ill-formatted '--endpoints IP1:IP2' into tcprewrite; the program crashes when IP2 is absent
[root@b545adff9ebe dev]# tcpprep -c 172.17.0.1/32 -i in.pcap -o in.pcap.cache
[root@b545adff9ebe dev]# tcprewrite -e 1.1.1.1: -i in.pcap -c in.pcap.cache -o out.pcap
Segmentation fault (core dumped)
[root@b545adff9ebe dev]# tcprewrite -e 1.1.1.1 -i in.pcap -c in.pcap.cache -o out.pcap
Segmentation fault (core dumped)
[root@b545adff9ebe dev]# tcprewrite -e 1.1.1.1:2.2.2.2 -i in.pcap -c in.pcap.cache -o out.pcap
[root@b545adff9ebe dev]#
Expected behavior
Program crashes with SEGV.
Screenshots
[root@b545adff9ebe dev]# gdb tcprewrite
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-120.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/bin/tcprewrite...done.
(gdb) r -e 1.1.1.1: -i in.pcap -c in.pcap.cache -o out.pcap
Starting program: /usr/local/bin/tcprewrite -e 1.1.1.1: -i in.pcap -c in.pcap.cache -o out.pcap
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
strlcat (dst=0x7fffffffe54a "", dst@entry=0x7fffffffe540 "0.0.0.0/0:", src=src@entry=0x0, dsize=dsize@entry=92) at strlcat.c:44
44 while (*src != '\0') {
Missing separate debuginfos, use: debuginfo-install glibc-2.17-326.el7_9.3.x86_64 libpcap-1.5.3-13.el7_9.x86_64
(gdb) bt
#0 strlcat (dst=0x7fffffffe54a "", dst@entry=0x7fffffffe540 "0.0.0.0/0:", src=src@entry=0x0, dsize=dsize@entry=92) at strlcat.c:44
#1 0x000000000040fba1 in parse_endpoints (cidrmap1=cidrmap1@entry=0x633de0, cidrmap2=cidrmap2@entry=0x633de8, optarg=<optimized out>) at cidr.c:338
#2 0x0000000000404719 in tcpedit_post_args (tcpedit=0x633580) at parse_args.c:235
#3 0x000000000040268c in main (argc=0, argv=<optimized out>) at tcprewrite.c:84
(gdb)
System (please complete the following information):
- OS: CentOS Linux release 7.9.2009 (Core)
- Tcpreplay Version: 4.4.4
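An added example, not code from tcpreplay or from the reporter, showing the kind of up-front validation that keeps a missing second endpoint from ever reaching a string routine such as strlcat(). The struct and function names are hypothetical; it assumes IPv4 literals only, which is the form used in the report:

```c
/* Added example (not tcpreplay's code): a defensive parser for the
 * "IP1:IP2" string that the report above feeds to tcprewrite -e.
 * It refuses "1.1.1.1:" and "1.1.1.1" up front, so no NULL pointer
 * can reach a string function such as strlcat(). Names are hypothetical. */
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define ENDPOINT_MAX 64          /* generous for a dotted-quad literal */

struct endpoints {
    char ip1[ENDPOINT_MAX];
    char ip2[ENDPOINT_MAX];
};

/* Parse "IP1:IP2" (IPv4 literals only, an assumption of this example).
 * Returns 0 and fills *out on success, -1 on any malformed input. */
int parse_endpoints_safe(const char *optarg, struct endpoints *out)
{
    const char *sep;
    size_t len1, len2;
    struct in_addr scratch;

    if (optarg == NULL || out == NULL)
        return -1;

    sep = strchr(optarg, ':');
    if (sep == NULL)                       /* "1.1.1.1": no separator */
        return -1;

    len1 = (size_t)(sep - optarg);
    len2 = strlen(sep + 1);
    if (len1 == 0 || len2 == 0)            /* ":2.2.2.2" or "1.1.1.1:" */
        return -1;
    if (len1 >= ENDPOINT_MAX || len2 >= ENDPOINT_MAX)
        return -1;                         /* would not fit; never truncate silently */

    memcpy(out->ip1, optarg, len1);
    out->ip1[len1] = '\0';
    memcpy(out->ip2, sep + 1, len2);
    out->ip2[len2] = '\0';

    /* Each half must be a well-formed IPv4 literal before it is used. */
    if (inet_pton(AF_INET, out->ip1, &scratch) != 1 ||
        inet_pton(AF_INET, out->ip2, &scratch) != 1)
        return -1;

    return 0;
}

/* Helper for checks: 1 if s parses to exactly (want1, want2), else 0. */
int endpoints_equal(const char *s, const char *want1, const char *want2)
{
    struct endpoints e;

    if (parse_endpoints_safe(s, &e) != 0)
        return 0;
    return strcmp(e.ip1, want1) == 0 && strcmp(e.ip2, want2) == 0;
}

int main(void)
{
    /* Constructed inputs mirroring the three tcprewrite invocations in the report. */
    const char *inputs[] = { "1.1.1.1:", "1.1.1.1", "1.1.1.1:2.2.2.2" };
    struct endpoints e;
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        if (parse_endpoints_safe(inputs[i], &e) == 0)
            printf("%-18s -> ok: %s -> %s\n", inputs[i], e.ip1, e.ip2);
        else
            printf("%-18s -> rejected (both endpoints required)\n", inputs[i]);
    }
    return 0;
}
```

The point of the shape is that every reject path returns before anything is copied or concatenated, so a caller that then builds its internal "src/dst" strings only ever sees two non-empty, validated halves; an option parser that splits first and validates later is exactly where a NULL second half slips through.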
fklassen commented
Do you have a sample capture file? You can embed it in a .zip file.
bigben-plusplus commented
Do you have a sample capture file? You can embed it in a .zip file.
Hi, here is the pcap file in my case
in.pcap.zip
I think any valid pcap may reproduce the case.
fklassen commented
Could not download the attachment, but you are correct. It is recreatable with any PCAP file.