[Bug] TCPREWRITE IPv4 Checksums Use-After-Free Vulnerability in fix_ipv4_checksums Function #970

@err2zero

Description

Summary

A critical use-after-free vulnerability exists in the tcprewrite utility from the tcpreplay package. The vulnerability occurs in the fix_ipv4_checksums function within edit_packet.c at line 69, triggered when processing packet data after memory reallocation. This specific vulnerability affects IPv4 packet checksum calculation and leads to heap use-after-free memory access, causing program termination with SIGABRT.

Technical Details

  • Vulnerability Type: Heap Use-After-Free
  • Affected Function: fix_ipv4_checksums
  • Source File: edit_packet.c
  • Line Number: 69:17
  • Signal: SIGABRT (06)

Vulnerability Mechanism and Root Cause

This use-after-free vulnerability is specific to IPv4 checksum calculation during packet editing operations. The vulnerability occurs when the fix_ipv4_checksums function attempts to access packet memory that has been reallocated by the untrunc_packet function, but the function continues to use the original, now-freed memory pointer.

The vulnerability sequence occurs as follows:

  1. The tcpedit_packet function initiates packet editing at tcpedit.c:339
  2. During packet processing, untrunc_packet is called at edit_packet.c:562, which uses realloc to resize the packet buffer
  3. The realloc operation moves the packet data to a new memory location and frees the original buffer
  4. The fix_ipv4_checksums function at edit_packet.c:69:17 continues to use the old pointer to access IPv4 header data
  5. This results in a READ operation on freed memory, triggering AddressSanitizer detection
  6. The program terminates with heap use-after-free error

This vulnerability specifically affects IPv4 packet processing where checksum recalculation is required during packet modification operations.
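The sequence above is the classic realloc stale-pointer pattern: a resize step moves the buffer, and a later step keeps using the address it held before the resize. The following C program is an added illustration, not code from tcpreplay; the function names pad_packet, fix_ipv4_checksum and edit_packet are hypothetical stand-ins for the untrunc/checksum steps, and the 20-byte IPv4 header is a constructed sample (its correct header checksum is 0xb861). It shows the safe ordering: the resize step writes the new address back through a double pointer, and the checksum step is handed that refreshed pointer, so no pre-resize copy survives to be dereferenced.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample: a 20-byte IPv4 header (no options) with the checksum
 * field (bytes 10-11) zeroed. Its correct header checksum is 0xb861. */
static const uint8_t SAMPLE_IPV4_HDR[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00,
    0x40, 0x11, 0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01,
    0xc0, 0xa8, 0x00, 0xc7
};

/* RFC 1071 one's-complement checksum over a byte range. */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((data[i] << 8) | data[i + 1]);
    if (len & 1)
        sum += (uint32_t)data[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Hypothetical "untrunc" step: grow the packet to target_len with zero
 * padding. realloc may move the block, so the new address is written back
 * through pkt; any pointer copied before this call is stale afterwards. */
int pad_packet(uint8_t **pkt, size_t *len, size_t target_len)
{
    if (*len >= target_len)
        return 0;
    uint8_t *grown = realloc(*pkt, target_len);
    if (grown == NULL)
        return -1;
    memset(grown + *len, 0, target_len - *len);
    *pkt = grown;          /* caller's pointer refreshed */
    *len = target_len;
    return 0;
}

/* Hypothetical checksum fixer: recompute the IPv4 header checksum in place.
 * Returns the checksum written, or -1 if the buffer is not a usable header. */
int fix_ipv4_checksum(uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return -1;
    pkt[10] = pkt[11] = 0;                 /* field is zero while summing */
    uint16_t csum = inet_checksum(pkt, ihl);
    pkt[10] = (uint8_t)(csum >> 8);
    pkt[11] = (uint8_t)(csum & 0xff);
    return csum;
}

/* Edit pipeline in the safe order: pad first, then operate on *pkt (the
 * refreshed pointer). Passing a copy of the pre-pad pointer to
 * fix_ipv4_checksum instead would read freed memory whenever realloc moved. */
int edit_packet(uint8_t **pkt, size_t *len, size_t target_len)
{
    if (pad_packet(pkt, len, target_len) != 0)
        return -1;
    return fix_ipv4_checksum(*pkt, *len);
}

/* Runs the pipeline on the sample: returns 1 if padding to 60 bytes and
 * rewriting the checksum yields a header that verifies (sum over the header
 * including the checksum field folds to 0). */
int demo_pad_then_checksum(void)
{
    size_t len = sizeof SAMPLE_IPV4_HDR;
    uint8_t *pkt = malloc(len);
    if (pkt == NULL)
        return 0;
    memcpy(pkt, SAMPLE_IPV4_HDR, len);
    int csum = edit_packet(&pkt, &len, 60);
    int ok = (csum == 0xb861) && (len == 60) && (inet_checksum(pkt, 20) == 0);
    free(pkt);
    return ok;
}

int main(void)
{
    printf("sample header checksum: 0x%04x\n", inet_checksum(SAMPLE_IPV4_HDR, 20));
    printf("pad-then-checksum verifies: %d\n", demo_pad_then_checksum());
    return 0;
}
```

Building with -fsanitize=address and deliberately handing fix_ipv4_checksum a pointer saved before pad_packet is the quickest way to reproduce the report shape shown below (READ in the checksum function, freed by realloc in the padding step); the double-pointer discipline in edit_packet is the fix pattern to look for when reviewing the real code path.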

AddressSanitizer Report

=================================================================
==398647==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fb30afb080e at pc 0x558304353d9f bp 0x7ffda9e877d0 sp 0x7ffda9e877c8
READ of size 1 at 0x7fb30afb080e thread T0
    #0 0x558304353d9e in fix_ipv4_checksums /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/edit_packet.c:69:17
    #1 0x558304353d9e in tcpedit_packet /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/tcpedit.c:339:22
    #2 0x5583043478d5 in rewrite_packets /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:296:22
    #3 0x5583043461ce in main /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:137:9
    #4 0x7fb30b9c3d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7fb30b9c3e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #6 0x55830426b9e4 in _start (/workspace/benchmark/fuzzdir/fz-tcpreplay/fz-tcprewrite/tcprewrite+0x859e4) (BuildId: 557d83638ad04334)

0x7fb30afb080e is located 14 bytes inside of 262166-byte region [0x7fb30afb0800,0x7fb30aff0816)
freed by thread T0 here:
    #0 0x558304305c35 in realloc (/workspace/benchmark/fuzzdir/fz-tcpreplay/fz-tcprewrite/tcprewrite+0x11fc35) (BuildId: 557d83638ad04334)
    #1 0x55830434d579 in our_safe_realloc /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/utils.c:66:16
    #2 0x55830434d579 in untrunc_packet /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/edit_packet.c:562:22
    #3 0x55830434d579 in tcpedit_packet /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/tcpedit.c:262:23
    #4 0x5583043478d5 in rewrite_packets /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:296:22
    #5 0x5583043461ce in main /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:137:9
    #6 0x7fb30b9c3d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x55830430580e in malloc (/workspace/benchmark/fuzzdir/fz-tcpreplay/fz-tcprewrite/tcprewrite+0x11f80e) (BuildId: 557d83638ad04334)
    #1 0x55830434754f in our_safe_malloc /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/utils.c:42:16
    #2 0x55830434754f in rewrite_packets /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:259:34
    #3 0x5583043461ce in main /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:137:9
    #4 0x7fb30b9c3d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/edit_packet.c:69:17 in fix_ipv4_checksums
==398647==ABORTING
Aborted (core dumped)

Proof of Concept

The vulnerability can be triggered by processing the malformed packet capture file provided as POC_tcprewrite_ipv4_checksums_use_after_free_69. This file contains specific packet structures that trigger the IPv4 checksum recalculation path after memory reallocation, leading to the use-after-free condition.

POC File: POC_tcprewrite_ipv4_checksums_use_after_free_69

Reproduction Steps

  1. Compile tcprewrite with AddressSanitizer enabled
  2. Execute: tcprewrite --fixlen pad -i POC_tcprewrite_ipv4_checksums_use_after_free_69 -o /dev/null
  3. The program will crash with a heap use-after-free error in the IPv4 checksum function

Affected Versions

tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay)

Credit

  • Shuhao Li (Zhongguancun Laboratory)
  • Xudong Cao (UCAS)
  • Yuqing Zhang (UCAS, Zhongguancun Laboratory)
