CVE-2022-25484: [Bug] Reachable assertion in packet2tree() · Issue #715 · appneta/tcpreplay

tcpprep v4.4.1 has a reachable assertion (assert(l2len > 0)) in packet2tree() at tree.c.

Describe the bug
The assertion assert(l2len > 0); in packet2tree() at tree.c is reachable when the user uses tcpprep to open a crafted pcap file.
The variable l2len is assigned in get_l2len_protocol() at get.c.

    res = get_l2len_protocol(data,
                             pkt_len,
                             datalink,
                             &ether_type,
                             &l2len,
                             &l2offset,
                             &vlan_offset);

    if (res == -1)
        goto len_error;

    node = new_tree();

    assert(l2len > 0);

However, when the datalink is DLT_RAW or DLT_JUNIPER_ETHER, l2len is assigned with 0, and the assertion is triggered.

    *l2len = 0;
    *l2offset = 0;
    *vlan_offset = 0;

    switch (datalink) {
    case DLT_RAW:
        if (datalen == 0)
            return -1;

        if ((pktdata[0] >> 4) == 4)
            *protocol = ETHERTYPE_IP;
        else if ((pktdata[0] >> 4) == 6)
            *protocol = ETHERTYPE_IP6;
        break;
    case DLT_JUNIPER_ETHER:

To Reproduce
Steps to reproduce the behavior:

  1. Get the Tcpreplay source code (master 09f0774) and compile it.
  2. Run command: $ tcpprep --auto=bridge --pcap=$POC --cachefile=/dev/null
    The POC file could be downloaded here:
    POC_file

Expected behavior
Program reports assertion failure and is terminated.

Screenshots
The GDB report:

Breakpoint 6, packet2tree (data=0x7ffff7ef8010 "@", len=33, datalink=12) at ../../code/src/tree.c:733
733         res = get_l2len_protocol(data,
(gdb) p datalink 
$8 = 12
(gdb) n
741         if (res == -1)
(gdb) 
744         node = new_tree();
(gdb) 

Breakpoint 1, packet2tree (data=0x7ffff7ef8010 "@", len=33, datalink=<optimized out>) at ../../code/src/tree.c:746
746         assert(l2len > 0);
(gdb) p l2len 
$9 = 0
(gdb) c
Continuing.
tcpprep: ../../code/src/tree.c:746: tcpr_tree_t *packet2tree(const u_char *, const int, int): Assertion `l2len > 0' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7194438 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

System (please complete the following information):

  • OS: Ubuntu
  • OS version: 16.04, 64 bit
  • Tcpreplay Version: 4.4.1 (master 09f0774)
