CVE-2023-27787: [Bug] NULL Pointer Dereference in parse_list() at list.c:81 · Issue #788 · appneta/tcpreplay

An issue found in TCPprep v.4.4.3 allows a remote attacker to cause a denial of service via the parse_list function at the list.c:81 endpoint.


Describe the bug
There is a NULL pointer dereference in parse_list() when the user passes an include string of a specific size (i.e., 2) to tcpprep with the --include option.

To Reproduce
Steps to reproduce the behavior:

  1. Get the Tcpreplay source code and compile it.

  2. Run the command: $ ./tcpprep --include="P "

Expected behavior
Program crashes with Segmentation fault.

$ gdb --args ./bin_normal/bin/tcpprep --include="P "

(gdb) r
Starting program: /home/ubuntu178/cvelibf/test/tcpreplay/latest/bin_normal/bin/tcpprep --include=P\ 

Program received signal SIGSEGV, Segmentation fault.
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
65      ../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory.
(gdb) bt
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
#1  0x00007ffff7e4982b in __GI___regexec (preg=0x7fffffffd650, string=0x0, nmatch=0, pmatch=0x0, eflags=0) at regexec.c:210
#2  0x000055555555ed19 in parse_list (listdata=0x55555556db38, ourstr=0x55555558dbf2 "") at list.c:81
#3  0x00005555555614a7 in parse_xX_str (xX=0x55555556db30, str=0x55555558dbf2 "", bpf=0x55555556db50) at xX.c:84
#4  0x00005555555581fc in doOptInclude (pOptions=0x55555556bc00 <tcpprepOptions>, pOptDesc=0x55555556b3c8 <optDesc+936>) at tcpprep_opts.c:1411
#5  0x00007ffff7f4011e in ?? () from /lib/x86_64-linux-gnu/libopts.so.25
#6  0x00007ffff7f48964 in ?? () from /lib/x86_64-linux-gnu/libopts.so.25
#7  0x00007ffff7f4b7c8 in optionProcess () from /lib/x86_64-linux-gnu/libopts.so.25
#8  0x000055555555899c in main (argc=2, argv=0x7fffffffde88) at tcpprep.c:89

System (please complete the following information):

  • OS: Ubuntu

  • OS version: 20.04, 64 bit

  • Tcpreplay Version: master bcb107a

    $ ./bin_normal/bin/tcprewrite -V
    tcprewrite version: 4.4.3 (build git:v4.4.3)
    Copyright 2013-2022 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
    Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
    The entire Tcpreplay Suite is licensed under the GPLv3
    Cache file supported: 04
    Not compiled with libdnet.
    Compiled against libpcap: 1.9.1
    64 bit packet counters: enabled
    Verbose printing via tcpdump: enabled
    Fragroute engine: disabled
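
The backtrace above shows regexec() receiving string=0x0 while ourstr is an empty string. The C function below is an added example, not code from Tcpreplay or from the issue: it validates a comma-separated list and rejects the case where the tokenizer yields no token before the regex is ever consulted. The name list_is_valid, the number/range grammar, and the assumption that the NULL comes from tokenizing an empty string are all illustrative.

```c
#include <regex.h>
#include <stddef.h>
#include <string.h>

/* Validate a comma-separated list of numbers or ranges ("1,3-5").
 * Returns 1 if every item matches, 0 otherwise (including empty input).
 * Function name and grammar are assumptions made for this example. */
int list_is_valid(const char *input)
{
    regex_t preg;
    char buf[256];
    char *tok;
    int ok = 1;

    if (input == NULL || strlen(input) >= sizeof(buf))
        return 0;
    strcpy(buf, input);                /* strtok() modifies its argument */

    if (regcomp(&preg, "^[0-9]+(-[0-9]+)?$", REG_EXTENDED | REG_NOSUB) != 0)
        return 0;

    /* strtok() returns NULL for "" and for a string made only of
     * delimiters. Handing that NULL to regexec() is undefined behaviour
     * (the strlen() fault in the backtrace), so reject it first. */
    tok = strtok(buf, ",");
    if (tok == NULL)
        ok = 0;

    while (ok && tok != NULL) {
        if (regexec(&preg, tok, 0, NULL, 0) != 0)
            ok = 0;                    /* malformed item, stop checking */
        tok = strtok(NULL, ",");
    }

    regfree(&preg);
    return ok;
}

int main(void)
{
    /* Constructed inputs: "" mirrors the empty ourstr in the backtrace. */
    return (list_is_valid("1,3-5") && !list_is_valid("")) ? 0 : 1;
}
```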
