A heap use-after-free exists in the tcpbridge binary of tcpreplay. It is triggered in the function post_args() in src/tcpbridge.c: the sendpacket handle is closed (freed) and the MAC address pointer obtained from that handle is then read.
Tested version:
4.3.0-beta1
Command:
tcpbridge --intf1=en7
Debugging
Source - tcpbridge.c:219
214 if ((eth_buff = sendpacket_get_hwaddr(sp)) == NULL) {
215 warnx("Unable to get MAC address: %s", sendpacket_geterr(sp));
216 err(-1, "Please consult the man page for using the -M option.");
217 }
218 sendpacket_close(sp); // Freed
219 memcpy(options.intf1_mac, eth_buff, ETHER_ADDR_LEN); // use-after-free - invalid read
220 }
gef> p sp
$1 = (sendpacket_t *) 0xb4203680
gef> ptype eth_buff
type = struct tcpr_ether_addr {
uint8_t ether_addr_octet[6];
} *
ASAN Report
==21234==ERROR: AddressSanitizer: heap-use-after-free on address 0xb4203b38 at pc 0x0804e6e3 bp 0xbffff1e8 sp 0xbffff1d8
READ of size 6 at 0xb4203b38 thread T0
#0 0x804e6e2 in post_args /home/loginsoft/ACE/tcpreplay/src/tcpbridge.c:219
#1 0x804d48a in main /home/loginsoft/ACE/tcpreplay/src/tcpbridge.c:72
#2 0xb7835636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#3 0x804a955 (/usr/local/bin/tcpbridge+0x804a955)
0xb4203b38 is located 1208 bytes inside of 1240-byte region [0xb4203680,0xb4203b58)
freed by thread T0 here:
#0 0xb7ad0a84 in free (/usr/lib/i386-linux-gnu/libasan.so.2+0x96a84)
#1 0x807b714 in _our_safe_free /home/loginsoft/ACE/tcpreplay/src/common/utils.c:118
#2 0x807f34e in sendpacket_close /home/loginsoft/ACE/tcpreplay/src/common/sendpacket.c:636
#3 0x804e677 in post_args /home/loginsoft/ACE/tcpreplay/src/tcpbridge.c:218
#4 0x804d48a in main /home/loginsoft/ACE/tcpreplay/src/tcpbridge.c:72
#5 0xb7835636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
previously allocated by thread T0 here:
#0 0xb7ad0dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
#1 0x807b4b0 in _our_safe_malloc /home/loginsoft/ACE/tcpreplay/src/common/utils.c:50
#2 0x807ff10 in sendpacket_open_pf /home/loginsoft/ACE/tcpreplay/src/common/sendpacket.c:956
#3 0x807e932 in sendpacket_open /home/loginsoft/ACE/tcpreplay/src/common/sendpacket.c:523
#4 0x804e4f3 in post_args /home/loginsoft/ACE/tcpreplay/src/tcpbridge.c:211
#5 0x804d48a in main /home/loginsoft/ACE/tcpreplay/src/tcpbridge.c:72
#6 0xb7835636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
SUMMARY: AddressSanitizer: heap-use-after-free /home/loginsoft/ACE/tcpreplay/src/tcpbridge.c:219 post_args
Shadow bytes around the buggy address:
0x36840710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x36840720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x36840730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x36840740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x36840750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x36840760: fd fd fd fd fd fd fd[fd]fd fd fd fa fa fa fa fa
0x36840770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36840780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36840790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x368407a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x368407b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==21234==ABORTING
No reproducer file required.
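As an added illustration of the lifetime bug in the report (this is not tcpreplay's code), the following model reproduces the shape of the problem and shows the fixed ordering: the ASan trace places eth_buff 1208 bytes inside the 1240-byte sendpacket_t region, so the pointer returned by sendpacket_get_hwaddr() aliases the handle itself and dies with it in sendpacket_close(). The struct layout, the open/get_hwaddr/close signatures and the probe MAC are assumptions made for this example; only the names and the "en7" interface come from the issue.

```c
/* Added example, not tcpreplay's code: a minimal model of the handle lifetime
 * behind the report. Names mirror the real API in shape only; the struct layout
 * and the open() signature are assumed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETHER_ADDR_LEN 6

struct tcpr_ether_addr {
    uint8_t ether_addr_octet[ETHER_ADDR_LEN];
};

/* Assumed layout: the MAC lives inside the heap-allocated handle, as the ASan
 * report implies (eth_buff is 1208 bytes into the 1240-byte region). */
typedef struct {
    char device[1200];             /* stand-in for the rest of the handle */
    struct tcpr_ether_addr ether;  /* handed out by reference below */
} sendpacket_t;

static sendpacket_t *sendpacket_open(const char *dev, const uint8_t mac[ETHER_ADDR_LEN]) {
    sendpacket_t *sp = calloc(1, sizeof *sp);
    if (sp == NULL) return NULL;
    strncpy(sp->device, dev, sizeof sp->device - 1);
    memcpy(sp->ether.ether_addr_octet, mac, ETHER_ADDR_LEN);
    return sp;
}

/* Returns a pointer INTO sp: its lifetime is tied to the handle. */
static struct tcpr_ether_addr *sendpacket_get_hwaddr(sendpacket_t *sp) {
    return &sp->ether;
}

static void sendpacket_close(sendpacket_t *sp) {
    free(sp);
}

/* Defender's check: does the returned pointer alias the handle's own storage?
 * If so it must not be read after sendpacket_close(). Both pointers refer to
 * the same live object, so the comparison is well-defined. */
bool hwaddr_aliases_handle(const sendpacket_t *sp, const struct tcpr_ether_addr *eth) {
    const char *lo = (const char *)sp;
    const char *hi = lo + sizeof *sp;
    const char *p  = (const char *)eth;
    return p >= lo && p < hi;
}

/* Fixed ordering for the post_args() snippet: copy the six bytes out while the
 * handle is alive, then close it. Returns 0 on success, -1 on failure. */
int post_args_fixed(const char *dev, const uint8_t probe_mac[ETHER_ADDR_LEN],
                    uint8_t out_mac[ETHER_ADDR_LEN]) {
    sendpacket_t *sp = sendpacket_open(dev, probe_mac);
    if (sp == NULL) return -1;

    struct tcpr_ether_addr *eth_buff = sendpacket_get_hwaddr(sp);
    if (eth_buff == NULL) {
        sendpacket_close(sp);
        return -1;
    }
    memcpy(out_mac, eth_buff, ETHER_ADDR_LEN);  /* copy first ... */
    sendpacket_close(sp);                        /* ... then free */
    eth_buff = NULL;                             /* nothing dangling remains reachable */
    return 0;
}

/* Runs the fixed path with a constructed, locally administered MAC and
 * returns 0 only if the copied address matches what the handle held. */
int demo_fixed_copy(void) {
    const uint8_t probe[ETHER_ADDR_LEN] = {0x02, 0x00, 0x5e, 0x10, 0x20, 0x30}; /* constructed */
    uint8_t out[ETHER_ADDR_LEN] = {0};
    if (post_args_fixed("en7", probe, out) != 0) return -1;
    return memcmp(out, probe, ETHER_ADDR_LEN) == 0 ? 0 : -2;
}

/* Returns 1 if the hwaddr pointer aliases the handle (closing it would dangle). */
int demo_alias_check(void) {
    const uint8_t probe[ETHER_ADDR_LEN] = {0x02, 0x00, 0x5e, 0x10, 0x20, 0x30}; /* constructed */
    sendpacket_t *sp = sendpacket_open("en7", probe);
    if (sp == NULL) return -1;
    int aliases = hwaddr_aliases_handle(sp, sendpacket_get_hwaddr(sp)) ? 1 : 0;
    sendpacket_close(sp);
    return aliases;
}

int main(void) {
    printf("fixed copy: %d, alias check: %d\n", demo_fixed_copy(), demo_alias_check());
    return 0;
}
```

The fix is purely an ordering change: every read through a pointer obtained from the handle has to complete before sendpacket_close() runs. Building with -fsanitize=address, as the report's author did, is the practical way to confirm that the reordered code no longer touches freed memory.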