Headline
CVE-2022-37047: [Bug] heap-overflow in get.c:713 · Issue #734 · appneta/tcpreplay
The component tcprewrite in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in get_ipv6_next at common/get.c:713. NOTE: this is different from CVE-2022-27940.
Describe the bug
There is a heap-overflow bug in get_ipv6_next. It is different from #718 (where the crash point is line 679, `((int)((u_char *)exthdr + len))`); this bug is triggered at line 713, `(((int*)((u_char *)exthdr + len)) > maxlen)`.
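Both crash points the report names are bounds checks on the extension-header chain, where a length read from the packet is turned into a pointer before it has been checked against the bytes actually present. The following is an added example, not tcpreplay's code and not the get_ipv6_next() function itself: a hypothetical minimal IPv6 extension-header walker that compares the declared header length against the remaining buffer size before advancing. The header layouts (Hop-by-Hop, Routing and Destination Options carry a length in 8-octet units excluding the first 8; Fragment is a fixed 8 bytes) follow RFC 8200; the sample packets are constructed for the example and are not the issue's POC.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv6 next-header values used below (IANA protocol numbers). */
#define IPV6_NH_HOPOPTS   0
#define IPV6_NH_TCP       6
#define IPV6_NH_UDP      17
#define IPV6_NH_ROUTING  43
#define IPV6_NH_FRAGMENT 44
#define IPV6_NH_DSTOPTS  60

/* Cursor over the chain: current header and bytes left from there. */
struct ext_cursor {
    const uint8_t *ptr;   /* start of the current extension header */
    size_t remaining;     /* bytes from ptr to the end of the buffer */
    uint8_t next;         /* header type found at ptr */
};

/* Advance one extension header. Returns 1 on success, 0 if the header is
 * truncated or its declared length does not fit in the buffer. The check is
 * "declared length <= bytes remaining", done on sizes rather than on raw
 * pointers, so no pointer past the allocation is ever formed. */
static int ext_next(struct ext_cursor *cur)
{
    size_t hdrlen;

    /* Need the next-header and length bytes before reading them. */
    if (cur->remaining < 2)
        return 0;

    switch (cur->next) {
    case IPV6_NH_HOPOPTS:
    case IPV6_NH_ROUTING:
    case IPV6_NH_DSTOPTS:
        /* Hdr Ext Len is in 8-octet units, not counting the first 8. */
        hdrlen = ((size_t)cur->ptr[1] + 1) * 8;
        break;
    case IPV6_NH_FRAGMENT:
        hdrlen = 8;   /* fragment header is fixed size */
        break;
    default:
        return 0;     /* not an extension header we walk */
    }

    if (hdrlen > cur->remaining)
        return 0;     /* would read past the end of the packet */

    cur->next = cur->ptr[0];
    cur->ptr += hdrlen;
    cur->remaining -= hdrlen;
    return 1;
}

/* Walk the chain starting at 'payload' (the byte after the fixed IPv6
 * header) with next-header value 'first_nh'. Returns the upper-layer
 * protocol number, or -1 if the chain runs off the end of the buffer. */
int walk_ipv6_exthdrs(const uint8_t *payload, size_t len, uint8_t first_nh)
{
    struct ext_cursor cur = { payload, len, first_nh };

    while (cur.next == IPV6_NH_HOPOPTS || cur.next == IPV6_NH_ROUTING ||
           cur.next == IPV6_NH_DSTOPTS || cur.next == IPV6_NH_FRAGMENT) {
        if (!ext_next(&cur))
            return -1;
    }
    return cur.next;
}

/* Constructed sample: Hop-by-Hop (8 B) -> Destination Options (16 B) -> TCP. */
int example_well_formed(void)
{
    static const uint8_t pkt[] = {
        IPV6_NH_DSTOPTS, 0, 0, 0, 0, 0, 0, 0,                         /* len=0 */
        IPV6_NH_TCP,     1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0  /* len=1 */
    };
    return walk_ipv6_exthdrs(pkt, sizeof pkt, IPV6_NH_HOPOPTS);
}

/* Constructed sample: same chain cut short, so the second header claims
 * 16 bytes but only 8 are present. */
int example_truncated(void)
{
    static const uint8_t pkt[] = {
        IPV6_NH_DSTOPTS, 0, 0, 0, 0, 0, 0, 0,
        IPV6_NH_TCP,     1, 0, 0, 0, 0, 0, 0
    };
    return walk_ipv6_exthdrs(pkt, sizeof pkt, IPV6_NH_HOPOPTS);
}

/* Constructed sample: one header whose length byte (255) claims 2048 bytes. */
int example_oversized_length(void)
{
    static const uint8_t pkt[] = { IPV6_NH_TCP, 255, 0, 0, 0, 0, 0, 0 };
    return walk_ipv6_exthdrs(pkt, sizeof pkt, IPV6_NH_HOPOPTS);
}

int main(void)
{
    printf("well-formed -> %d\n", example_well_formed());     /* 6 */
    printf("truncated   -> %d\n", example_truncated());       /* -1 */
    printf("oversized   -> %d\n", example_oversized_length()); /* -1 */
    return 0;
}
```

The design point is that every comparison is between two sizes (`hdrlen` and `remaining`) taken from the same buffer, never between a freshly computed pointer and a limit, so a hostile length byte can only make the walk stop early, not read beyond the packet.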
To Reproduce
Steps to reproduce the behavior:
- export CC=clang && export CFLAGS="-fsanitize=address -g"
- ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
- ./src/tcprewrite -o /dev/null -i POC
Expected behavior
The program does not crash.
System (please complete the following information):
- OS: Debian
- OS version: buster
- Tcpreplay Version: 09f0774
Additional context
POC
poc.zip
Related news
Gentoo Linux Security Advisory 202210-8 - Multiple vulnerabilities have been discovered in Tcpreplay, the worst of which could result in denial of service. Versions less than 4.4.2 are affected.