[Bug] tcprewrite SEGV plugins/dlt_jnpr_ether/jnpr_ether.c:167 in dlt_jnpr_ether_cleanup #812
Comments
|
./install/bin/tcprewrite --dlt=enet --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66 --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66 -i ./poc2 -o /dev/null Fatal Error: Unable to open input pcap file: unknown file format |
|
The URL is directed to poc1 (https://github.com/GGb0ndQAQ/POC/blob/main/tcpreplay/tcprewrite/poc1), not poc2 (https://github.com/GGb0ndQAQ/POC/blob/main/tcpreplay/tcprewrite/poc2). A possible fix is to check |
I update the correct poc:https://github.com/GGb0ndQAQ/POC/blob/main/tcpreplay/tcprewrite/poc_dlt_jnpr_ether_cleanup Sorry, I made a mistake with the poc. I apologize for wasting your time. |
|
Thanks for fixing this for me. Fixed in PR #851 |
Describe the bug
tcprewriteSEGV plugins/dlt_jnpr_ether/jnpr_ether.c:167 in functiondlt_jnpr_ether_cleanup.To Reproduce
Steps to reproduce the behavior:
1.Get the Tcpreplay source code and compile it.
2.Run Command:
POC:https://github.com/GGb0ndQAQ/POC/blob/main/tcpreplay/tcprewrite/poc2
./tcprewrite --dlt=enet --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66 --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66 -i ./poc2 -o /dev/null Warning: ./poc2 was captured using a snaplen of 50 bytes. This may mean you have truncated packets. AddressSanitizer:DEADLYSIGNAL ================================================================= ==913564==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5615797eef4e bp 0x7fffec90ba30 sp 0x7fffec90ba10 T0) ==913564==The signal is caused by a READ memory access. ==913564==Hint: address points to the zero page. #0 0x5615797eef4e in dlt_jnpr_ether_cleanup plugins/dlt_jnpr_ether/jnpr_ether.c:167 #1 0x5615797ddd51 in tcpedit_dlt_cleanup plugins/dlt_plugins.c:450 #2 0x5615797cdee6 in tcpedit_close /home/lzy/CarpetFuzz/oss/tcpreplay/src/tcpedit/tcpedit.c:555 #3 0x5615797c9dcc in main /home/lzy/CarpetFuzz/oss/tcpreplay/src/tcprewrite.c:146 #4 0x7f37d6438564 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28564) #5 0x5615797c722d in _start (/home/lzy/CarpetFuzz/oss/tcpreplay/build-g/bin/tcprewrite+0x1d22d) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV plugins/dlt_jnpr_ether/jnpr_ether.c:167 in dlt_jnpr_ether_cleanup ==913564==ABORTINGgdbinfo
$ gdb --args ./tcprewrite --dlt=enet --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66 --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66 -i ./poc2 -o /dev/null gef➤ r 162 if (plugin->config != NULL) { 163 /* clean up the en10mb plugin */ 164 jnpr_ether_config_t *config; 165 166 config = (jnpr_ether_config_t *)ctx->encoder->config; // config=0x00007fffffffe068 → 0x0000000000000000 → 167 if (config->subctx != NULL) 168 tcpedit_dlt_cleanup(config->subctx); 169 safe_free(plugin->config); 170 plugin->config = NULL; 171 plugin->config_size = 0; 172 } ──────────────────────────────────────────────────────────────── threads ──── [#0] Id 1, Name: "tcprewrite", stopped 0x555555598f4e in dlt_jnpr_ether_cleanup (), reason: SIGSEGV ───────────────────────────────────────────────────────────────────── trace ──── [#0] 0x555555598f4e → dlt_jnpr_ether_cleanup(ctx=0x60b0000000f0) [#1] 0x555555587d52 → tcpedit_dlt_cleanup(ctx=0x60b0000000f0) [#2] 0x555555577ee7 → tcpedit_close(tcpedit_ex=0x55555560d920 <tcpedit>) [#3] 0x555555573dcd → main(argc=0x0, argv=0x7fffffffe238) ──────────────────────────────────────────────────────────────────────────────── gef➤ bt #0 0x0000555555598f4e in dlt_jnpr_ether_cleanup (ctx=0x60b0000000f0) at plugins/dlt_jnpr_ether/jnpr_ether.c:167 #1 0x0000555555587d52 in tcpedit_dlt_cleanup (ctx=0x60b0000000f0) at plugins/dlt_plugins.c:450 #2 0x0000555555577ee7 in tcpedit_close (tcpedit_ex=0x55555560d920 <tcpedit>) at tcpedit.c:555 #3 0x0000555555573dcd in main (argc=0x0, argv=0x7fffffffe238) at tcprewrite.c:146 gef➤ print config->subctx Cannot access memory at address 0x0Environment
OS: Ubuntu
20.04.5 LTSCompiler:
gcc version 9.4.0Tcpreplay Version: master commit
43693c4a92dda227a5134ae5e71a7247ae345323IMPACT
Potentially causing DoS or Arbitrary Read
The text was updated successfully, but these errors were encountered: