I have found 2 bugs in pcapfix-1.1.7 by honggfuzz.
1- exceeds maximum in pcapng.c
The fuzzing report is as follows.
```
[] Reading from file: SIGSEGV-toomuchspace
[] Writing to file: fixed_SIGSEGV-toomuchspace
[] File size: 1538 bytes.
[+] This is a PCAPNG file.
[-] Unknown Byte Order Magic: 0x20747970 ==> CORRECTED.
[-] Major version number: 15437 ==> CORRECTED.
[-] Minor version number: 6699 ==> CORRECTED.
[-] Unknown option code: 0xffff (65535 bytes) ==> SKIPPING.
[-] Block size mismatch (0xffffffff != 0x000000ac) ==> CORRECTED.
[-] Found 914 bytes of unknown data ==> SKIPPING.
[] Progress: 61.51 %
[-] Missing IDB for Interface #0 ==> CREATING (#0).
[] Progress: 69.05 %
[-] Probably corrupted Interface ID #917504 (too high?) ==> CORRECTED.
[-] Missing IDB for Interface #1 ==> CREATING (#1).
[-] Enhanced packet data exceeds packet capture length (144839054 > 76) ==> CORRECTED.
[-] Block size mismatch (0x00000007 != 0x0000006c) ==> CORRECTED.
[-] Found 100 bytes of unknown data ==> SKIPPING.
[] Progress: 82.57 %
[-] Invalid Block size => CORRECTED.
==2193==ERROR: AddressSanitizer: requested allocation size 0xfffffffffffffffc (0x800 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
[Detaching after fork from child process 2197]
    #0 0x49647d in malloc (/home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcapfix+0x49647d)
    #1 0x4d666f in fix_pcapng /home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcapng.c:678:16
    #2 0x4c6d1e in main /home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcapfix.c
```
I think the flaw may be within the fix_pcapng function (line number 678) in pcapng.c, as follows. The range of the variable padding should be checked.
```c
/* read packet data from input file */
/* padding is taken from the block header in the file and is not range-checked before use */
data = malloc(padding); //line number 678
bytes = fread(data, padding, 1, pcap);
left -= padding;
```
2- stack overflow in pcap.c
The fuzzing report is as follows.
```
[] Reading from file: SIGABRT-stackoverflow1
[] Writing to file: fixed_SIGABRT-stackoverflow1
[] File size: 262170 bytes.
[] Unknown file type. Assuming PCAP format.
[] Analyzing Global Header...
[-] The global pcap header seems to be missing ==> CORRECTED!
[] Analyzing packets...
[*] End of file reached. Aligning last packet.
==2496==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffda60 at pc 0x00000043429e bp 0x7ffffffbd850 sp 0x7ffffffbd018
WRITE of size 262154 at 0x7fffffffda60 thread T0
[Attaching after Thread 0x7ffff7c21800 (LWP 2496) fork to child process 2500]
[New inferior 2 (process 2500)]
[Detaching after fork from parent process 2496]
[Inferior 1 (process 2496) detached]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
process 2500 is executing new program: /usr/lib/llvm-11/bin/llvm-symbolizer
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    #0 0x43429d in fread (/home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcapfix+0x43429d)
    #1 0x4cb06f in fix_pcap_packets /home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcap.c:627:19
    #2 0x4c8fb0 in fix_pcap /home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcap.c:353:9
    #3 0x4c6dba in main /home/kali/fuzzing_pcapfix/pcapfix-1.1.7/pcapfix.c
    #4 0x7ffff7c4a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
```
I think the flaw may be within the fix_pcap_packets function (line number 627) in pcap.c, as follows.
```c
/* read the packets body (size based on the just found next packets position) */
/* incl_len comes from the packet header in the file; buffer is a fixed-size local array */
fseeko(pcap, pos+sizeof(packet_hdr), SEEK_SET);
bytes = fread(&buffer, conint(packet_hdr.incl_len), 1, pcap); //line number 627
```
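Both reports above come down to the same defect class: a length field read from an untrusted file (padding in the first, incl_len in the second) reaches malloc() or fread() without being compared against the bytes remaining in the input or the size of the destination. The following is an added example and not pcapfix's own code; MAX_PACKET_LEN, PACKET_BUF_SIZE, the function names and the scratch-file helper are all assumptions made for illustration. It shows the check that would reject both reported values (0xfffffffffffffffc for padding, 262154 for incl_len) before any memory is touched, and it verifies fread()'s return instead of trusting it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound for one packet or padding region. A real tool
 * would take this from the format (the capture's snaplen, for instance);
 * 65535 is the largest snaplen classic pcap tooling commonly accepts. */
#define MAX_PACKET_LEN 65535u

/* Size of the fixed destination buffer, standing in for the stack buffer
 * fix_pcap_packets() reads into (assumed size for this example). */
#define PACKET_BUF_SIZE 65535u

/* Decide whether a length field from the untrusted file may size a read.
 *   len      - raw value from the file (padding, incl_len, ...)
 *   left     - bytes remaining in the input after the current position
 *   capacity - size of the destination the bytes will be written into
 * Each rejection maps onto one of the reported crashes: a wrapped or absurd
 * value (the 0xfffffffffffffffc malloc) or a value larger than the
 * destination (the 262154-byte fread into a fixed stack buffer). */
int length_is_safe(uint64_t len, uint64_t left, uint64_t capacity) {
    if (len == 0)             return 0;  /* nothing to read: caller should skip */
    if (len > MAX_PACKET_LEN) return 0;  /* out of range for the format */
    if (len > left)           return 0;  /* past end of file; also keeps a later
                                            'left -= len' from underflowing */
    if (len > capacity)       return 0;  /* would overflow the destination */
    return 1;
}

/* Heap variant (the 'padding' case): validate before malloc() and confirm
 * fread() delivered every byte. Returns NULL on rejection or short read. */
unsigned char *read_padding_checked(FILE *fp, uint64_t padding, uint64_t left) {
    if (!length_is_safe(padding, left, MAX_PACKET_LEN)) return NULL;
    unsigned char *data = malloc((size_t)padding);
    if (data == NULL) return NULL;
    if (fread(data, 1, (size_t)padding, fp) != padding) {
        free(data);
        return NULL;
    }
    return data;
}

/* Fixed-buffer variant (the 'incl_len' case): the destination size travels
 * with the pointer so the bound cannot be forgotten. Returns bytes read,
 * or 0 on rejection or short read. */
size_t read_packet_checked(FILE *fp, unsigned char *dst, size_t dst_size,
                           uint64_t incl_len, uint64_t left) {
    if (!length_is_safe(incl_len, left, dst_size)) return 0;
    if (fread(dst, 1, (size_t)incl_len, fp) != incl_len) return 0;
    return (size_t)incl_len;
}

/* Constructed stand-in for a fuzzer input: a scratch file of file_len
 * zero bytes. The caller supplies the length the header "claims". */
static FILE *constructed_input(size_t file_len) {
    FILE *fp = tmpfile();
    if (fp == NULL) return NULL;
    for (size_t i = 0; i < file_len; i++) fputc(0, fp);
    rewind(fp);
    return fp;
}

/* Returns 1 if a claimed padding length was accepted and read, 0 if it
 * was rejected, -1 if the scratch file could not be created. */
int try_claimed_padding(uint64_t padding, size_t file_len) {
    FILE *fp = constructed_input(file_len);
    if (fp == NULL) return -1;
    unsigned char *data = read_padding_checked(fp, padding, file_len);
    int accepted = data != NULL;
    free(data);
    fclose(fp);
    return accepted;
}

/* Same for a claimed incl_len read into a fixed local buffer. */
int try_claimed_incl_len(uint64_t incl_len, size_t file_len) {
    unsigned char buf[PACKET_BUF_SIZE];   /* the fixed destination */
    FILE *fp = constructed_input(file_len);
    if (fp == NULL) return -1;
    size_t got = read_packet_checked(fp, buf, sizeof buf, incl_len, file_len);
    fclose(fp);
    return got != 0;
}

int main(void) {
    /* The two lengths from the fuzzing reports, plus a sane one. */
    printf("padding 0xfffffffffffffffc accepted? %d\n",
           try_claimed_padding(0xfffffffffffffffcULL, 1538));
    printf("incl_len 262154 into %u-byte buffer accepted? %d\n",
           PACKET_BUF_SIZE, try_claimed_incl_len(262154, 262170));
    printf("incl_len 76 accepted? %d\n", try_claimed_incl_len(76, 1538));
    return 0;
}
```

The order of the checks matters less than the fact that all four happen before the allocation or read; the "left" comparison is the one that also prevents the unsigned underflow in the `left -= padding;` line of the first snippet, which is what turns a short block into a wrapped allocation size.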