Closed
Description
Hi.
I found a heap-buffer-overflow testcase.
Memory corruption occurs in the ASan environment or under Valgrind.
PoC Download: PoC
Please confirm.
tcpreplay version: 4.2.6 (build git:v4.2.6-4-g54da347)
OS: Ubuntu 16.04.2 32bit
Command: ./tcpprep --auto=bridge --pcap=$FILE --cachefile=/dev/null
Thanks.
ASan Log
=================================================================
==21151==ERROR: AddressSanitizer: unknown-crash on address 0xb4c00bbe at pc 0x08055d50 bp 0xbff1b318 sp 0xbff1b308
READ of size 20 at 0xb4c00bbe thread T0
#0 0x8055d4f in packet2tree /home/karas/gwanyeong/tcpreplay/src/tree.c:717
#1 0x8055094 in add_tree_ipv4 /home/karas/gwanyeong/tcpreplay/src/tree.c:524
#2 0x804e13d in process_raw_packets /home/karas/gwanyeong/tcpreplay/src/tcpprep.c:459
#3 0x804ca97 in main /home/karas/gwanyeong/tcpreplay/src/tcpprep.c:146
#4 0xb6f8a636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#5 0x8049890 (/home/karas/gwanyeong/tcpreplay/src/tcpprep+0x8049890)
0xb4c00bd0 is located 0 bytes to the right of 32-byte region [0xb4c00bb0,0xb4c00bd0)
allocated by thread T0 here:
#0 0xb7227144 in __interceptor_realloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x97144)
#1 0xb7166fad in grow_buffer sf-pcap.c:422
SUMMARY: AddressSanitizer: unknown-crash /home/karas/gwanyeong/tcpreplay/src/tree.c:717 packet2tree
Shadow bytes around the buggy address:
0x36980120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36980130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36980140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36980150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36980160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36980170: fa fa fa fa fa fa 00[00]00 00 fa fa fd fd fd fd
0x36980180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36980190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x369801a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x369801b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x369801c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==21151==ABORTING
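The trace above reports a 20-byte read starting at 0xb4c00bbe, which is offset 14 into the 32-byte region [0xb4c00bb0,0xb4c00bd0): a fixed-size IPv4 header copy after a 14-byte Ethernet header runs 2 bytes past the captured packet. The following is an added example, not tcpreplay's code, showing the captured-length check such a parser needs before copying a fixed-size header; the struct and function names are hypothetical and the frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN  14u   /* Ethernet II header; matches the 14-byte offset in the trace */
#define IPV4_HDR_MIN 20u   /* minimal IPv4 header; matches the 20-byte read ASan reports */

/* Hypothetical minimal IPv4 header layout (20 bytes), not tcpreplay's own type. */
struct ipv4_min {
    uint8_t  ver_ihl;
    uint8_t  tos;
    uint16_t total_len;
    uint8_t  rest[16];
};
_Static_assert(sizeof(struct ipv4_min) == IPV4_HDR_MIN, "header size mismatch");

/*
 * Copy the IPv4 header that follows an l2len-byte link-layer header.
 * Returns 0 on success, -1 if the captured length (caplen) cannot hold it.
 * The caplen check is what a short captured frame needs: without it, a
 * memcpy of IPV4_HDR_MIN bytes reads past the end of the packet buffer.
 */
int copy_ipv4_hdr(const uint8_t *pkt, size_t caplen, size_t l2len,
                  struct ipv4_min *out)
{
    if (pkt == NULL || out == NULL)
        return -1;
    /* Written as a subtraction to avoid size_t wrap-around in l2len + IPV4_HDR_MIN. */
    if (l2len > caplen || caplen - l2len < IPV4_HDR_MIN)
        return -1;
    if ((pkt[l2len] >> 4) != 4)      /* version nibble must be 4 */
        return -1;
    memcpy(out, pkt + l2len, IPV4_HDR_MIN);
    return 0;
}

/* Constructed frame; caplen simulates the captured length a pcap record carries. */
static int demo(size_t caplen)
{
    uint8_t frame[34] = {0};
    frame[12] = 0x08; frame[13] = 0x00;   /* EtherType IPv4 */
    frame[14] = 0x45;                     /* version 4, IHL 5 */
    struct ipv4_min ip;
    return copy_ipv4_hdr(frame, caplen, ETH_HDR_LEN, &ip);
}

int main(void)
{
    printf("caplen 32: %s\n", demo(32) == 0 ? "parsed" : "rejected (short frame)");
    printf("caplen 34: %s\n", demo(34) == 0 ? "parsed" : "rejected (short frame)");
    return 0;
}
```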