[Bug] Reachable assertion in tcpedit_dlt_cleanup() at plugins/dlt_plugins.c

[Marsman1996]

Describe the bug
There is a reachable assertion in tcpedit_dlt_cleanup() when when the user uses tcprewrite to open a crafted pcap file in DLT_JUNIPER_ETHER mode.

To Reproduce
Steps to reproduce the behavior:

1. Get the Tcpreplay source code and compile it.

$ ./configure
$ make

2. Run Command $ ./tcprewrite --dlt="jnpr_eth" -i $POC -o /dev/null
   The POC file could be downloaded here:
   POC file

Expected behavior
Program reports assertion failure and is terminated.

The GDB report:

$ gdb --args ./bin_normal/bin/tcprewrite --dlt="jnpr_eth" -i ./poc-tcprewrite-bcb107a-tcpedit_dlt_cleanup-assertion -o /dev/null

(gdb) r
Starting program: /home/ubuntu178/cvelibf/test/tcpreplay/latest/bin_normal/bin/tcprewrite --dlt=jnpr_eth -i ./poc-tcprewrite-bcb107a-tcpedit_dlt_cleanup-assertion -o /dev/null
Warning: ./poc-tcprewrite-bcb107a-tcpedit_dlt_cleanup-assertion was captured using a snaplen of 96 bytes.  This may mean you have truncated packets.
tcprewrite: plugins/dlt_plugins.c:462: tcpedit_dlt_cleanup: Assertion `ctx' failed.

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7d6d859 in __GI_abort () at abort.c:79
#2  0x00007ffff7d6d729 in __assert_fail_base (fmt=0x7ffff7f03588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x555555572ae6 "ctx", file=0x555555572ad0 "plugins/dlt_plugins.c", line=462, 
    function=<optimized out>) at assert.c:92
#3  0x00007ffff7d7ef36 in __GI___assert_fail (assertion=0x555555572ae6 "ctx", file=0x555555572ad0 "plugins/dlt_plugins.c", line=462, function=0x555555572fb0 <__PRETTY_FUNCTION__.7740> "tcpedit_dlt_cleanup")
    at assert.c:101
#4  0x000055555556156d in tcpedit_dlt_cleanup (ctx=0x0) at plugins/dlt_plugins.c:462
#5  0x0000555555569aca in dlt_jnpr_ether_cleanup (ctx=0x555555580090) at plugins/dlt_jnpr_ether/jnpr_ether.c:171
#6  0x000055555556158c in tcpedit_dlt_cleanup (ctx=0x555555580090) at plugins/dlt_plugins.c:466
#7  0x000055555555a763 in tcpedit_close (tcpedit_ex=0x55555557db60 <tcpedit>) at tcpedit.c:599
#8  0x0000555555558f02 in main (argc=0, argv=0x7fffffffde38) at tcprewrite.c:154

System (please complete the following information):

• OS: Ubuntu
• OS version: 20.04, 64 bit
• Tcpreplay Version: master bcb107a

$ ./bin_normal/bin/tcprewrite -V
tcprewrite version: 4.4.3 (build git:v4.4.3)
Copyright 2013-2022 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
The entire Tcpreplay Suite is licensed under the GPLv3
Cache file supported: 04
Not compiled with libdnet.
Compiled against libpcap: 1.9.1
64 bit packet counters: enabled
Verbose printing via tcpdump: enabled
Fragroute engine: disabled

[Marsman1996]

This problem is because in dlt_jnpr_ether_cleanup(), the program does not check the subctx before calling the tcpedit_dlt_cleanup().

#781 could fix this.

[fklassen]

Thanks for the PR. Verified and targeted for v4.4.4

[fklassen]

Fixed in PR #780 and documented in PR #800.

[ArchanaWind]

Hi @Marsman1996
Is this bug is present tcpreplay-4.4.2 version as well ?

Thanks in advance

[Marsman1996]

Hi @Marsman1996 Is this bug is present tcpreplay-4.4.2 version as well ?

Thanks in advance

Hi @ArchanaWind

This bug is able to be triggered in tcpreplay-4.4.2.
I think it is reasonable since the check for config->subctx was not added.

Here is the test log:

❯ ./bin_normal/bin/tcprewrite --version
tcprewrite version: 4.4.2 (build git:v4.4.2)
Copyright 2013-2022 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
The entire Tcpreplay Suite is licensed under the GPLv3
Cache file supported: 04
Not compiled with libdnet.
Compiled against libpcap: 1.7.4
64 bit packet counters: enabled
Verbose printing via tcpdump: enabled
Fragroute engine: disabled

❯ gdb --args ./bin_normal/bin/tcprewrite --dlt="jnpr_eth" -i ./poc-tcprewrite-bcb107a-tcpedit_dlt_cleanup-assertion -o /dev/null

(gdb) r
Starting program: /opt/disk/marsman/tcpreplay/4.4.2/bin_normal/bin/tcprewrite --dlt=jnpr_eth -i ./poc-tcprewrite-bcb107a-tcpedit_dlt_cleanup-assertion -o /dev/null
Warning: ./poc-tcprewrite-bcb107a-tcpedit_dlt_cleanup-assertion was captured using a snaplen of 96 bytes.  This may mean you have truncated packets.
tcprewrite: ../../../code/src/tcpedit/plugins/dlt_plugins.c:462: tcpedit_dlt_cleanup: Assertion `ctx' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7801438 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7801438 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff780303a in __GI_abort () at abort.c:89
#2  0x00007ffff77f9be7 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x423ffa "ctx", file=file@entry=0x424410 "../../../code/src/tcpedit/plugins/dlt_plugins.c", line=line@entry=462, 
    function=function@entry=0x4246f0 <__PRETTY_FUNCTION__.7825> "tcpedit_dlt_cleanup") at assert.c:92
#3  0x00007ffff77f9c92 in __GI___assert_fail (assertion=assertion@entry=0x423ffa "ctx", file=file@entry=0x424410 "../../../code/src/tcpedit/plugins/dlt_plugins.c", line=line@entry=462, 
    function=function@entry=0x4246f0 <__PRETTY_FUNCTION__.7825> "tcpedit_dlt_cleanup") at assert.c:101
#4  0x00000000004091d3 in tcpedit_dlt_cleanup (ctx=<optimized out>) at ../../../code/src/tcpedit/plugins/dlt_plugins.c:462
#5  0x000000000040ecf2 in dlt_jnpr_ether_cleanup (ctx=0x637e60) at ../../../code/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c:171
#6  0x0000000000409136 in tcpedit_dlt_cleanup (ctx=0x637e60) at ../../../code/src/tcpedit/plugins/dlt_plugins.c:466
#7  0x00000000004044f3 in tcpedit_close (tcpedit_ex=tcpedit_ex@entry=0x635620 <tcpedit>) at ../../../code/src/tcpedit/tcpedit.c:599
#8  0x0000000000402a32 in main (argc=<optimized out>, argv=<optimized out>) at ../../code/src/tcprewrite.c:154