[Bug] tcpreplay-edit: heap-use-after-free in get_ipv6_next() at get.c:454 #578
Comments
Thanks for the detailed bug report. I am getting a different report, possibly due to the #584 fix.
Note that I added a
fklassen added a commit that referenced this issue (Jun 1, 2020): …_free Bug #578 get_ipv6_next use after free
Fixed in PR #587.
fklassen added a commit that referenced this issue (Jun 1, 2020): …ndomize_iparp Bug #578 guard HBO in randomize_xxx functions
fklassen added a commit that referenced this issue (Jun 2, 2020): …_checksum Bug #578 guard HBO in randomize_xxx functions
This was referenced Jun 2, 2020
Describe the bug
A heap-use-after-free bug was discovered in the tcpreplay-edit binary: the structure 'exthdr' points to a memory address that was released after use. The issue is triggered in the function get_ipv6_next() at common/get.c:454.
To Reproduce
Steps to reproduce the behavior:
./configure CFLAGS="-g -O0 -fsanitize=address"
tcpreplay-edit -r 80:84 -s 20 -b -C -m 1500 -P --oneatatime -i lo $poc
poc can be found here.
Expected behavior
An attacker can exploit this vulnerability by submitting a malicious pcap that exploits this issue. This will result in a Denial of Service (DoS), potentially Information Exposure and even Code Execution when the application attempts to process the file.
Screenshots
ASAN Reports
Debug
Possible cause of vulnerability
Firstly, the address 0x611000009c87 is malloced in pcap_findalldevs() at interface.c:100.
Then the target address is freed in the function pcap_freealldevs() at interface.c:196.
get_ipv6_next() lacks a check on exthdr + len, resulting in a reference to memory that has already been released.
System (please complete the following information):
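The bounds check the report says is missing, shown as an added example of a defensive extension-header walk that refuses to step past the end of the packet buffer (hypothetical code written for this note, not tcpreplay's get_ipv6_next(); the function names and the constructed sample packet are assumptions):

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* IPv6 Next Header values from the IANA registry */
enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_ROUTING = 43, NH_FRAGMENT = 44, NH_DSTOPTS = 60 };

/* Hypothetical bounds-checked walk over IPv6 extension headers (an added example,
 * not tcpreplay's get_ipv6_next()). Returns the upper-layer Next Header value, or
 * -1 when an extension header would run past pkt + pktlen: the "exthdr + len" check. */
int walk_ipv6_exthdrs(const uint8_t *pkt, size_t pktlen)
{
    if (pktlen < 40) return -1;                  /* fixed IPv6 header is 40 octets */
    const uint8_t *end = pkt + pktlen, *exthdr = pkt + 40;
    uint8_t nh = pkt[6];                          /* Next Header of the fixed header */
    size_t len;

    for (;;) {
        switch (nh) {
        case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS:
            if ((size_t)(end - exthdr) < 2) return -1;  /* need Next Header + Hdr Ext Len */
            len = ((size_t)exthdr[1] + 1) * 8;   /* Hdr Ext Len excludes the first 8 octets */
            break;
        case NH_FRAGMENT:
            len = 8;                              /* fragment header is fixed size */
            break;
        default:
            return nh;                            /* upper-layer header reached */
        }
        if (len > (size_t)(end - exthdr)) return -1;  /* exthdr + len must stay in the buffer */
        nh = exthdr[0];
        exthdr += len;
    }
}

/* Constructed sample: IPv6 header, one Hop-by-Hop header whose Hdr Ext Len field
 * is ext_len_field with hbh_bytes actually present, then a TCP Next Header. */
size_t build_pkt(uint8_t *buf, uint8_t ext_len_field, size_t hbh_bytes)
{
    memset(buf, 0, 40 + hbh_bytes);
    buf[0] = 0x60;                                /* version 6 */
    buf[6] = NH_HOPOPTS; buf[7] = 64;             /* Next Header, Hop Limit */
    buf[40] = NH_TCP; buf[41] = ext_len_field;    /* HBH Next Header, Hdr Ext Len */
    return 40 + hbh_bytes;
}

/* Ext Len 0 (8 octets, 8 present) walks through to TCP; Ext Len 3 claims 32 octets
 * with only 8 present and is rejected rather than read past the end of the packet. */
int demo_consistent(void) { uint8_t b[64]; return walk_ipv6_exthdrs(b, build_pkt(b, 0, 8)); }
int demo_truncated(void)  { uint8_t b[64]; return walk_ipv6_exthdrs(b, build_pkt(b, 3, 8)); }
```

Compiling with -fsanitize=address, as in the reproduction steps above, is a good way to confirm that the truncated case no longer touches memory outside the packet.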