NULL pointer dereference get_ipv6_l4proto()

[SegfaultMasters]

Description - we observed a NULL pointer dereference occured in function get_ipv6_l4proto() located at get.c .The same be triggered by sending a crafted pcap file to the tcpreplay-edit binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Command - tcpreplay-edit -r 80:84 -s 20 -b -C -m 1500 -P --oneatatime -i $INTERFACE $POC

POC - REPRODUCER

Debug -

GDB -

Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax : 0x0 
$rbx : 0x5555557aac20 → 0x00005555557b56a0 → 0x0000337330706e65 ("enp0s3"?)
$rcx : 0xed 
$rdx : 0x8 
$rsp : 0x7fffffffdad0 → 0x000000c5ffffdb20
$rbp : 0x7fffffffdb00 → 0x00007fffffffdb70 → 0x00007fffffffdbb0 → 0x00007fffffffdc50 → 0x00007fffffffdda0 → 0x00007fffffffdef0 → 0x00007fffffffdf20 → 0x00007fffffffdfb0
$rsi : 0xc5 
$rdi : 0x7ffff7fcd6ae → 0x7ffff7b8f5600000
$rip : 0x55555557694c → <get_ipv6_l4proto+194> movzx eax, BYTE PTR [rax]
$r8 : 0x2f 
$r9 : 0x7ffff7e4d010 → 0x0000000000000000
$r10 : 0x5555557b9700 → 0x0000000000000000
$r11 : 0x7ffff78d6000 → <__fread_chk+0> push r13
$r12 : 0x5555555599e0 → <_start+0> xor ebp, ebp
$r13 : 0x7fffffffe4d0 → 0x000000000000000e
$r14 : 0x0 
$r15 : 0x0 
$eflags: [zero CARRY PARITY adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$fs: 0x0000 $ds: 0x0000 $ss: 0x002b $es: 0x0000 $gs: 0x0000 $cs: 0x0033 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffdad0│+0x00: 0x000000c5ffffdb20 ← $rsp
0x00007fffffffdad8│+0x08: 0x00007ffff7e4d01e → 0x80000000ed000062 ("b"?)
0x00007fffffffdae0│+0x10: 0x00000a555c5ace1f
0x00007fffffffdae8│+0x18: 0x00fdebbbffffdb70
0x00007fffffffdaf0│+0x20: 0x00007ffff7fcd6ae → 0x7ffff7b8f5600000
0x00007fffffffdaf8│+0x28: 0x0000000000000000
0x00007fffffffdb00│+0x30: 0x00007fffffffdb70 → 0x00007fffffffdbb0 → 0x00007fffffffdc50 → 0x00007fffffffdda0 → 0x00007fffffffdef0 → 0x00007fffffffdf20 → 0x00007fffffffdfb0 ← $rbp
0x00007fffffffdb08│+0x38: 0x0000555555569599 → <do_checksum+201> movzx eax, al
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
0x55555557693f <get_ipv6_l4proto+181> call 0x555555576798 <get_ipv6_next>
0x555555576944 <get_ipv6_l4proto+186> mov QWORD PTR [rbp-0x8], rax
0x555555576948 <get_ipv6_l4proto+190> mov rax, QWORD PTR [rbp-0x8]
→ 0x55555557694c <get_ipv6_l4proto+194> movzx eax, BYTE PTR [rax]
0x55555557694f <get_ipv6_l4proto+197> mov BYTE PTR [rbp-0x11], al
0x555555576952 <get_ipv6_l4proto+200> mov rax, QWORD PTR [rbp-0x8]
0x555555576956 <get_ipv6_l4proto+204> mov QWORD PTR [rbp-0x10], rax
0x55555557695a <get_ipv6_l4proto+208> jmp 0x555555576962 <get_ipv6_l4proto+216>
0x55555557695c <get_ipv6_l4proto+210> movzx eax, BYTE PTR [rbp-0x11]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:get.c+539 ]────
534 case TCPR_IPV6_NH_ROUTING:
535 case TCPR_IPV6_NH_DESTOPTS:
536 case TCPR_IPV6_NH_HBH:
537 dbgx(3, "Jumping to next extension header (0x%hhx)", proto);
538 exthdr = get_ipv6_next((struct tcpr_ipv6_ext_hdr_base *)ptr, len);
// exthdr=0x00007fffffffdaf8 → 0x0000000000000000
→ 539 proto = exthdr->ip_nh;
540 ptr = (u_char *)exthdr;
541 break;
542 
543 /* should be TCP, UDP or the like */
544 default:
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "tcpreplay-edit", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x55555557694c → Name: get_ipv6_l4proto(ip6_hdr=0x7ffff7e4d01e, len=0xc5)
[#1] 0x555555569599 → Name: do_checksum(tcpedit=0x5555557b86c0, data=0x7ffff7e4d01e "b", proto=0x0, len=0xed)
[#2] 0x555555565fbc → Name: fix_ipv4_checksums(tcpedit=0x5555557b86c0, pkthdr=0x7fffffffdd30, ip_hdr=0x7ffff7e4d01e)
[#3] 0x555555564991 → Name: tcpedit_packet(tcpedit=0x5555557b86c0, pkthdr=0x7fffffffdca0, pktdata=0x7fffffffdc90, direction=TCPR_DIR_C2S)
[#4] 0x55555555c589 → Name: send_packets(ctx=0x5555557aa260, pcap=0x5555557ba860, idx=0x0)
[#5] 0x555555563169 → Name: replay_file(ctx=0x5555557aa260, idx=0x0)
[#6] 0x555555562a1b → Name: tcpr_replay_index(ctx=0x5555557aa260)
[#7] 0x555555562341 → Name: tcpreplay_replay(ctx=0x5555557aa260)
[#8] 0x55555555f112 → Name: main(argc=0x1, argv=0x7fffffffe540)


gef➤ p exthdr
Cannot access memory at address 0x0
gef➤ p exthdr->ip_nh 
Cannot access memory at address 0x0

[carnil]

CVE-2019-8377 was assigned for this issue.

[fklassen]

Fixed in PR #544 & #546