CVE-2023-36192: heap-buffer-overflow on capture.c:923:9 · Issue #438 · irontec/sngrep

Sngrep v1.6.0 was discovered to contain a heap buffer overflow via the function capture_ws_check_packet at /src/capture.c.


Hello, Sngrep developers! We recently ran some fuzz testing on sngrep 1.6.0 and encountered a heap-buffer-overflow bug. The ASAN report is provided below.

==909699==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200001137a at pc 0x00000049b787 bp 0x7fa0664f97f0 sp 0x7fa0664f8fb8
READ of size 4 at 0x60200001137a thread T1
#0 0x49b786 in __asan_memcpy (/home/root/sp/Fuzz/aflpp_fuzz/Sngrep/sngrep/sngrep_1/sngrep+0x49b786)
#1 0x4d5def in capture_ws_check_packet /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:923:9
#2 0x4d177f in parse_packet /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:444:9
#3 0x7fa068139466 (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x23466)
#4 0x7fa068127f67 in pcap_loop (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x11f67)
#5 0x4cf5c9 in capture_thread /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:1042:5
#6 0x7fa0680f9608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
#7 0x7fa067ea4132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/…/sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x60200001137a is located 6 bytes to the right of 4-byte region [0x602000011370,0x602000011374)
allocated by thread T1 here:
#0 0x49c3cd in __interceptor_malloc (/home/root/sp/Fuzz/aflpp_fuzz/Sngrep/sngrep/sngrep_1/sngrep+0x49c3cd)
#1 0x4dc743 in packet_set_payload /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/packet.c:145:27
#2 0x4d4bd5 in capture_packet_reasm_tcp /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:788:9
#3 0x4d1722 in parse_packet /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:433:21
#4 0x7fa068139466 (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x23466)

Thread T1 created by T0 here:
#0 0x486a8c in pthread_create (/home/root/sp/Fuzz/aflpp_fuzz/Sngrep/sngrep/sngrep_1/sngrep+0x486a8c)
#1 0x4d712c in capture_launch_thread /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:1027:13
#2 0x4efb9e in main /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/main.c:433:9
#3 0x7fa067da9082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/…/csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/root/sp/Fuzz/aflpp_fuzz/Sngrep/sngrep/sngrep_1/sngrep+0x49b786) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c047fffa210: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
0x0c047fffa220: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
0x0c047fffa230: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
0x0c047fffa240: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
0x0c047fffa250: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
=>0x0c047fffa260: fa fa 00 00 fa fa 00 fa fa fa fd fa fa fa 04[fa]
0x0c047fffa270: fa fa fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa2a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa2b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==909699==ABORTING

Command to reproduce the bug:

./sngrep -N -I $crash_seed
The URL of crash_seed is crash_seed

Environment

  • OS: Ubuntu 20.04
  • gcc 9.4.0
  • ndisasm: 1.6.0

Many Thanks.
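As an added illustration, not sngrep's code and not the fix the project shipped: the ASan report above shows a 4-byte memcpy in capture_ws_check_packet reading past a 4-byte payload allocation. The defensive pattern for that class of bug is to check the remaining buffer length before every header read, so a truncated or malformed capture is rejected instead of over-read. The C below is a bounds-checked RFC 6455 WebSocket frame header parser written for this entry; the function names (ws_parse_header, ws_frame_complete, ws_copy_body, ws_body_equals), the struct, and the sample frames are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical parsed-header struct; not sngrep's types. */
typedef struct {
    bool     fin;
    bool     masked;
    uint8_t  opcode;
    uint64_t payload_len;   /* length the frame header declares */
    size_t   header_len;    /* bytes the header itself occupies */
    uint8_t  mask[4];
} ws_header_t;

/* Returns true only if `buf` holds the complete header it declares.
 * Every read is preceded by a check against `len`, so a capture shorter
 * than its own header (the situation ASan flags above) fails cleanly. */
bool ws_parse_header(const uint8_t *buf, size_t len, ws_header_t *out)
{
    if (buf == NULL || out == NULL || len < 2) return false;   /* opcode + length byte */
    out->fin    = (buf[0] & 0x80) != 0;
    out->opcode = buf[0] & 0x0f;
    out->masked = (buf[1] & 0x80) != 0;
    uint8_t len7 = buf[1] & 0x7f;
    size_t pos = 2;
    if (len7 < 126) {
        out->payload_len = len7;
    } else if (len7 == 126) {
        if (len - pos < 2) return false;                       /* 16-bit extended length */
        out->payload_len = ((uint64_t)buf[2] << 8) | buf[3];
        pos += 2;
    } else {
        if (len - pos < 8) return false;                       /* 64-bit extended length */
        uint64_t v = 0;
        for (int i = 0; i < 8; i++) v = (v << 8) | buf[pos + i];
        if (v & 0x8000000000000000ULL) return false;           /* RFC 6455: MSB must be 0 */
        out->payload_len = v;
        pos += 8;
    }
    if (out->masked) {
        if (len - pos < 4) return false;                       /* masking key */
        memcpy(out->mask, buf + pos, 4);                       /* bounded by the check above */
        pos += 4;
    } else {
        memset(out->mask, 0, 4);
    }
    out->header_len = pos;
    return true;
}

/* True when the buffer contains the whole frame, header and body. */
bool ws_frame_complete(const uint8_t *buf, size_t len)
{
    ws_header_t h;
    if (!ws_parse_header(buf, len, &h)) return false;
    return (uint64_t)(len - h.header_len) >= h.payload_len;
}

/* Unmasks the body into `out`; returns body length, or 0 if the frame is
 * truncated or would not fit in `outcap` bytes. */
size_t ws_copy_body(const uint8_t *buf, size_t len, uint8_t *out, size_t outcap)
{
    ws_header_t h;
    if (!ws_parse_header(buf, len, &h)) return 0;
    if ((uint64_t)(len - h.header_len) < h.payload_len) return 0;
    if (h.payload_len > outcap) return 0;
    for (size_t i = 0; i < h.payload_len; i++)
        out[i] = buf[h.header_len + i] ^ (h.masked ? h.mask[i % 4] : 0);
    return (size_t)h.payload_len;
}

/* Test helper: does the frame decode to exactly `expected`? */
bool ws_body_equals(const uint8_t *buf, size_t len, const char *expected)
{
    uint8_t body[64];
    size_t n = ws_copy_body(buf, len, body, sizeof body);
    return n > 0 && n == strlen(expected) && memcmp(body, expected, n) == 0;
}

/* Constructed sample frames (not taken from the report). */
static const uint8_t ws_truncated[4] = { 0x81, 0xfe, 0x00, 0x05 };  /* masked, 16-bit len, key missing */
static const uint8_t ws_short_body[4] = { 0x81, 0x05, 0x68, 0x65 }; /* declares 5 body bytes, has 2 */
static const uint8_t ws_complete[11]  = { 0x81, 0x85, 0x01, 0x02, 0x03, 0x04,
                                          0x69, 0x67, 0x6f, 0x68, 0x6e };  /* "hello" masked */

int main(void)
{
    printf("truncated header rejected: %d\n", !ws_frame_complete(ws_truncated, sizeof ws_truncated));
    printf("short body rejected:       %d\n", !ws_frame_complete(ws_short_body, sizeof ws_short_body));
    printf("complete frame decodes:    %d\n", ws_body_equals(ws_complete, sizeof ws_complete, "hello"));
    return 0;
}
```

The first sample is the interesting one: a four-byte buffer whose second byte declares both a masking key and a 16-bit extended length, so the header alone needs eight bytes. A parser that trusts the header and copies the four-byte key unconditionally reads past the allocation; the length check in front of that memcpy is what turns the over-read into a rejected frame.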
