CVE-2023-27784: [Bug] NULL Pointer Dereference in read_hexstring() at utils.c:309 · Issue #787 · appneta/tcpreplay

An issue found in TCPReplay v.4.4.3 allows a remote attacker to cause a denial of service via the read_hexstring function at the utils.c:309 endpoint.

Describe the bug
There is a NULL Pointer Dereference in read_hexstring() when the user passes an empty user dlink string to tcprewrite with the option --user-dlink and the program processes a pcap file whose data link type is DLT_USER0.

To Reproduce
Steps to reproduce the behavior:

  1. Get the Tcpreplay source code and compile it.

  2. Run the command:
    $ ./tcprewrite --user-dlink="" -i $POC -o /dev/null
    The POC file can be downloaded here: POC file

Expected behavior
Program crashes with Segmentation fault.

The GDB report is:

$ gdb --args ./bin_normal/bin/tcprewrite --user-dlink="" -i ./poc-tcprewrite-bcb107a-read_hexstring-SEGV -o /dev/null

(gdb) r
Starting program: /home/ubuntu178/cvelibf/test/tcpreplay/latest/bin_normal/bin/tcprewrite --user-dlink= -i ./poc-tcprewrite-bcb107a-read_hexstring-SEGV -o /dev/null

Program received signal SIGSEGV, Segmentation fault.
__rawmemchr_avx2 () at ../sysdeps/x86_64/multiarch/memchr-avx2.S:65
65      ../sysdeps/x86_64/multiarch/memchr-avx2.S: No such file or directory.
(gdb) bt
#0  __rawmemchr_avx2 () at ../sysdeps/x86_64/multiarch/memchr-avx2.S:65
#1  0x00007ffff7dddf36 in _IO_str_init_static_internal (sf=sf@entry=0x7fffffffbe30, ptr=ptr@entry=0x0, size=size@entry=0, pstart=pstart@entry=0x0) at strops.c:41
#2  0x00007ffff7dad4c3 in _IO_strfile_read (string=0x0, sf=0x7fffffffbe30) at ../libio/strfile.h:95
#3  __GI___isoc99_sscanf (s=0x0, format=0x555555576598 "%x") at isoc99_sscanf.c:28
#4  0x000055555556e7cf in read_hexstring (l2string=0x55555557e2a0 "", hex=0x555555581367 "", hexlen=255) at utils.c:309
#5  0x00005555555656ae in dlt_user_parse_opts (ctx=0x555555580890) at plugins/dlt_user/user.c:194
#6  0x000055555556169c in tcpedit_dlt_parse_opts (ctx=0x555555580890) at plugins/dlt_utils.c:39
#7  0x0000555555560ca5 in tcpedit_dlt_post_args (tcpedit=0x55555557ffe0) at plugins/dlt_plugins.c:210
#8  0x000055555555b575 in tcpedit_post_args (tcpedit=0x55555557ffe0) at parse_args.c:252
#9  0x0000555555558c23 in main (argc=0, argv=0x7fffffffc2e8) at tcprewrite.c:89

System (please complete the following information):

  • OS: Ubuntu

  • OS version: 20.04, 64 bit

  • Tcpreplay Version: master bcb107a

    $ ./bin_normal/bin/tcprewrite -V
    tcprewrite version: 4.4.3 (build git:v4.4.3)
    Copyright 2013-2022 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
    Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
    The entire Tcpreplay Suite is licensed under the GPLv3
    Cache file supported: 04
    Not compiled with libdnet.
    Compiled against libpcap: 1.9.1
    64 bit packet counters: enabled
    Verbose printing via tcpdump: enabled
    Fragroute engine: disabled
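
A defensive version of the parsing step, as an added example that is not tcpreplay's code or its fix: the backtrace shows read_hexstring() receiving "" while sscanf() receives s=0x0, which is what results when an empty string is tokenised and the token is used unchecked. The name parse_hex_bytes and the use of strtok_r are assumptions, since the page does not show utils.c.

```c
#define _POSIX_C_SOURCE 200809L   /* strdup, strtok_r */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not tcpreplay code): parse comma-separated hex bytes
 * such as "0a,ff,10" into out[]. Returns the byte count, or -1 when the
 * input is empty, malformed, or does not fit in outlen bytes. */
int parse_hex_bytes(const char *input, unsigned char *out, size_t outlen)
{
    if (input == NULL || out == NULL || outlen == 0)
        return -1;

    char *copy = strdup(input);          /* strtok_r modifies its argument */
    if (copy == NULL)
        return -1;

    int count = 0;
    char *save = NULL;
    /* For "" or ",," there is no token and strtok_r returns NULL. Assumption:
     * an unchecked NULL like this is what reaches sscanf() in frame #3. */
    char *tok = strtok_r(copy, ",", &save);
    if (tok == NULL)
        count = -1;

    for (; tok != NULL; tok = strtok_r(NULL, ",", &save)) {
        char *end;
        unsigned long v = strtoul(tok, &end, 16);
        /* Reject non-hex text, values above one byte, and overflow of out[]. */
        if (!isxdigit((unsigned char)tok[0]) || *end != '\0' ||
            v > 0xff || (size_t)count >= outlen) {
            count = -1;
            break;
        }
        out[count++] = (unsigned char)v;
    }
    free(copy);
    return count;
}

int main(void)
{
    const char *samples[] = { "", ",,", "0a,ff,10", "zz" };  /* constructed inputs */
    unsigned char buf[255];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> %d\n", samples[i], parse_hex_bytes(samples[i], buf, sizeof buf));
    return 0;
}
```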
