Heap Overflow in fast_edit_packet()

[SegfaultMasters]

There exists a heap-buffer-overflow in function fast_edit_packet() in the file send_packets.c of tcpreplay (v4.3). The issue can be reproduced when provided with an crafted pcap file as an input to the tcpreplay binary.

Affected version:

4.3 branch

Command:

sudo tcpreplay -i eno1 -t -K --loop 4 --unique-ip $POC

Debugging

    287      switch (ether_type) {
    288      case ETHERTYPE_IP:
    289          ip_hdr = (ipv4_hdr_t *)(packet + l2_len);
                // ip_hdr=0xbfffeb3c -> [...] -> 0x00000000
-> 290           src_ip_orig = src_ip = ntohl(ip_hdr->ip_src.s_addr); //Overflow triggered 
    291          dst_ip_orig = dst_ip = ntohl(ip_hdr->ip_dst.s_addr);
    292          break;
    293

gef> p/d ip_hdr->ip_src.s_addr
$33 = 43200
gef> p/d src_ip
$34 = 727806
gef> p/d src_ip_orig
$35 = 28

ASAN output

==3984==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb48002ca at pc 0x0804d6c6 bp 0xbfffeb08 sp 0xbfffeaf8
READ of size 4 at 0xb48002ca thread T0
    #0 0x804d6c5 in fast_edit_packet /home/loginsoft/ACE/tcpreplay/src/send_packets.c:290
    #1 0x804f9c0 in send_packets /home/loginsoft/ACE/tcpreplay/src/send_packets.c:569
    #2 0x8060aa4 in replay_file /home/loginsoft/ACE/tcpreplay/src/replay.c:188
    #3 0x805f8c1 in tcpr_replay_index /home/loginsoft/ACE/tcpreplay/src/replay.c:61
    #4 0x805e791 in tcpreplay_replay /home/loginsoft/ACE/tcpreplay/src/tcpreplay_api.c:1135
    #5 0x8056186 in main /home/loginsoft/ACE/tcpreplay/src/tcpreplay.c:139
    #6 0xb784c636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #7 0x804a7a0  (/usr/local/bin/tcpreplay+0x804a7a0)

0xb48002cc is located 0 bytes to the right of 28-byte region [0xb48002b0,0xb48002cc)
allocated by thread T0 here:
    #0 0xb7ae7dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x8065642 in _our_safe_malloc /home/loginsoft/ACE/tcpreplay/src/common/utils.c:50
    #2 0x8052efd in get_next_packet /home/loginsoft/ACE/tcpreplay/src/send_packets.c:1044
    #3 0x804e921 in preload_pcap_file /home/loginsoft/ACE/tcpreplay/src/send_packets.c:445
    #4 0x805615b in main /home/loginsoft/ACE/tcpreplay/src/tcpreplay.c:126
    #5 0xb784c636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/loginsoft/ACE/tcpreplay/src/send_packets.c:290 fast_edit_packet
Shadow bytes around the buggy address:
  0x36900000: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
  0x36900010: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x36900020: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x36900030: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
  0x36900040: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
=>0x36900050: 00 00 00 fa fa fa 00 00 00[04]fa fa 00 00 00 fa
  0x36900060: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa fd fd
  0x36900070: fd fd fa fa fd fd fd fd fa fa fd fd fd fa fa fa
  0x36900080: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x36900090: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x369000a0: fd fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==3984==ABORTING

