Headline
CVE-2022-37048: [Bug] heap-overflow in get.c:344 · Issue #735 · appneta/tcpreplay
The component tcprewrite in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in get_l2len_protocol at common/get.c:344. NOTE: this is different from CVE-2022-27941.
Describe the bug
There is a heap-overflow bug in get_ipv6_next. Different from #716 (where the crash point is line 322, ntohs(eth_hdr->ether_type);), this bug is triggered at line 344 (pktdata[l2_net_off] >> 4).
To Reproduce
Steps to reproduce the behavior:
- export CC=clang && export CFLAGS="-fsanitize=address -g"
- ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
- tcpprep --auto=bridge --pcap=POC --cachefile=/dev/null
Expected behavior
The program does not crash.
System (please complete the following information):
- OS: Debian
- OS version: buster
- Tcpreplay Version: 09f0774
Additional context
POC
poc.zip
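The crash site named in the report reads the IP version nibble at pktdata[l2_net_off] after skipping the link-layer header, and the related #716 crash reads ether_type from the same frame; both fail when the captured packet is shorter than the offset being read. The following is an added illustration of that pattern and of the length checks that prevent it. It is not tcpreplay's code: the function names classify_frame and ip_version_unchecked, the return codes, and the sample frames are all constructed here for the example, and the frames are not the contents of poc.zip.

```c
/* Added example, not tcpreplay's code. Shows the unchecked read described
 * in the report next to a bounds-checked version of the same logic. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETH_HLEN      14      /* dst MAC (6) + src MAC (6) + ethertype (2) */
#define ETHERTYPE_IP  0x0800
#define ETHERTYPE_IP6 0x86DD

/* Constructed sample frames: a 14-byte Ethernet header followed by the
 * first byte of an IPv4 (0x45) or IPv6 (0x60) header. */
const uint8_t SAMPLE_IPV4_FRAME[ETH_HLEN + 1] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* dst MAC */
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,   /* src MAC */
    0x08, 0x00,                           /* ethertype IPv4 */
    0x45 };                               /* version 4, IHL 5 */
const uint8_t SAMPLE_IPV6_FRAME[ETH_HLEN + 1] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,
    0x86, 0xdd,                           /* ethertype IPv6 */
    0x60 };                               /* version 6 */

/* The pattern the report describes: the version nibble is read at the
 * L3 offset with no check that the capture extends that far. With a
 * frame whose caplen equals l2len this is a one-byte heap over-read. */
int ip_version_unchecked(const uint8_t *pktdata, uint32_t l2len)
{
    return pktdata[l2len] >> 4;
}

/* Hardened variant (hypothetical name). Returns 0 on success,
 * -1 if the capture is too short for the Ethernet header (the #716 case),
 * -2 if it is too short for the byte holding the IP version (this case),
 * -3 if the ethertype and the version nibble disagree. */
int classify_frame(const uint8_t *pktdata, uint32_t caplen,
                   uint16_t *ethertype, int *ipver)
{
    if (caplen < ETH_HLEN)
        return -1;
    /* assemble the big-endian ethertype byte-wise; no unaligned struct access */
    *ethertype = (uint16_t)((pktdata[12] << 8) | pktdata[13]);

    uint32_t l2_net_off = ETH_HLEN;          /* where the L3 header begins */
    if (caplen < l2_net_off + 1u)             /* need at least one L3 byte */
        return -2;
    *ipver = pktdata[l2_net_off] >> 4;

    if ((*ethertype == ETHERTYPE_IP  && *ipver != 4) ||
        (*ethertype == ETHERTYPE_IP6 && *ipver != 6))
        return -3;
    return 0;
}

int main(void)
{
    uint16_t et = 0;
    int v = 0;

    int rc = classify_frame(SAMPLE_IPV4_FRAME, sizeof SAMPLE_IPV4_FRAME, &et, &v);
    printf("full frame: rc=%d ethertype=0x%04x ipver=%d\n", rc, et, v);

    /* A heap buffer of exactly ETH_HLEN bytes models the truncated packet:
     * the checked path rejects it, whereas ip_version_unchecked(trunc, ETH_HLEN)
     * on the same buffer is the over-read that ASan reports as
     * heap-buffer-overflow. The unchecked call is deliberately not made here. */
    uint8_t *trunc = malloc(ETH_HLEN);
    if (trunc == NULL)
        return 1;
    memcpy(trunc, SAMPLE_IPV4_FRAME, ETH_HLEN);
    rc = classify_frame(trunc, ETH_HLEN, &et, &v);
    printf("truncated frame: rc=%d\n", rc);
    free(trunc);
    return 0;
}
```

Build with the same flags as the reproduction steps (CC=clang, CFLAGS="-fsanitize=address -g") and the difference between the two functions is exactly what the sanitizer trace in the report shows: the unchecked read on a 14-byte allocation is flagged, the checked one returns -2 and never touches the byte.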
Related news
Gentoo Linux Security Advisory 202210-8 - Multiple vulnerabilities have been discovered in Tcpreplay, the worst of which could result in denial of service. Versions less than 4.4.2 are affected.