[Bug] Double free in tcpedit_dlt_cleanup in tcprewrite #813
Comments
@fklassen, it seems that somehow freeing of sub-contexts actually frees something that gets freed again (not that I really understand the code). This particular plugin is calling these sub-context de-allocations, which then get called again. Are sub-contexts copies of contexts, and setting pointers of allocated memory to NULL in these copies isn't reflected in the originals, causing a double free?
It looks like this got CVE-2023-4256 assigned.
This is just a quick hack to prevent a double-free should tcpedit_dlt_cleanup() call itself, which can happen through dlt_jnpr_ether_cleanup() Ref: appneta#813
Hi, I had a look and it seems that juniper has an exception in the way the plugins work with regard to the extra buffer in question: tcpreplay works with the assumption that there only ever is a single link layer plugin, which is mostly true except here: Juniper has a special call to I also note that the plugin architecture is quite nice and should absolutely allow juniper to work as it does. I mean it would be a shame to break it IMHO. I won't have much time to work on this next month, but I'm willing to work on this after if you want. Also, this CVE does not seem that bad to me, but if I'm wrong I believe you could use 5ad9d1d701e644ed5b8821456e31acf2e72920c to work around this issue safely.
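The two mechanisms discussed in this thread, a sub-context that is a struct copy aliasing the same heap buffer as the original, and a cleanup routine that is re-entered through a plugin hook, can be modelled in a few lines of C. The example below is added here and is not tcpreplay's code: the `dlt_ctx_t` struct, the `cleanup_*` functions and the `plugin_hook` are invented stand-ins, and a small free tracker takes the place of the ASAN report by counting a second release of the same pointer instead of passing it to `free()` again. It shows the buggy copy-cleanup, an ownership-flag fix, and a re-entrancy guard in the spirit of the quick-hack commit.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of a link-layer (DLT) plugin context.
 * Not tcpreplay's real struct; names are invented for illustration. */
typedef struct {
    unsigned char *extra;  /* heap buffer that a sub-context copy may alias */
    bool owns_extra;       /* mitigation: only the owner releases it */
} dlt_ctx_t;

/* Minimal free tracker standing in for what ASAN reports on the real binary:
 * a pointer seen a second time is counted, not handed to free() again. */
#define MAX_TRACKED 16
static void *g_freed[MAX_TRACKED];
static int g_nfreed, g_double_frees, g_frees;

static void tracker_reset(void) { g_nfreed = g_double_frees = g_frees = 0; }

static void tracked_free(void *p)
{
    if (p == NULL)
        return;
    for (int i = 0; i < g_nfreed; i++) {
        if (g_freed[i] == p) {
            g_double_frees++;   /* calling free(p) here would be the real bug */
            return;
        }
    }
    if (g_nfreed < MAX_TRACKED)
        g_freed[g_nfreed++] = p;
    g_frees++;
    free(p);
}

/* Buggy cleanup: releases whatever the context points at. NULLing the
 * copy's pointer afterwards changes nothing in the original. */
static void cleanup_buggy(dlt_ctx_t *c)
{
    tracked_free(c->extra);
    c->extra = NULL;
}

/* Ownership fix: a sub-context copy drops its alias but never frees. */
static void cleanup_owned(dlt_ctx_t *c)
{
    if (c->owns_extra)
        tracked_free(c->extra);
    c->extra = NULL;
}

/* Cleans a context and a struct copy of it; returns detected double frees. */
int run_copy_scenario(bool use_ownership_fix)
{
    tracker_reset();
    dlt_ctx_t ctx = { .extra = malloc(64), .owns_extra = true };
    memset(ctx.extra, 0, 64);
    dlt_ctx_t sub = ctx;        /* struct copy shares the same heap pointer */
    sub.owns_extra = false;
    if (use_ownership_fix) {
        cleanup_owned(&sub);
        cleanup_owned(&ctx);
    } else {
        cleanup_buggy(&sub);
        cleanup_buggy(&ctx);
    }
    return g_double_frees;      /* 1 without the fix, 0 with it */
}

/* Re-entrancy guard in the spirit of the "quick hack" commit: a cleanup that
 * is entered again from a plugin hook it called returns immediately, so the
 * buffer is released exactly once, by the outermost call. */
static int g_cleanup_depth;
static void plugin_hook(dlt_ctx_t *c);

static void cleanup_guarded(dlt_ctx_t *c)
{
    if (g_cleanup_depth > 0)
        return;                 /* nested call: the outer frame will free */
    g_cleanup_depth++;
    plugin_hook(c);             /* plugin calls back into the top-level cleanup */
    tracked_free(c->extra);
    c->extra = NULL;
    g_cleanup_depth--;
}

static void plugin_hook(dlt_ctx_t *c)
{
    cleanup_guarded(c);         /* re-entrant call, the shape the commit message describes */
}

/* Returns the number of real frees performed (expected exactly 1). */
int run_reentrant_scenario(void)
{
    tracker_reset();
    dlt_ctx_t ctx = { .extra = malloc(64), .owns_extra = true };
    cleanup_guarded(&ctx);
    return g_frees;
}
```

The ownership flag addresses the root cause the first comment suspects (two structs, one buffer), while the depth guard only addresses the symptom of a cleanup calling itself; a reviewer would want the former in a permanent fix and would run the real binary under ASAN, as the reporter did, to confirm the second release no longer occurs.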
Describe the bug
tcprewrite in tcpreplay (latest commit 43693c4, v4.4.4 and v4.4.3) has a double free in the function tcpedit_dlt_cleanup in plugins/dlt_plugins.c.
To Reproduce
Steps to reproduce the behavior:
The poc is available at poc.zip
Please unzip it first and then feed it into the tcprewrite binary.
Expected behavior
The ASAN report
Screenshots
If you reproduce successfully, you will see an output similar to the following screenshot.
System (please complete the following information):