
[Bug] tcprewrite SEGV plugins/dlt_jnpr_ether/jnpr_ether.c:167 in dlt_jnpr_ether_cleanup #812

Open
CCyb3rN1nj4 opened this issue Jul 2, 2023 · 3 comments · May be fixed by #851

Comments

@CCyb3rN1nj4

Describe the bug

tcprewrite SEGV plugins/dlt_jnpr_ether/jnpr_ether.c:167 in function dlt_jnpr_ether_cleanup.

To Reproduce

Steps to reproduce the behavior:
1. Get the Tcpreplay source code and compile it.

git clone https://github.com/appneta/tcpreplay.git

export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address -fPIE"

./configure --disable-shared 
make -j8
cd bin

2. Run the command:
POC: https://github.com/GGb0ndQAQ/POC/blob/main/tcpreplay/tcprewrite/poc2

./tcprewrite --dlt=enet --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66 --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66   -i ./poc2 -o /dev/null
Warning: ./poc2 was captured using a snaplen of 50 bytes.  This may mean you have truncated packets.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==913564==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5615797eef4e bp 0x7fffec90ba30 sp 0x7fffec90ba10 T0)
==913564==The signal is caused by a READ memory access.
==913564==Hint: address points to the zero page.
    #0 0x5615797eef4e in dlt_jnpr_ether_cleanup plugins/dlt_jnpr_ether/jnpr_ether.c:167
    #1 0x5615797ddd51 in tcpedit_dlt_cleanup plugins/dlt_plugins.c:450
    #2 0x5615797cdee6 in tcpedit_close /home/lzy/CarpetFuzz/oss/tcpreplay/src/tcpedit/tcpedit.c:555
    #3 0x5615797c9dcc in main /home/lzy/CarpetFuzz/oss/tcpreplay/src/tcprewrite.c:146
    #4 0x7f37d6438564 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28564)
    #5 0x5615797c722d in _start (/home/lzy/CarpetFuzz/oss/tcpreplay/build-g/bin/tcprewrite+0x1d22d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV plugins/dlt_jnpr_ether/jnpr_ether.c:167 in dlt_jnpr_ether_cleanup
==913564==ABORTING

gdb info

$ gdb --args ./tcprewrite --dlt=enet --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66 --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66   -i ./poc2 -o /dev/null

gef➤  r
    162      if (plugin->config != NULL) {
    163          /* clean up the en10mb plugin */
    164          jnpr_ether_config_t *config;
    165  
    166          config = (jnpr_ether_config_t *)ctx->encoder->config;
                 // config=0x00007fffffffe068  →  0x0000000000000000
 →  167          if (config->subctx != NULL)
    168              tcpedit_dlt_cleanup(config->subctx);
    169          safe_free(plugin->config);
    170          plugin->config = NULL;
    171          plugin->config_size = 0;
    172      }
──────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "tcprewrite", stopped 0x555555598f4e in dlt_jnpr_ether_cleanup (), reason: SIGSEGV
───────────────────────────────────────────────────────────────────── trace ────
[#0] 0x555555598f4e → dlt_jnpr_ether_cleanup(ctx=0x60b0000000f0)
[#1] 0x555555587d52 → tcpedit_dlt_cleanup(ctx=0x60b0000000f0)
[#2] 0x555555577ee7 → tcpedit_close(tcpedit_ex=0x55555560d920 <tcpedit>)
[#3] 0x555555573dcd → main(argc=0x0, argv=0x7fffffffe238)
────────────────────────────────────────────────────────────────────────────────
gef➤  bt
#0  0x0000555555598f4e in dlt_jnpr_ether_cleanup (ctx=0x60b0000000f0) at plugins/dlt_jnpr_ether/jnpr_ether.c:167
#1  0x0000555555587d52 in tcpedit_dlt_cleanup (ctx=0x60b0000000f0) at plugins/dlt_plugins.c:450
#2  0x0000555555577ee7 in tcpedit_close (tcpedit_ex=0x55555560d920 <tcpedit>) at tcpedit.c:555
#3  0x0000555555573dcd in main (argc=0x0, argv=0x7fffffffe238) at tcprewrite.c:146
gef➤  print config->subctx
Cannot access memory at address 0x0

Environment

OS: Ubuntu 20.04.5 LTS
Compiler: gcc version 9.4.0
Tcpreplay Version: master commit 43693c4a92dda227a5134ae5e71a7247ae345323

IMPACT

Potentially causing DoS or Arbitrary Read

@Aloof77

Aloof77 commented Jul 3, 2023

./install/bin/tcprewrite --dlt=enet --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66 --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66 -i ./poc2 -o /dev/null

Fatal Error: Unable to open input pcap file: unknown file format

@Marsman1996
Contributor

Marsman1996 commented Jul 11, 2023

The URL is directed to poc1 (https://github.com/GGb0ndQAQ/POC/blob/main/tcpreplay/tcprewrite/poc1), not poc2 (https://github.com/GGb0ndQAQ/POC/blob/main/tcpreplay/tcprewrite/poc2).

A possible fix is to check config before checking config->subctx.
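The gdb listing above shows the shape of the bug: the guard at line 162 tests `plugin->config`, but the pointer dereferenced at line 167 is `ctx->encoder->config`, which belongs to whichever plugin `--dlt` selected and in this run is NULL. The following C program is an added example (my own, not tcpreplay's code) that models that state with reduced structs and applies the check Marsman1996 suggests. The struct layouts, the `dlt_cleanup_model` helper and the `cleanup_count` field are assumptions; only `config`, `config_size`, `subctx` and `encoder` are names taken from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Reduced model of the tcpedit structures touched at jnpr_ether.c:162-172.
 * ASSUMPTION: field set is hypothetical; only config, config_size, subctx
 * and encoder correspond to names visible in the report. */
typedef struct tcpeditdlt_ctx_s tcpeditdlt_ctx_t;

typedef struct {
    tcpeditdlt_ctx_t *subctx;      /* nested DLT context for the inner frame */
} jnpr_ether_config_t;

typedef struct {
    void *config;                  /* plugin-private state, NULL if never set up */
    size_t config_size;
} tcpeditdlt_plugin_t;

struct tcpeditdlt_ctx_s {
    tcpeditdlt_plugin_t *encoder;  /* plugin chosen by --dlt (en10mb in the report) */
    int cleanup_count;             /* lets a caller observe nested cleanup */
};

/* Stand-in for tcpedit_dlt_cleanup() on the nested context (hypothetical helper). */
static void dlt_cleanup_model(tcpeditdlt_ctx_t *sub)
{
    sub->cleanup_count++;
}

/* Returns 1 exactly when the reported guard (plugin->config != NULL) passes
 * while the pointer the code then dereferences (ctx->encoder->config) is NULL,
 * i.e. the state gef showed (config -> 0x0) just before the SEGV at line 167. */
static int buggy_guard_would_null_deref(const tcpeditdlt_ctx_t *ctx,
                                        const tcpeditdlt_plugin_t *plugin)
{
    return plugin->config != NULL && ctx->encoder->config == NULL;
}

/* Cleanup with the check Marsman1996 proposes: test config before touching
 * config->subctx. plugin->config is still released so nothing leaks when the
 * encoder carries no config. Returns 1 if a nested context was cleaned up. */
static int jnpr_ether_cleanup_fixed(tcpeditdlt_ctx_t *ctx, tcpeditdlt_plugin_t *plugin)
{
    int cleaned_sub = 0;

    if (plugin->config != NULL) {
        jnpr_ether_config_t *config = (jnpr_ether_config_t *)ctx->encoder->config;

        if (config != NULL && config->subctx != NULL) {
            dlt_cleanup_model(config->subctx);
            cleaned_sub = 1;
        }
        free(plugin->config);
        plugin->config = NULL;
        plugin->config_size = 0;
    }
    return cleaned_sub;
}

/* Constructed state matching the report: the jnpr_ether plugin owns a config
 * block, the active encoder (selected with --dlt=enet) owns none. */
static void build_report_state(tcpeditdlt_ctx_t *ctx, tcpeditdlt_plugin_t *encoder,
                               tcpeditdlt_plugin_t *jnpr)
{
    jnpr->config = calloc(1, sizeof(jnpr_ether_config_t));
    jnpr->config_size = sizeof(jnpr_ether_config_t);
    encoder->config = NULL;
    encoder->config_size = 0;
    ctx->encoder = encoder;
    ctx->cleanup_count = 0;
}

/* Exercises the crashing state and the normal state; returns 0 on success. */
int run_demo(void)
{
    tcpeditdlt_ctx_t ctx, sub = { NULL, 0 };
    tcpeditdlt_plugin_t encoder, jnpr;

    /* 1. State from the issue: old guard passes, dereference would hit NULL. */
    build_report_state(&ctx, &encoder, &jnpr);
    if (!buggy_guard_would_null_deref(&ctx, &jnpr)) return 1;
    if (jnpr_ether_cleanup_fixed(&ctx, &jnpr) != 0) return 2;  /* nothing nested */
    if (jnpr.config != NULL) return 3;                         /* still released */

    /* 2. Normal state: encoder is the jnpr plugin itself and owns a subctx. */
    jnpr.config = calloc(1, sizeof(jnpr_ether_config_t));
    if (jnpr.config == NULL) return 7;
    jnpr.config_size = sizeof(jnpr_ether_config_t);
    ((jnpr_ether_config_t *)jnpr.config)->subctx = &sub;
    ctx.encoder = &jnpr;
    if (buggy_guard_would_null_deref(&ctx, &jnpr)) return 4;
    if (jnpr_ether_cleanup_fixed(&ctx, &jnpr) != 1) return 5;
    if (sub.cleanup_count != 1) return 6;
    return 0;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The NULL check alone is what the thread proposes and is enough to stop the read from the zero page; a reviewer would also ask why the guard and the dereference look at two different plugins' `config` pointers, since that mismatch is what lets the guard pass in the first place.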

@CCyb3rN1nj4
Author

CCyb3rN1nj4 commented Jul 11, 2023

./install/bin/tcprewrite --dlt=enet --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66 --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66 -i ./poc2 -o /dev/null

Fatal Error: Unable to open input pcap file: unknown file format

I updated the correct POC: https://github.com/GGb0ndQAQ/POC/blob/main/tcpreplay/tcprewrite/poc_dlt_jnpr_ether_cleanup

Sorry, I made a mistake with the poc. I apologize for wasting your time.
