AddressSanitizer: 2 heap-buffer-overflow problems (packet2tree() && get_l2len()) #530
Comments
fixed in PR #532
Two CVEs were assigned here: CVE-2018-20552 and CVE-2018-20553.
Hi, your patch for CVE-2018-20552 isn't right. The crash occurs at the following code:
The overflow is caused by the line tree.c:751, which doesn't check whether ip_hl is proper.
As this PoC shows, it makes ip_hl 0xb, which is bigger than the right value.
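The ip_hl check the comment above asks for, as an added defensive example that is not tcpreplay's code nor the fix from PR #532: the IPv4 header-length field is validated against the bytes actually captured before anything past the fixed header is read. The 14-byte Ethernet offset and the sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimum IPv4 header: ip_hl = 5 words = 20 bytes (RFC 791). */
#define IPV4_MIN_HDR_LEN 20

/*
 * Validate the IPv4 header length before it is used as an offset.
 * l2len is the already-validated layer-2 header length; caplen is the
 * number of bytes actually captured for this packet.  Returns the IP
 * header length in bytes, or -1 if the header is malformed or would
 * extend past the captured data.
 */
static int checked_ipv4_hdr_len(const uint8_t *pkt, size_t caplen, size_t l2len)
{
    if (pkt == NULL || caplen < l2len)
        return -1;
    size_t remaining = caplen - l2len;

    /* Refuse to read any IP field unless the fixed header is present. */
    if (remaining < IPV4_MIN_HDR_LEN)
        return -1;

    const uint8_t *ip = pkt + l2len;
    if ((ip[0] >> 4) != 4)              /* version nibble must be 4 */
        return -1;

    unsigned ip_hl = ip[0] & 0x0f;      /* header length in 32-bit words */
    size_t hdr_len = (size_t)ip_hl * 4;

    /* ip_hl below 5 is invalid; above the capture would read out of bounds. */
    if (hdr_len < IPV4_MIN_HDR_LEN || hdr_len > remaining)
        return -1;

    return (int)hdr_len;
}

/* Constructed samples (not the report's PoC files): 14-byte Ethernet header
 * followed by 20 bytes of IPv4; only the version/ip_hl byte is set. */
static const uint8_t sample_ok[34]     = {[14] = 0x45}; /* ip_hl = 5  -> 20 bytes */
static const uint8_t sample_hl_0xb[34] = {[14] = 0x4b}; /* ip_hl = 11 -> 44 bytes claimed */
static const uint8_t sample_hl_3[34]   = {[14] = 0x43}; /* ip_hl = 3  -> below minimum */

int main(void)
{
    printf("ok:     %d\n", checked_ipv4_hdr_len(sample_ok, sizeof sample_ok, 14));
    printf("hl=0xb: %d\n", checked_ipv4_hdr_len(sample_hl_0xb, sizeof sample_hl_0xb, 14));
    printf("hl=3:   %d\n", checked_ipv4_hdr_len(sample_hl_3, sizeof sample_hl_3, 14));
    return 0;
}
```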
Reopening to investigate
The patch for CVE-2018-20553 is also wrong.
Prevent heap buffer overflow by checking packet lengths in packet2tree()
Both tested on Ubuntu 18.04, 64-bit, gcc 7.3.0, tcpreplay (master 2d87447).
tcpprep -V
returns

Triggered by
./tcpprep --auto=bridge --pcap=$POC --cachefile=/dev/null
POC1
poc file:
https://github.com/Marsman1996/pocs/blob/master/tcpreplay/poc15-packet2tree-heapoverflow
ASAN info:
POC2
poc file:
https://github.com/Marsman1996/pocs/blob/master/tcpreplay/poc16-get_l2len-heapoverflow
ASAN info: