Description
Etterfilter results in an invalid read of 8 bytes when parsing a crafted file.
As seen in the valgrind output, the issue occurs in the compile_tree function of the ef_compiler.c source file.
Steps to reproduce (run on current master ettercap branch):
raras@ubuntu: etterfilter crashfile
Expected output (possibly):
The file should not be parsed, and an error message should be printed stating that the file is invalid.
Actual output:
Segmentation Fault
POC crash file is also attached:
Valgrind output is as follows:
raras@ubuntu:~/Desktop$ valgrind etterfilter ~/Desktop/crash
==25860== Memcheck, a memory error detector
==25860== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==25860== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==25860== Command: etterfilter /home/raras/Desktop/crash
==25860==
etterfilter 0.8.2 copyright 2001-2015 Ettercap Development Team
14 protocol tables loaded:
DECODED DATA udp tcp esp gre icmp ipv6 ip arp wifi fddi tr eth
13 constants loaded:
VRRP OSPF GRE UDP TCP ESP ICMP6 ICMP PPTP PPPOE IP6 IP ARP
Parsing source file '/home/raras/Desktop/crash' done.
BUG at [/home/raras/Desktop/ettercap-master/utils/etterfilter/ef_compiler.c:compile_tree:242]
tree_root == NULL
==25860== Invalid read of size 8
==25860== at 0x4E4D7B9: clean_exit (in /usr/local/lib/libettercap.so.0.0.0)
==25860== by 0x4030B0: compile_tree (in /usr/local/bin/etterfilter)
==25860== by 0x4042D3: write_output (in /usr/local/bin/etterfilter)
==25860== by 0x4024BD: main (in /usr/local/bin/etterfilter)
==25860== Address 0x6bc2440 is 8 bytes after a block of size 24 alloc'd
==25860== at 0x4C2CC70: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25860== by 0x4041A2: globals_alloc (in /usr/local/bin/etterfilter)
==25860== by 0x4023AF: main (in /usr/local/bin/etterfilter)
==25860==
==25860== Invalid read of size 8
==25860== at 0x4E4D7BD: clean_exit (in /usr/local/lib/libettercap.so.0.0.0)
==25860== by 0x4030B0: compile_tree (in /usr/local/bin/etterfilter)
==25860== by 0x4042D3: write_output (in /usr/local/bin/etterfilter)
==25860== by 0x4024BD: main (in /usr/local/bin/etterfilter)
==25860== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==25860==
==25860==
==25860== Process terminating with default action of signal 11 (SIGSEGV)
==25860== Access not within mapped region at address 0x0
==25860== at 0x4E4D7BD: clean_exit (in /usr/local/lib/libettercap.so.0.0.0)
==25860== by 0x4030B0: compile_tree (in /usr/local/bin/etterfilter)
==25860== by 0x4042D3: write_output (in /usr/local/bin/etterfilter)
==25860== by 0x4024BD: main (in /usr/local/bin/etterfilter)
==25860== If you believe this happened as a result of a stack
==25860== overflow in your program's main thread (unlikely but
==25860== possible), you can try to increase the size of the
==25860== main thread stack using the --main-stacksize= flag.
==25860== The main thread stack size used in this run was 8388608.
==25860==
==25860== HEAP SUMMARY:
==25860== in use at exit: 29,146 bytes in 536 blocks
==25860== total heap usage: 644 allocs, 108 frees, 199,745 bytes allocated
==25860==
==25860== LEAK SUMMARY:
==25860== definitely lost: 8 bytes in 1 blocks
==25860== indirectly lost: 0 bytes in 0 blocks
==25860== possibly lost: 0 bytes in 0 blocks
==25860== still reachable: 29,138 bytes in 535 blocks
==25860== suppressed: 0 bytes in 0 blocks
==25860== Rerun with --leak-check=full to see details of leaked memory
==25860==
==25860== For counts of detected and suppressed errors, rerun with: -v
==25860== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault
Thanks,
Raj
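Added example, not ettercap's code and not part of this report: a hypothetical C sketch of the shape the expected behaviour above implies. The parse result is validated before compilation and a missing tree is reported to the user as an invalid input file rather than treated as an internal BUG, and the cleanup path checks every pointer so it is safe to call from partially initialized state (the valgrind trace shows the fault occurring inside clean_exit itself, first reading 8 bytes past a 24-byte block from globals_alloc and then dereferencing NULL). All names here (struct globals, compile_filter, globals_cleanup, run_compiler) and the tree layout are assumptions, not ettercap's types or functions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a filter compiler's state; not ettercap's own types. */
struct node {
    int opcode;
    struct node *left;
    struct node *right;
};

struct globals {
    struct node *tree_root;   /* NULL when the parser produced no expression tree */
    char *source_path;
    FILE *output;             /* left NULL until an output file is actually opened */
};

static struct node *make_node(int opcode, struct node *l, struct node *r)
{
    struct node *n = calloc(1, sizeof *n);
    if (!n)
        return NULL;
    n->opcode = opcode;
    n->left = l;
    n->right = r;
    return n;
}

static void free_tree(struct node *n)
{
    if (!n)
        return;
    free_tree(n->left);
    free_tree(n->right);
    free(n);
}

/* Count nodes; stands in for the real work of emitting filter opcodes. */
static int count_nodes(const struct node *n)
{
    if (!n)
        return 0;
    return 1 + count_nodes(n->left) + count_nodes(n->right);
}

struct globals *globals_init(const char *source_path)
{
    struct globals *g = calloc(1, sizeof *g);
    if (!g)
        return NULL;
    size_t len = strlen(source_path) + 1;
    g->source_path = malloc(len);
    if (!g->source_path) {
        free(g);
        return NULL;
    }
    memcpy(g->source_path, source_path, len);
    return g;
}

/* Error-path cleanup that tolerates partially initialized state: every
 * pointer is checked before use, so it is safe from any failure point. */
void globals_cleanup(struct globals *g)
{
    if (!g)
        return;
    if (g->output)
        fclose(g->output);
    free_tree(g->tree_root);
    free(g->source_path);
    free(g);
}

/* Compile the parsed tree. An empty tree is an input error reported to the
 * user, not an internal invariant violation. Returns the number of compiled
 * nodes, or -1 when there is nothing valid to compile. */
int compile_filter(struct globals *g)
{
    if (!g || !g->tree_root) {
        const char *path = (g && g->source_path) ? g->source_path : "(unknown)";
        fprintf(stderr, "invalid filter file '%s': no expressions to compile\n", path);
        return -1;
    }
    return count_nodes(g->tree_root);
}

/* Driver: takes ownership of parsed_root and returns the exit status to use. */
int run_compiler(const char *source_path, struct node *parsed_root)
{
    struct globals *g = globals_init(source_path);
    if (!g) {
        free_tree(parsed_root);
        return 2;
    }
    g->tree_root = parsed_root;
    int rc = compile_filter(g);
    globals_cleanup(g);   /* safe whether or not compilation succeeded */
    return rc < 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs: an empty parse (what a crafted file yields) and a tiny valid tree. */
    printf("empty parse -> exit %d\n", run_compiler("crash", NULL));
    struct node *t = make_node(1, make_node(2, NULL, NULL), make_node(3, NULL, NULL));
    printf("valid tree  -> exit %d\n", run_compiler("good.ecf", t));
    return 0;
}
```

The point of the shape is that the failure path never touches a field it has not verified: with an empty parse the driver exits 1 with a diagnostic, and the same cleanup routine runs whether the tree was compiled or not.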