Describe the bug
A double-free vulnerability exists within the tcprewrite utility of the tcpreplay suite. When handling specific packet capture files, tcprewrite may attempt to free the same memory location twice, leading to potential code execution, denial of service, or memory corruption scenarios.
The issue occurs in the tcpedit_dlt_cleanup function in dlt_plugins.c and can be triggered under certain conditions, as evidenced by the provided crash file and stack trace, which point to a problem when cleaning up resources.
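Illustration of the pattern being reported (added here; this is not tcpreplay's code, and the plugin context, the cached alias pointer and the two cleanup functions are hypothetical): a teardown routine that reaches one heap block through two references and frees it twice, next to an idempotent teardown that clears every pointer it frees. A small free tracker stands in for AddressSanitizer so the buggy variant can run without actually corrupting the heap.

```c
/*
 * Added illustration (not tcpreplay's code): the double-free pattern that
 * AddressSanitizer reports from a cleanup routine, and an idempotent
 * cleanup that cannot free the same block twice.
 *
 * The "plugin" context below is hypothetical: it models a decoder context
 * whose per-plugin state is referenced from two places (the plugin's own
 * slot and a cached "current" pointer), which is the usual way a teardown
 * path ends up freeing one allocation twice.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PLUGINS 4

struct plugin {
    char *state;          /* per-plugin state, heap allocated */
};

struct ctx {
    struct plugin plugins[MAX_PLUGINS];
    char *current_state;  /* alias of one plugin's state (hypothetical) */
    int nplugins;
};

/* Minimal free tracker: records every pointer passed to tracked_free() and
 * counts attempts to free one that was already released.  ASan does the
 * same with a quarantine; here it only keeps the program from crashing. */
static void *freed_ptrs[64];
static int nfreed;
static int double_free_attempts;

static void tracker_reset(void) { nfreed = 0; double_free_attempts = 0; }

static void tracked_free(void *p)
{
    if (p == NULL)
        return;
    for (int i = 0; i < nfreed; i++) {
        if (freed_ptrs[i] == p) {
            double_free_attempts++;   /* would be UB with the real free() */
            return;
        }
    }
    if (nfreed < 64)
        freed_ptrs[nfreed++] = p;
    free(p);
}

static void ctx_init(struct ctx *c, int n)
{
    memset(c, 0, sizeof(*c));
    c->nplugins = n;
    for (int i = 0; i < n; i++) {
        c->plugins[i].state = malloc(20);   /* 20-byte region, as in the report */
        if (c->plugins[i].state == NULL)
            abort();
        snprintf(c->plugins[i].state, 20, "plugin-%d", i);
    }
    c->current_state = c->plugins[0].state;   /* alias, not a copy */
}

/* Buggy teardown: frees every plugin's state, then frees the cached alias,
 * which points at plugins[0].state and was already released. */
static void cleanup_buggy(struct ctx *c)
{
    for (int i = 0; i < c->nplugins; i++)
        tracked_free(c->plugins[i].state);
    tracked_free(c->current_state);
}

/* Hardened teardown: every freed pointer is cleared, the alias is dropped
 * rather than freed, and calling it a second time is harmless. */
static void cleanup_safe(struct ctx *c)
{
    for (int i = 0; i < c->nplugins; i++) {
        if (c->plugins[i].state != NULL) {
            if (c->current_state == c->plugins[i].state)
                c->current_state = NULL;
            tracked_free(c->plugins[i].state);
            c->plugins[i].state = NULL;
        }
    }
    c->current_state = NULL;
    c->nplugins = 0;
}

/* Run one teardown variant `repeat` times on a fresh two-plugin context and
 * return how many double frees it attempted. */
static int count_double_frees(void (*cleanup)(struct ctx *), int repeat)
{
    struct ctx c;
    tracker_reset();
    ctx_init(&c, 2);
    for (int r = 0; r < repeat; r++)
        cleanup(&c);
    return double_free_attempts;
}

int main(void)
{
    printf("buggy cleanup, run once:  %d double free(s)\n", count_double_frees(cleanup_buggy, 1));
    printf("safe cleanup, run twice:  %d double free(s)\n", count_double_frees(cleanup_safe, 2));
    return 0;
}
```

The fix pattern is the usual one for a cleanup routine reachable from more than one path: free through exactly one owning reference, set that reference to NULL immediately, and treat any non-owning alias as something to drop rather than free, so a second call to the cleanup is a no-op instead of a second free.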
To Reproduce
Steps to reproduce the behavior:
- export CC=clang && export CFLAGS="-fsanitize=address -g"
- ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
- tcprewrite -o /dev/null -i POC.pcap
Screenshots
Warning: ./id:000000,sig:06,sync:master_write,src:000138 was captured using a snaplen of 9999 bytes. This may mean you have truncated packets.
=================================================================
==1515869==ERROR: AddressSanitizer: attempting double-free on 0x503000000280 in thread T0:
#0 0x55ddaa37b476 in free (/usr/local/bin/tcprewrite+0xdf476)
#1 0x55ddaa3d0b51 in tcpedit_dlt_cleanup /home/shf/固件代码/tcpreplay/src/tcpedit/plugins/dlt_plugins.c:466:9
#2 0x55ddaa3be500 in tcpedit_close /home/shf/固件代码/tcpreplay/src/tcpedit/tcpedit.c:555:9
#3 0x55ddaa3ba07c in main /home/shf/固件代码/tcpreplay/src/tcprewrite.c:146:5
#4 0x7f395fe22082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
#5 0x55ddaa2e065d in _start (/usr/local/bin/tcprewrite+0x4465d)
0x503000000280 is located 0 bytes inside of 20-byte region [0x503000000280,0x503000000294)
freed by thread T0 here:
#0 0x55ddaa37b476 in free (/usr/local/bin/tcprewrite+0xdf476)
#1 0x55ddaa3d0b51 in tcpedit_dlt_cleanup /home/shf/固件代码/tcpreplay/src/tcpedit/plugins/dlt_plugins.c:466:9
previously allocated by thread T0 here:
#0 0x55ddaa37b71e in malloc (/usr/local/bin/tcprewrite+0xdf71e)
#1 0x55ddaa3f33f6 in our_safe_malloc /home/shf/固件代码/tcpreplay/src/common/utils.c:42:16
SUMMARY: AddressSanitizer: double-free (/usr/local/bin/tcprewrite+0xdf476) in free
==1515869==ABORTING
System (please complete the following information):
- OS: Ubuntu
- OS version: 20.04.1
- Tcpreplay version: 4.4.4