Headline
CVE-2021-45386: [Bug] Two reachable assertions in add_tree_ipv4() and add_tree_ipv6() · Issue #687 · appneta/tcpreplay
tcpreplay 4.3.4 has a Reachable Assertion in add_tree_ipv6() at tree.c
Describe the bug
There are two reachable assertions in add_tree_ipv4() (tree.c:538) and add_tree_ipv6() (tree.c:561) when the user uses tcpprep to open a crafted pcap file.
To Reproduce
Steps to reproduce the behavior:
- get the tcpreplay source code (master 0ca82e3) and build it
- run the cmd: $ tcpprep --auto=bridge --pcap=$POC --cachefile=/dev/null
The poc file could be downloaded in here:
POC_add_tree_ipv4
POC_add_tree_ipv6
Expected behavior
Program reports assertion failure and is terminated.
Screenshots
GDB report of POC_add_tree_ipv4
Breakpoint 1, add_tree_ipv4 (ip=327679, data=<optimized out>, len=<optimized out>) at ../../code/src/tree.c:538
538 assert(ip == newnode->u.ip);
(gdb) p ip
$6 = 327679
(gdb) p newnode->u.ip
$7 = 0
(gdb) n
tcpprep: ../../code/src/tree.c:538: add_tree_ipv4: Assertion `ip == newnode->u.ip' failed.
Program received signal SIGABRT, Aborted.
0x00007ffff7801438 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7801438 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff780303a in __GI_abort () at abort.c:89
#2 0x00007ffff77f9be7 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x41a3ba "ip == newnode->u.ip", file=file@entry=0x41a3a4 "../../code/src/tree.c",
line=line@entry=538, function=function@entry=0x41a720 <__PRETTY_FUNCTION__.7785> "add_tree_ipv4") at assert.c:92
#3 0x00007ffff77f9c92 in __GI___assert_fail (assertion=assertion@entry=0x41a3ba "ip == newnode->u.ip", file=file@entry=0x41a3a4 "../../code/src/tree.c", line=line@entry=538,
function=function@entry=0x41a720 <__PRETTY_FUNCTION__.7785> "add_tree_ipv4") at assert.c:101
#4 0x00000000004052db in add_tree_ipv4 (ip=327679, data=<optimized out>, len=<optimized out>) at ../../code/src/tree.c:538
#5 0x0000000000402f64 in process_raw_packets (pcap=0x648c10) at ../../code/src/tcpprep.c:463
#6 main (argc=<optimized out>, argv=<optimized out>) at ../../code/src/tcpprep.c:144
GDB report of POC_add_tree_ipv6
tcpprep: ../../code/src/tree.c:561: add_tree_ipv6: Assertion `ipv6_cmp(addr, &newnode->u.ip6) == 0' failed.
Program received signal SIGABRT, Aborted.
0x00007ffff7801438 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7801438 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff780303a in __GI_abort () at abort.c:89
#2 0x00007ffff77f9be7 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x41a630 "ipv6_cmp(addr, &newnode->u.ip6) == 0", file=file@entry=0x41a3a4 "../../code/src/tree.c",
line=line@entry=561, function=function@entry=0x41a6f0 <__PRETTY_FUNCTION__.7792> "add_tree_ipv6") at assert.c:92
#3 0x00007ffff77f9c92 in __GI___assert_fail (assertion=assertion@entry=0x41a630 "ipv6_cmp(addr, &newnode->u.ip6) == 0", file=file@entry=0x41a3a4 "../../code/src/tree.c", line=line@entry=561,
function=function@entry=0x41a6f0 <__PRETTY_FUNCTION__.7792> "add_tree_ipv6") at assert.c:101
#4 0x0000000000405359 in add_tree_ipv6 (addr=0x7ffff7f81018, data=<optimized out>, len=<optimized out>) at ../../code/src/tree.c:561
#5 0x00000000004031fb in process_raw_packets (pcap=0x648c10) at ../../code/src/tcpprep.c:465
#6 main (argc=<optimized out>, argv=<optimized out>) at ../../code/src/tcpprep.c:144
System (please complete the following information):
- OS: Ubuntu
- OS version: 16.04
- Tcpreplay Version: 4.3.4 (master 0ca82e3)
Related news
Gentoo Linux Security Advisory 202210-08
Gentoo Linux Security Advisory 202210-8 - Multiple vulnerabilities have been discovered in Tcpreplay, the worst of which could result in denial of service. Versions less than 4.4.2 are affected.