Fuzzing PcapPlusPlus about packet file analyzing

[Hyeong-Uk]

I'm a student of Seoul National University(Korea), and I tried to fuzz this library(only for file analyzing, not for analyzing live communication) for exercise.. I think I found heap overflow and few different minor weak points... Please check it and report some details to me.

I used PcapPlusPlus v23.09 on Linux(Ubuntu 20.04LTS 64bit) and AFL fuzzer 2.57b.
Test code: test1.txt
There are Initial test pcap file and crashed test file but can't upload because github issue doesn't support .pcap uploading...
If you want inputs, contact me with kohowo1999@snu.ac.kr or kohowo2000@gmail.com(recommended) .

Crashes: crash.log
The crash id of heap buffer overflow is 42.

[seladb]

Thank you @Hyeong-Uk for reporting this issue!

Maybe you can upload the pcap file with a different extension (i.e .txt)?

Also - would you consider providing a fix to this issue?

[Hyeong-Uk]

@seladb Here are pcap files:
Initial pcap input(afl fuzzing): datafin3.txt
Crashed pcap input: id:000042,sig:11,src:000000,op:flip2,pos:57.txt

+Sorry for (can)not providing a fix
+Would you report me about results? I'm curious whether it is really a weak point or not.

Thank you.

[seladb]

Thank you @Hyeong-Uk ! We'll comment on this ticket once we have a fix

cc @sashashura

[sashashura]

@Hyeong-Uk Could you provide your harness?

[tigercosmos]

@Hyeong-Uk is this still an issue? or I will close the ticket.

[Hyeong-Uk]

@sashashura I'm very sorry for seeing your comment now. I'm just a novice for this field, so I don't understand what does 'provide harness' mean. Does it mean 'provide my execution environment'?
@tigercosmos Could you delay closing a little bit? Or if you.. judge that this issue is meaningless, you can close the ticket, of course.

[sashashura]

Hi @Heysunk, harness is the code you used to trigger the crash. I must apologize, I didn't notice the test1.txt first. This is what I meant. We have a backlog of security issues to fix, but it seems the item 42 with this stack is not in the list of already known issues:

==1942299==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000b19 at pc 0x0000004c0dda bp 0x7ffecbca39f0 sp 0x7ffecbca31b8
READ of size 256 at 0x611000000b19 thread T0
    #0 0x4c0dd9 in __asan_memcpy (/home/hyeonguk/SNU4_2/opensrc/PcapPlusPlus/examples_bin/test1+0x4c0dd9)
    #1 0x6820ce in pcpp::PayloadLayer::PayloadLayer(unsigned char const*, unsigned long, bool) /home/hyeonguk/SNU4_2/opensrc/PcapPlusPlus/Packet++/src/PayloadLayer.cpp:14:2
    #2 0x51a39b in splitIPPacketToFragmentsBySize(pcpp::RawPacket*, unsigned long, pcpp::PointerVector<pcpp::RawPacket>&) /home/hyeonguk/SNU4_2/opensrc/PcapPlusPlus/Examples/test1/test1.cpp:891:22
    #3 0x51b9a6 in processPacketsIPF(pcpp::IFileReaderDevice*, pcpp::IFileWriterDevice*, int, bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool, std::map<unsigned short, bool, std::less<unsigned short>, std::allocator<std::pair<unsigned short const, bool> > >, bool, FragStats&) /home/hyeonguk/SNU4_2/opensrc/PcapPlusPlus/Examples/test1/test1.cpp:993:4
    #4 0x545eda in main /home/hyeonguk/SNU4_2/opensrc/PcapPlusPlus/Examples/test1/test1.cpp:2353:2
    #5 0x7fd362bae082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x44924d in _start (/home/hyeonguk/SNU4_2/opensrc/PcapPlusPlus/examples_bin/test1+0x44924d)

Could you please send the initial pcap and the test file that triggers the crash to my email (listed in my profile)?

[Hyeong-Uk]

@sashashura Hello, I has been busy for preparing graduate school in SNU(Seoul National University(Korea)), and fortunately my acceptance to graduate school was decided. And now that I have some free time, I'm going to focus on this work. I sent those files to your email, so if you are still interested in this issue, please check and report me whether it is really a weak point or not(and if it is real weak point, then how crash occured in detail.). Thank you very much.

[tigercosmos]

@Hyeong-Uk I think you can put the files here for more people to review. (simply click the "Paste, drop, or click to add files" button)

[Hyeong-Uk]

@tigercosmos Thank you for your comment. ^^ However, all the basic files are here(above), for example: test code(test1.txt), crash log(crash.log), fuzzed initial pcap file(datafin3.txt), etc.(and also, environment information.). Though, anyone who are interested in this issue can request me for additional files or information - then I will send them to your email.

• For here, please understand me putting .txt files <- because I can't upload original files due to github policy.

[sashashura]

Hi @Hyeong-Uk, we fully understand the reason for changing file extensions. This is very common practice.

It seems there was confusion from my side which file is which, so I'll just iterate to be sure we have all we need:

• The program that opens the input files and calls PPP API (the harness): https://github.com/seladb/PcapPlusPlus/files/13668175/test1.txt
• The input file that triggers the crash (reproducer): https://github.com/seladb/PcapPlusPlus/files/13673495/id.000042.sig.11.src.000000.op.flip2.pos.57.txt

Optional files that are not strictly needed to reproduce the crash:

• Logs: https://github.com/seladb/PcapPlusPlus/files/13668215/crash.log
• Initial seed file: https://github.com/seladb/PcapPlusPlus/files/13673466/datafin3.txt

I'll look into it when time permits.

[Hyeong-Uk]

@sashashura Thanks for your comment, that's all true. I'll look forward to your report. Thanks.

[tigercosmos]

@sashashura Is there any update?

[egecetin]

Are we sure that this issue really caused by the library itself? I checked the code of PayloadLayer constructor, but the constructor only copies the provided data (using pointer + length). So, the only reason for overflow should be either wrong/misaligned pointer or length. And the code (test1.txt Line 891) directly calls this constructor so there is no internal call from other layer. Fuzzer code calls it with this pointer and length directly. Am i missing something @sashashura @seladb @tigercosmos? What do you think?

[sashashura]

I agree, the issue in case 42 is that the size of m_Data of ipLayer is 11, but curFragSize == 256 is passed to the pcpp::PayloadLayer constructor.
However, the code is copy/paste from Examples/IPFragUtil, so it raises a question should we fix the example.

[seladb]

In that case we can fix the example 👍