CVE-2016-6160: Seg Fault on illegal frame size > 65535 · Issue #251 · appneta/tcpreplay
tcprewrite in tcpreplay before 4.1.2 allows remote attackers to cause a denial of service (segmentation fault) via a large frame, a related issue to CVE-2017-14266.
Note that this may already be fixed. Verification required.
Package: tcpreplay
Version: 3.4.4-2
Severity: important
Tags: patch
Dear Maintainer,
as previously discussed in other places: The tcprewrite program
(src:tcpreplay) has a compile-time limit of the maximum frame size of
65535 it can handle. However, incoming frames are not checked against
that limit, and such frames do happen in the wild when capturing on the
With an MTU size of 65536 on the capturing host - default since kernel
3.6-ish and Debian jessie -, and an ethernet header added, a frame size
of 65549 exceeds that limit, sometimes resulting in a segmentation
fault. Reproducer available upon request.
As far as I can see this still exists in the not-yet packaged
tcpreplay-4.1.1.
The patch attached raises the limit and also adds a size check.
Additionally, I've prepared debdiffs for wheezy and jessie to address
this in a point release.
If you want more about that package, you know where to find me.
Christoph
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.4.13 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
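
A pre-flight check for the condition the report describes, as an added example (not code from tcpreplay or from the attached patch): it walks a classic pcap image in memory and counts records whose captured length exceeds the 65535-byte limit. The function names and the in-memory sample are constructed for illustration; the layout assumed is the classic pcap format with a 24-byte global header and 16-byte record headers.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_FRAME 65535u /* compile-time frame limit named in the report */

/* Read a 32-bit field; be != 0 means the capture file is big-endian. */
static uint32_t rd32(const uint8_t *p, int be) {
    return be ? ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3])
              : ((uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0]);
}

static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Count records whose captured length exceeds limit; -1 on bad magic or truncation. */
long count_oversized(const uint8_t *buf, size_t len, uint32_t limit) {
    if (len < 24) return -1;               /* 24-byte global header */
    uint32_t m = rd32(buf, 1);             /* magic, read as stored on disk */
    int be = (m == 0xa1b2c3d4u || m == 0xa1b23c4du);
    if (!be && m != 0xd4c3b2a1u && m != 0x4d3cb2a1u) return -1;
    size_t off = 24;
    long hits = 0;
    while (off < len) {
        if (len - off < 16) return -1;     /* 16-byte record header */
        uint32_t caplen = rd32(buf + off + 8, be);
        off += 16;
        if (caplen > len - off) return -1; /* record claims more than the file holds */
        if (caplen > limit) hits++;        /* would not fit a MAX_FRAME-sized buffer */
        off += caplen;
    }
    return hits;
}

/* Constructed sample: a 60-byte frame and a 65549-byte frame (size from the report). */
long demo_constructed_capture(void) {
    static uint8_t img[24 + 16 + 60 + 16 + 65549];
    const uint32_t sizes[2] = {60u, 65549u};
    size_t off = 24;
    wr32le(img, 0xa1b2c3d4u);              /* little-endian, microsecond magic */
    for (int i = 0; i < 2; i++) {
        wr32le(img + off + 8, sizes[i]);   /* incl_len (captured length) */
        wr32le(img + off + 12, sizes[i]);  /* orig_len */
        off += 16 + sizes[i];
    }
    return count_oversized(img, sizeof img, MAX_FRAME);
}

int main(void) { return demo_constructed_capture() == 1 ? 0 : 1; }
```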