glibc detection

*** Error in `tcpreplay': corrupted size vs. prev_size: 0x0825bd50 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x67377)[0xb7d0c377]
/lib/i386-linux-gnu/libc.so.6(+0x6d2f7)[0xb7d122f7]
/lib/i386-linux-gnu/libc.so.6(+0x6d6fe)[0xb7d126fe]
/lib/i386-linux-gnu/libc.so.6(+0x6e395)[0xb7d13395]
tcpreplay[0x8053cf6]
tcpreplay[0x804f7ea]
tcpreplay[0x804e56b]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf7)[0xb7cbd637]
tcpreplay[0x804a671]
======= Memory map: ========
08048000-0804a000 r--p 00000000 08:01 2641698    /usr/local/bin/tcpreplay
0804a000-08059000 r-xp 00002000 08:01 2641698    /usr/local/bin/tcpreplay
08059000-08060000 r--p 00011000 08:01 2641698    /usr/local/bin/tcpreplay
08060000-08061000 r--p 00017000 08:01 2641698    /usr/local/bin/tcpreplay
08061000-08062000 rw-p 00018000 08:01 2641698    /usr/local/bin/tcpreplay
08062000-08065000 rw-p 00000000 00:00 0
08254000-08275000 rw-p 00000000 00:00 0          [heap]
b7b00000-b7b21000 rw-p 00000000 00:00 0
b7b21000-b7c00000 ---p 00000000 00:00 0
b7ca4000-b7ca5000 rw-p 00000000 00:00 0
b7ca5000-b7e55000 r-xp 00000000 08:01 786798     /lib/i386-linux-gnu/libc-2.23.so
b7e55000-b7e57000 r--p 001af000 08:01 786798     /lib/i386-linux-gnu/libc-2.23.so
b7e57000-b7e58000 rw-p 001b1000 08:01 786798     /lib/i386-linux-gnu/libc-2.23.so
b7e58000-b7e5b000 rw-p 00000000 00:00 0
b7e5b000-b7e7b000 r-xp 00000000 08:01 2241910    /usr/lib/i386-linux-gnu/libopts.so.25.16.1
b7e7b000-b7e7c000 r--p 0001f000 08:01 2241910    /usr/lib/i386-linux-gnu/libopts.so.25.16.1
b7e7c000-b7e7d000 rw-p 00020000 08:01 2241910    /usr/lib/i386-linux-gnu/libopts.so.25.16.1
b7e7d000-b7ebf000 r-xp 00000000 08:01 2230579    /usr/lib/i386-linux-gnu/libpcap.so.1.7.4
b7ebf000-b7ec0000 ---p 00042000 08:01 2230579    /usr/lib/i386-linux-gnu/libpcap.so.1.7.4
b7ec0000-b7ec1000 r--p 00042000 08:01 2230579    /usr/lib/i386-linux-gnu/libpcap.so.1.7.4
b7ec1000-b7ec2000 rw-p 00043000 08:01 2230579    /usr/lib/i386-linux-gnu/libpcap.so.1.7.4
b7ec9000-b7ee5000 r-xp 00000000 08:01 786836     /lib/i386-linux-gnu/libgcc_s.so.1
b7ee5000-b7ee6000 rw-p 0001b000 08:01 786836     /lib/i386-linux-gnu/libgcc_s.so.1
b7ee6000-b7ee8000 rw-p 00000000 00:00 0
b7ee8000-b7eeb000 r--p 00000000 00:00 0          [vvar]
b7eeb000-b7eed000 r-xp 00000000 00:00 0          [vdso]
b7eed000-b7f10000 r-xp 00000000 08:01 786770     /lib/i386-linux-gnu/ld-2.23.so
b7f10000-b7f11000 r--p 00022000 08:01 786770     /lib/i386-linux-gnu/ld-2.23.so
b7f11000-b7f12000 rw-p 00023000 08:01 786770     /lib/i386-linux-gnu/ld-2.23.so
bf8e8000-bf909000 rw-p 00000000 00:00 0          [stack]
Aborted

Reproducer File

[carnil]

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17580 was assigned for this issue

[mkubecek]

This is a truncated IPv4 packet: 14 bytes of ethernet header and 14 bytes of IPv4 header (so that the packet ends at the middle of source address field). The problem is that pkthdr->caplen = 60 but pkthdr->len = 28. Apparently libpcap does not guarantee caplen <= len even if the description seems to imply that. And even if it we fix that in libpcap, unfixed versions will be around for quite some time.

How about a wrapper for pcap_next() which would set pkthdrlen->caplen to pkthdr->len when the former is bigger?

[fklassen]

That's a good suggestion. Currently planning some vacation, which is the only time I have to really work on this project. Hopefully I can try that out next week.

[fklassen]

Documented in PR #485. Fixed in PR #484.