Headline
CVE-2023-27788: [Bug] Reachable assertion in ports2PORT() at portmap.c:69 · Issue #786 · appneta/tcpreplay
An issue found in TCPrewrite v.4.4.3 allows a remote attacker to cause a denial of service via the ports2PORT function at the portmap.c:69 endpoint.
Describe the bug
There is a reachable assertion in ports2PORT() when the user passes empty portmap string to tcprewrite with option --portmap.
To Reproduce
Steps to reproduce the behavior:
Get the Tcpreplay source code and compile it.
Run Command $ ./tcprewrite --portmap="" -i ./test.pcap -o /dev/null
The file test.pcap is from tcpreplay codebase, which is located in test/test.pcap.
Expected behavior
Program reports assertion failure and is terminated.
The GDB report:
$ gdb --args ./bin_normal/bin/tcprewrite --portmap="" -i ./code/test/test.pcap -o /dev/null
(gdb) r
Starting program: /home/ubuntu178/cvelibf/test/tcpreplay/latest/bin_normal/bin/tcprewrite --portmap= -i ./code/test/test.pcap -o /dev/null
tcprewrite: portmap.c:69: ports2PORT: Assertion `ports' failed.
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7d6d859 in __GI_abort () at abort.c:79
#2 0x00007ffff7d6d729 in __assert_fail_base (fmt=0x7ffff7f03588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55555557242a "ports", file=0x555555572420 "portmap.c", line=69, function=<optimized out>)
at assert.c:92
#3 0x00007ffff7d7ef36 in __GI___assert_fail (assertion=0x55555557242a "ports", file=0x555555572420 "portmap.c", line=69, function=0x5555555725c0 <__PRETTY_FUNCTION__.6999> "ports2PORT") at assert.c:101
#4 0x000055555555e28d in ports2PORT (ports=0x0) at portmap.c:69
#5 0x000055555555e83a in parse_portmap (portmap=0x555555580848, ourstr=0x55555557e2a0 "") at portmap.c:197
#6 0x000055555555b2e3 in tcpedit_post_args (tcpedit=0x55555557ffc0) at parse_args.c:191
#7 0x0000555555558c23 in main (argc=0, argv=0x7fffffffc2f8) at tcprewrite.c:89
System (please complete the following information):
OS: Ubuntu
OS version: 20.04, 64 bit
Tcpreplay Version: master bcb107a
$ ./bin_normal/bin/tcprewrite -V tcprewrite version: 4.4.3 (build git:v4.4.3) Copyright 2013-2022 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net> The entire Tcpreplay Suite is licensed under the GPLv3 Cache file supported: 04 Not compiled with libdnet. Compiled against libpcap: 1.9.1 64 bit packet counters: enabled Verbose printing via tcpdump: enabled Fragroute engine: disabled