stack-buffer-overflow in tcpcapinfo #405
Comments
I see a different error. My error suggests (correctly) that the file has ended abruptly. What is the output of
Did you build with ASan? No output in the non-ASan build. OS: Ubuntu 16.04.2 32bit
@gy741 Pardon my ignorance. What is ASan?
AddressSanitizer (aka ASan) is a memory error detector for C/C++. You can enable an ASan build by installing clang and enabling the "-fsanitize=address" option. My compile command:

```
CFLAGS="-fsanitize=address -ggdb3" CXXFLAGS="-fsanitize=address -ggdb3" LDFLAGS="-fsanitize=address -ggdb3" ./configure --disable-local-libopts --disable-libopts-install && make
```

Reference: https://github.com/google/sanitizers/wiki/AddressSanitizer Thanks.
Thanks for the insight. I think I can use that in other projects. I have found lots of issues with clang static code analysis. I'm sure I'll find more with ASan. It will take some work to get this to work in my dev environment. I am on Debian 7 and have to add
Security researchers are using ASan a lot. The tcpreplay tool is a great tool. Please let me know if PoC reproduction fails. I will provide you with a virtual machine. Thanks.
This looks very similar to #278 but that was patched. Wondering if it is the same issue but the previous patch was incomplete?
@attritionorg thanks. Reopening #278
Please consider an additional size check as below. It avoids the crash for and also several more found by afl. Also, please make the buffer size a constant.
--- a/src/tcpcapinfo.c
+++ b/src/tcpcapinfo.c
@@ -306,6 +306,14 @@
last_usec = pcap_ph.ts.tv_usec;
}
+ if (caplen > 10000) {
+ printf("\n\nCapture file appears to be damaged or corrupt.\n"
+ "Contains packet of size %u, bigger than buffer length %u\n",
+ caplen, 10000);
+ close(fd);
+ break;
+ }
+
/* read the frame */
if ((ret = read(fd, &buf, caplen)) != caplen) {
if (ret < 0) { Cheers, |
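Review bot: the added block hardcodes the buffer size as the literal 10000 twice, once in the condition and once as the printf argument, while the buffer it protects is declared elsewhere, so the check can silently drift from the declaration; tie it to the buffer instead, e.g. `if (caplen > sizeof(buf)) {` with `(unsigned)sizeof(buf)` in the message, or introduce the named constant this comment itself asks for and use it in both places. Placing the check before the read is right, since the overrun happens inside `read(fd, &buf, caplen)` and the existing short-read test on the following lines only catches a file that ends early.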
@cbiedl thanks. I'll try it out this weekend.
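The read pattern this thread is about, as an added example that is neither tcpreplay's code nor the patch above: a minimal pcap record walker in C. `walk_pcap_unchecked()` reproduces the shape of the bug (a caplen taken straight from the file decides how many bytes land in a fixed stack buffer), and `walk_pcap_checked()` adds the bound, tied to `sizeof(buf)` rather than a literal so it cannot drift from the declaration. The pcap "file" is an image constructed in memory by `make_pcap()`, the copy stands in for `read(fd, &buf, caplen)`, and the function names, the 10000-byte buffer size and the sample images are this example's own assumptions.

```c
/* Added example, not tcpreplay's code and not the patch above: a minimal pcap
 * record walker shaped like tcpcapinfo's read loop. walk_pcap_unchecked()
 * copies caplen bytes from the file into a fixed stack buffer with no bound;
 * walk_pcap_checked() adds the size check, tied to sizeof(buf) rather than a
 * literal. The "file" is an in-memory image built by make_pcap(). All names
 * and the 10000-byte buffer size are this example's own assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC     0xa1b2c3d4u  /* little-endian pcap magic */
#define PCAP_FILE_HDR  24           /* global header length */
#define PCAP_REC_HDR   16           /* per-record header: ts_sec, ts_usec, caplen, len */
#define FRAME_BUF_SIZE 10000        /* assumed to match the buffer the patch bounds */

enum { WALK_OK = 0, WALK_BAD_MAGIC = 1, WALK_TRUNCATED = 2, WALK_OVERSIZED = 3 };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Constructed input: a one-record pcap image whose record header claims
 * `claimed_caplen` bytes while only `payload_bytes` of 'A' actually follow.
 * `out` must hold PCAP_FILE_HDR + PCAP_REC_HDR + payload_bytes bytes. */
size_t make_pcap(uint8_t *out, uint32_t claimed_caplen, size_t payload_bytes)
{
    memset(out, 0, PCAP_FILE_HDR + PCAP_REC_HDR);
    put_le32(out, PCAP_MAGIC);
    out[4] = 2; out[6] = 4;             /* version 2.4 */
    put_le32(out + 16, 65535);          /* snaplen: advisory, not a bound a reader can trust */
    put_le32(out + 20, 1);              /* linktype: Ethernet */
    uint8_t *rec = out + PCAP_FILE_HDR;
    put_le32(rec + 8, claimed_caplen);  /* caplen comes straight from the file */
    put_le32(rec + 12, claimed_caplen); /* len */
    memset(rec + PCAP_REC_HDR, 'A', payload_bytes);
    return PCAP_FILE_HDR + PCAP_REC_HDR + payload_bytes;
}

/* The vulnerable shape. read(fd, &buf, caplen) is modelled by copying what
 * remains of the file, up to caplen, exactly as read() would: a caplen above
 * sizeof(buf) with enough file bytes behind it writes past the stack buffer.
 * Only ever call this on well-formed input. */
int walk_pcap_unchecked(const uint8_t *img, size_t imglen, unsigned *npkts)
{
    uint8_t buf[FRAME_BUF_SIZE];
    *npkts = 0;
    if (imglen < PCAP_FILE_HDR || le32(img) != PCAP_MAGIC) return WALK_BAD_MAGIC;
    for (size_t off = PCAP_FILE_HDR; off < imglen; ) {
        if (imglen - off < PCAP_REC_HDR) return WALK_TRUNCATED;
        uint32_t caplen = le32(img + off + 8);
        off += PCAP_REC_HDR;
        size_t avail = imglen - off;
        size_t got = caplen < avail ? caplen : avail;
        memcpy(buf, img + off, got);              /* no bound against sizeof(buf) */
        if (got != caplen) return WALK_TRUNCATED; /* "file has ended abruptly" */
        off += got;
        (*npkts)++;
    }
    return WALK_OK;
}

/* The hardened shape: reject the record before touching buf if caplen exceeds
 * the buffer, then reject it if the file does not actually hold caplen bytes. */
int walk_pcap_checked(const uint8_t *img, size_t imglen, unsigned *npkts)
{
    uint8_t buf[FRAME_BUF_SIZE];
    *npkts = 0;
    if (imglen < PCAP_FILE_HDR || le32(img) != PCAP_MAGIC) return WALK_BAD_MAGIC;
    for (size_t off = PCAP_FILE_HDR; off < imglen; ) {
        if (imglen - off < PCAP_REC_HDR) return WALK_TRUNCATED;
        uint32_t caplen = le32(img + off + 8);
        off += PCAP_REC_HDR;
        if (caplen > sizeof buf) return WALK_OVERSIZED;   /* the missing check */
        if (caplen > imglen - off) return WALK_TRUNCATED;
        memcpy(buf, img + off, caplen);
        off += caplen;
        (*npkts)++;
    }
    return WALK_OK;
}

typedef int (*walker_fn)(const uint8_t *, size_t, unsigned *);

/* Builds one scenario into a scratch image and runs the given walker over it. */
int run_walker(walker_fn walk, uint32_t claimed_caplen, size_t payload_bytes, unsigned *npkts)
{
    static uint8_t img[PCAP_FILE_HDR + PCAP_REC_HDR + 2 * FRAME_BUF_SIZE];
    if (payload_bytes > 2 * FRAME_BUF_SIZE) return -1;
    size_t len = make_pcap(img, claimed_caplen, payload_bytes);
    return walk(img, len, npkts);
}

int main(void)
{
    unsigned n;
    int u = run_walker(walk_pcap_unchecked, 60, 60, &n);
    int c = run_walker(walk_pcap_checked, 60, 60, &n);
    printf("benign 60-byte frame: unchecked=%d checked=%d packets=%u\n", u, c, n);
    /* The crash shape: caplen twice the buffer, with the bytes really present.
     * Only the checked walker is run on it; the unchecked one would overflow. */
    c = run_walker(walk_pcap_checked, 2 * FRAME_BUF_SIZE, 2 * FRAME_BUF_SIZE, &n);
    printf("oversized frame: checked=%d\n", c);
    c = run_walker(walk_pcap_checked, 500, 100, &n);
    printf("truncated frame: checked=%d\n", c);
    return 0;
}
```

Two points the checked version makes explicit: the bound has to come from the buffer, because the global header's snaplen is just another attacker-supplied field, and it has to run before the read, since a short read only reports a file that ended early, not one that carried more bytes than the buffer holds. main() exercises the crash-shaped image only with the checked walker; running the unchecked one on it is the overflow itself, which is what an ASan build reports.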
…pcapinfo #405 prevent buffer overrun on read
Fixed in #442 |
Hi.
I found a crash in tcpcapinfo.
Please confirm.
PoC : Download
Thanks.
OS: Ubuntu 16.04.2 32bit
To reproduce: ./tcpcapinfo poc
tcpcapinfo version: 4.2.6 (build git:v4.2.6-4-g54da347)
Copyright 2000-2010 by Aaron Turner
The entire Tcpreplay Suite is licensed under the GPLv3
valgrind Information:
ASan Information: