[Bug] Double-free in tcpreplay's tcprewrite utility #850
Attachment: POC.pcap
GabrielGanne added a commit to GabrielGanne/tcpreplay that referenced this issue (May 19, 2024):
Assume a single tcpedit struct and return the previously allocated context. This fixes an issue with the Juniper Encapsulated Ethernet DLT plugin, which has an exception in the way the plugin works with regard to the extra buffer in question: tcpreplay works with the assumption that there only ever is a single link layer plugin, which is mostly true except here: Juniper has a special call to tcpedit_dlt_copy_decoder_state() which causes the ctx and subctx to share a reference to the decoded_extra buffer, and a double free. Fixes: appneta#813 appneta#850
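The commit message above describes the failure pattern: a main context and a sub-context end up holding the same decoded_extra pointer, and each cleanup frees it. The following is an added, hypothetical C model of that ownership problem, not tcpreplay's code; it uses made-up names (dlt_ctx_t, ctx_copy_decoder_state, ctx_cleanup) and shows an ownership-flag mitigation, which differs from the single-context approach the referenced commit takes.

```c
#include <stdlib.h>

/* Hypothetical model of the ctx/subctx relationship from the commit message
 * above; not tcpreplay's own code. One "decoded_extra" buffer is allocated
 * by the main context and then aliased by a copied decoder state. */
typedef struct {
    unsigned char *decoded_extra;
    int owns_extra;   /* 1 only for the context that must free the buffer */
} dlt_ctx_t;

static int free_count;  /* instrumentation: free() calls on the shared buffer */

/* Allocate a context that owns a fresh extra buffer. */
static int ctx_init(dlt_ctx_t *ctx, size_t len) {
    ctx->decoded_extra = calloc(1, len);
    ctx->owns_extra = (ctx->decoded_extra != NULL);
    return ctx->decoded_extra ? 0 : -1;
}

/* The buggy pattern copies the pointer and nothing else, so both cleanups
 * later free it. The copy is marked here as a non-owning alias instead. */
static void ctx_copy_decoder_state(dlt_ctx_t *dst, const dlt_ctx_t *src) {
    dst->decoded_extra = src->decoded_extra;
    dst->owns_extra = 0;
}

/* Free only through the owner and null the pointer afterwards, so cleaning
 * up ctx and subctx in either order releases the buffer exactly once. */
static void ctx_cleanup(dlt_ctx_t *ctx) {
    if (ctx->owns_extra && ctx->decoded_extra) {
        free(ctx->decoded_extra);
        free_count++;
    }
    ctx->decoded_extra = NULL;
    ctx->owns_extra = 0;
}

/* Scenario from the report: one ctx, one subctx sharing its buffer, both
 * cleaned up (ctx twice, to show idempotence). Returns the free() count. */
static int run_shared_cleanup_scenario(void) {
    dlt_ctx_t ctx, subctx;
    free_count = 0;
    if (ctx_init(&ctx, 64) != 0) return -1;
    ctx_copy_decoder_state(&subctx, &ctx);
    ctx_cleanup(&subctx);
    ctx_cleanup(&ctx);
    ctx_cleanup(&ctx);
    return free_count;
}
```

Running the scenario under AddressSanitizer (-fsanitize=address) is the quickest way to confirm that a cleanup path like this never frees the aliased buffer twice.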
Looks like this is the same issue as in #813
Closing as duplicate of #813
Describe the bug
A double-free vulnerability exists within the tcprewrite utility of the tcpreplay suite. When handling specific packet capture files, tcprewrite may attempt to free the same memory location twice, leading to potential code execution, denial of service, or memory corruption scenarios.
The issue occurs in the tcpedit_dlt_cleanup function, as part of the dlt_plugins.c code, and can be triggered under certain conditions, as evidenced by the provided crash file and stack trace pointing to a problem when cleaning up resources.