[Bug] Reachable assertion in tcpedit_dlt_cleanup() at plugins/dlt_plugins.c #780

Closed
Marsman1996 opened this issue Mar 1, 2023 · 5 comments · Fixed by #781
@Marsman1996 (Contributor)

Describe the bug
There is a reachable assertion in tcpedit_dlt_cleanup() when the user uses tcprewrite to open a crafted pcap file in DLT_JUNIPER_ETHER mode.

To Reproduce
Steps to reproduce the behavior:

  1. Get the Tcpreplay source code and compile it:
     $ ./configure
     $ make
  2. Run the command $ ./tcprewrite --dlt="jnpr_eth" -i $POC -o /dev/null
     The POC file could be downloaded here:
     POC file

Expected behavior
Program reports assertion failure and is terminated.

The GDB report:

$ gdb --args ./bin_normal/bin/tcprewrite --dlt="jnpr_eth" -i ./poc-tcprewrite-bcb107a-tcpedit_dlt_cleanup-assertion -o /dev/null

(gdb) r
Starting program: /home/ubuntu178/cvelibf/test/tcpreplay/latest/bin_normal/bin/tcprewrite --dlt=jnpr_eth -i ./poc-tcprewrite-bcb107a-tcpedit_dlt_cleanup-assertion -o /dev/null
Warning: ./poc-tcprewrite-bcb107a-tcpedit_dlt_cleanup-assertion was captured using a snaplen of 96 bytes.  This may mean you have truncated packets.
tcprewrite: plugins/dlt_plugins.c:462: tcpedit_dlt_cleanup: Assertion `ctx' failed.

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7d6d859 in __GI_abort () at abort.c:79
#2  0x00007ffff7d6d729 in __assert_fail_base (fmt=0x7ffff7f03588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x555555572ae6 "ctx", file=0x555555572ad0 "plugins/dlt_plugins.c", line=462, 
    function=<optimized out>) at assert.c:92
#3  0x00007ffff7d7ef36 in __GI___assert_fail (assertion=0x555555572ae6 "ctx", file=0x555555572ad0 "plugins/dlt_plugins.c", line=462, function=0x555555572fb0 <__PRETTY_FUNCTION__.7740> "tcpedit_dlt_cleanup")
    at assert.c:101
#4  0x000055555556156d in tcpedit_dlt_cleanup (ctx=0x0) at plugins/dlt_plugins.c:462
#5  0x0000555555569aca in dlt_jnpr_ether_cleanup (ctx=0x555555580090) at plugins/dlt_jnpr_ether/jnpr_ether.c:171
#6  0x000055555556158c in tcpedit_dlt_cleanup (ctx=0x555555580090) at plugins/dlt_plugins.c:466
#7  0x000055555555a763 in tcpedit_close (tcpedit_ex=0x55555557db60 <tcpedit>) at tcpedit.c:599
#8  0x0000555555558f02 in main (argc=0, argv=0x7fffffffde38) at tcprewrite.c:154

System (please complete the following information):

  • OS: Ubuntu
  • OS version: 20.04, 64 bit
  • Tcpreplay Version: master bcb107a
$ ./bin_normal/bin/tcprewrite -V
tcprewrite version: 4.4.3 (build git:v4.4.3)
Copyright 2013-2022 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
The entire Tcpreplay Suite is licensed under the GPLv3
Cache file supported: 04
Not compiled with libdnet.
Compiled against libpcap: 1.9.1
64 bit packet counters: enabled
Verbose printing via tcpdump: enabled
Fragroute engine: disabled
@Marsman1996 (Contributor, Author) commented Mar 1, 2023

This problem occurs because, in dlt_jnpr_ether_cleanup(), the program does not check subctx before calling tcpedit_dlt_cleanup().

#781 could fix this.

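The failure mode described above, an outer plugin cleanup that unconditionally hands its inner context to a routine that asserts on a non-NULL argument, can be modelled in isolation. The C program below is an added illustration written for this page, not code from tcpreplay: it builds a layered context with an optional subctx, a generic cleanup that asserts its argument (standing in for tcpedit_dlt_cleanup()), a plugin cleanup that forgets to test subctx (the bug as reported), and one that tests it (the fix). The names model_ctx_t, generic_dlt_cleanup, plugin_cleanup_unchecked, plugin_cleanup_checked and run_cleanup are this example's own, the assert is replaced by a counter so both paths can run in one process, and the example simply assumes that the crafted capture leaves subctx unallocated; the issue itself does not say how subctx ends up NULL.

```c
#include <stdio.h>
#include <stdlib.h>

/* Modelled plugin context: the outer jnpr_eth-style context carries an
 * optional inner DLT context (subctx). Names and layout are this example's
 * own, not tcpreplay's. */
typedef struct model_ctx {
    const char *name;
    struct model_ctx *subctx;   /* inner DLT context; NULL if never set up */
} model_ctx_t;

/* Stand-in for the assert(ctx) in tcpedit_dlt_cleanup(). A real assert
 * calls abort(); here the would-be abort is counted so that every path
 * can be exercised without killing the process. */
static int would_abort;

static void model_assert_fail(const char *expr, const char *func)
{
    fprintf(stderr, "Assertion `%s' failed in %s (would raise SIGABRT)\n",
            expr, func);
    would_abort++;
}

/* Analogue of the generic cleanup: insists on a non-NULL context, then
 * releases it. */
static void generic_dlt_cleanup(model_ctx_t *ctx)
{
    if (ctx == NULL) {
        model_assert_fail("ctx", __func__);
        return;
    }
    free(ctx);
}

/* Buggy plugin cleanup, as the report describes it: passes subctx to the
 * generic cleanup unconditionally, so a NULL subctx trips the assert. */
static void plugin_cleanup_unchecked(model_ctx_t *ctx)
{
    generic_dlt_cleanup(ctx->subctx);
    ctx->subctx = NULL;
}

/* Fixed plugin cleanup: descend into the inner context only if it exists. */
static void plugin_cleanup_checked(model_ctx_t *ctx)
{
    if (ctx->subctx != NULL) {
        generic_dlt_cleanup(ctx->subctx);
        ctx->subctx = NULL;
    }
}

/* Build the outer context. with_subctx == 0 models a run in which the inner
 * context was never allocated (assumed here to be what the crafted capture
 * produces; the issue does not state how subctx becomes NULL). */
static model_ctx_t *make_ctx(int with_subctx)
{
    model_ctx_t *ctx = calloc(1, sizeof *ctx);
    if (ctx == NULL)
        abort();
    ctx->name = "jnpr_eth";
    if (with_subctx) {
        ctx->subctx = calloc(1, sizeof *ctx->subctx);
        if (ctx->subctx == NULL)
            abort();
        ctx->subctx->name = "inner";
    }
    return ctx;
}

/* Run one cleanup scenario and return how many would-be aborts it caused:
 * 0 means the process would have exited normally, 1 means SIGABRT. */
int run_cleanup(int with_subctx, int fixed)
{
    would_abort = 0;
    model_ctx_t *ctx = make_ctx(with_subctx);
    if (fixed)
        plugin_cleanup_checked(ctx);
    else
        plugin_cleanup_unchecked(ctx);
    free(ctx);   /* the outer context is released by the caller either way */
    return would_abort;
}

int main(void)
{
    printf("unchecked cleanup, subctx NULL: %d abort(s)\n", run_cleanup(0, 0));
    printf("unchecked cleanup, subctx set:  %d abort(s)\n", run_cleanup(1, 0));
    printf("checked cleanup,   subctx NULL: %d abort(s)\n", run_cleanup(0, 1));
    printf("checked cleanup,   subctx set:  %d abort(s)\n", run_cleanup(1, 1));
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run: only the unchecked cleanup with a NULL subctx reports a would-be abort. The shape of the fix is the point worth carrying to other nested-context plugins: the outer cleanup owns the knowledge of whether an inner context was ever created, so the NULL test belongs there rather than being pushed onto a callee whose assert encodes a stricter contract.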
@fklassen fklassen self-assigned this Jun 4, 2023
@fklassen fklassen added the bug label Jun 4, 2023
@fklassen fklassen added this to To do in 4.4.4 via automation Jun 4, 2023
fklassen (Member) commented Jun 4, 2023

Thanks for the PR. Verified and targeted for v4.4.4

fklassen added a commit that referenced this issue Jun 4, 2023
fklassen (Member) commented Jun 4, 2023

Fixed in PR #780 and documented in PR #800.

@fklassen fklassen closed this as completed Jun 4, 2023
4.4.4 automation moved this from To do to Done Jun 4, 2023
@ArchanaWind

Hi @Marsman1996
Is this bug present in the tcpreplay-4.4.2 version as well?

Thanks in advance

@Marsman1996 (Contributor, Author)

> Hi @Marsman1996 Is this bug present in the tcpreplay-4.4.2 version as well?
>
> Thanks in advance

Hi @ArchanaWind

This bug is able to be triggered in tcpreplay-4.4.2.
I think it is reasonable since the check for config->subctx was not added.

Here is the test log:

❯ ./bin_normal/bin/tcprewrite --version
tcprewrite version: 4.4.2 (build git:v4.4.2)
Copyright 2013-2022 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
The entire Tcpreplay Suite is licensed under the GPLv3
Cache file supported: 04
Not compiled with libdnet.
Compiled against libpcap: 1.7.4
64 bit packet counters: enabled
Verbose printing via tcpdump: enabled
Fragroute engine: disabled

❯ gdb --args ./bin_normal/bin/tcprewrite --dlt="jnpr_eth" -i ./poc-tcprewrite-bcb107a-tcpedit_dlt_cleanup-assertion -o /dev/null

(gdb) r
Starting program: /opt/disk/marsman/tcpreplay/4.4.2/bin_normal/bin/tcprewrite --dlt=jnpr_eth -i ./poc-tcprewrite-bcb107a-tcpedit_dlt_cleanup-assertion -o /dev/null
Warning: ./poc-tcprewrite-bcb107a-tcpedit_dlt_cleanup-assertion was captured using a snaplen of 96 bytes.  This may mean you have truncated packets.
tcprewrite: ../../../code/src/tcpedit/plugins/dlt_plugins.c:462: tcpedit_dlt_cleanup: Assertion `ctx' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7801438 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7801438 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff780303a in __GI_abort () at abort.c:89
#2  0x00007ffff77f9be7 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x423ffa "ctx", file=file@entry=0x424410 "../../../code/src/tcpedit/plugins/dlt_plugins.c", line=line@entry=462, 
    function=function@entry=0x4246f0 <__PRETTY_FUNCTION__.7825> "tcpedit_dlt_cleanup") at assert.c:92
#3  0x00007ffff77f9c92 in __GI___assert_fail (assertion=assertion@entry=0x423ffa "ctx", file=file@entry=0x424410 "../../../code/src/tcpedit/plugins/dlt_plugins.c", line=line@entry=462, 
    function=function@entry=0x4246f0 <__PRETTY_FUNCTION__.7825> "tcpedit_dlt_cleanup") at assert.c:101
#4  0x00000000004091d3 in tcpedit_dlt_cleanup (ctx=<optimized out>) at ../../../code/src/tcpedit/plugins/dlt_plugins.c:462
#5  0x000000000040ecf2 in dlt_jnpr_ether_cleanup (ctx=0x637e60) at ../../../code/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c:171
#6  0x0000000000409136 in tcpedit_dlt_cleanup (ctx=0x637e60) at ../../../code/src/tcpedit/plugins/dlt_plugins.c:466
#7  0x00000000004044f3 in tcpedit_close (tcpedit_ex=tcpedit_ex@entry=0x635620 <tcpedit>) at ../../../code/src/tcpedit/tcpedit.c:599
#8  0x0000000000402a32 in main (argc=<optimized out>, argv=<optimized out>) at ../../code/src/tcprewrite.c:154
