Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap-buffer-overflow (read) in TcpLayer::isDataValid at TcpLayer.h:500 #1130

Closed
bladchan opened this issue Apr 30, 2023 · 1 comment
Closed
Labels

Comments

@bladchan
Copy link
Contributor

Describe the bug
Bad .pcap files which can lead TcpLayer::isDataValid to heap-buffer-overflow (read) issues at TcpLayer.h:500.

Pocs here:

poc_isDataValid.zip

To Reproduce

  1. Build the whole library with ASAN;
  2. Driver program (compile it with ASAN too):
// fuzz.cpp
#include<stdio.h>
#include <Packet.h>
#include <PcapFileDevice.h>

using namespace pcpp;

int
main(int argc, char* argv[])
{
  char *file = argv[1];
  // open a pcap file for reading
  pcpp::PcapFileReaderDevice reader(file);
  if (!reader.open())
  {
    printf("Error opening the pcap file\n");
    return 1;
  }

  // read the first (and only) packet from the file
  pcpp::RawPacket rawPacket;
  if (!reader.getNextPacket(rawPacket))
  {
    printf("Couldn't read the first packet in the file\n");
    return 1;
  }

  while (reader.getNextPacket(rawPacket)) {
      // parse the raw packet into a parsed packet
      pcpp::Packet parsedPacket(&rawPacket);
  }

  // close the file
  reader.close();

  return 0;
}
  1. Run pocs:
$ ./fuzz ./poc_isDataValid

Expected behavior
The code snippet where the issue happened should avoid the out-bounds read operation.

Environment (please complete the following information):

  • System and Version : Ubuntu 20.04.1 + Clang 11
  • commit version: fb3a560

Additional context
ASAN says:

$ ./fuzz ./poc_isDataValid 
=================================================================
==861765==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000000117 at pc 0x7f16447f7187 bp 0x7ffd7dd73e00 sp 0x7ffd7dd73df8
READ of size 2 at 0x608000000117 thread T0
    #0 0x7f16447f7186 in pcpp::TcpLayer::isDataValid(unsigned char const*, unsigned long) /home/ubuntu/test_program/PcapPlusPlus/Packet++/header/TcpLayer.h:500:12
    #1 0x7f16447f7186 in pcpp::IPv6Layer::parseNextLayer() /home/ubuntu/test_program/PcapPlusPlus/Packet++/src/IPv6Layer.cpp:227:17
    #2 0x7f164482d6b9 in pcpp::Packet::setRawPacket(pcpp::RawPacket*, bool, unsigned long, pcpp::OsiModelLayer) /home/ubuntu/test_program/PcapPlusPlus/Packet++/src/Packet.cpp:81:13
    #3 0x4ca26b in main /home/ubuntu/test_program/PcapPlusPlus/build/fuzz.cpp:28:20
    #4 0x7f1643f2e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41d41d in _start (/home/ubuntu/test_program/PcapPlusPlus/build/fuzz+0x41d41d)

0x608000000117 is located 9 bytes to the left of 96-byte region [0x608000000120,0x608000000180)
allocated by thread T0 here:
    #0 0x4c712d in operator new(unsigned long) (/home/ubuntu/test_program/PcapPlusPlus/build/fuzz+0x4c712d)
    #1 0x7f1644812edd in pcpp::NflogLayer::parseNextLayer() /home/ubuntu/test_program/PcapPlusPlus/Packet++/src/NflogLayer.cpp:70:26

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/test_program/PcapPlusPlus/Packet++/header/TcpLayer.h:500:12 in pcpp::TcpLayer::isDataValid(unsigned char const*, unsigned long)
Shadow bytes around the buggy address:
  0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c107fff8010: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 02 fa
=>0x0c107fff8020: fa fa[fa]fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==861765==ABORTING

BTW, for library's robustness, I report this bug here. Hopes that helps.

@seladb seladb added the fuzzing label Apr 30, 2023
@clementperon
Copy link
Collaborator

clementperon commented May 1, 2023

@jafar75 FYI

seems to crash due to pcpp::NflogLayer::parseNextLayer

EDIT: hmm sorry for double ping seems to be related with #1129

sashashura added a commit to sashashura/PcapPlusPlus that referenced this issue Jul 21, 2023
@seladb seladb closed this as completed in 0725fa1 Aug 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants