Submit #623632: tcpreplay tcpliveplay tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay) Segmentation Fault

Title: tcpreplay tcpliveplay tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay) Segmentation Fault
Description:

# TCPLIVEPLAY Segmentation Fault Vulnerability in strstr_sse2 Function

## Vulnerability Summary

During fuzzing, a critical segmentation fault vulnerability was discovered in the tcpliveplay utility from the tcpreplay package. The crash occurs in the `__strstr_sse2` function within the GNU libc string processing library, triggered while processing a malformed configuration file supplied through the `--load-opts` command-line option. This leads to a memory access violation and program termination.

## Technical Details

- **Vulnerability Type**: Segmentation Fault / Buffer Over-read
- **Affected Function**: `__strstr_sse2`
- **Source File**: `strstr.c`
- **Line Number**: 84:31
- **Signal**: SIGABRT (6)
- **Memory Access**: READ at address 0xffffffffffffffe0

## Vulnerability Mechanism and Root Cause

This segmentation fault is caused by improper input validation and memory boundary checking in the libopts library's configuration file processing logic. The root issue lies in the `remove_settings` function, where string operations are performed on malformed or crafted input data. The vulnerability occurs when:

1. The `--load-opts` parameter specifies a malformed configuration file
2. The `optionProcess` function initiates option file processing in `autoopts.c:367`
3. Control flows to `optionSaveFile` at `save.c:828` for file operations
4. The `open_sv_file` function at `save.c:564` attempts to process the file
5. The `remove_settings` function at `save.c:499` performs string search operations using `strstr`
6. The underlying `__strstr_sse2` implementation encounters an invalid memory address (0xffffffffffffffe0)

This creates a classic buffer over-read condition, where the program attempts to access memory outside valid boundaries during string pattern matching. The invalid address `0xffffffffffffffe0` indicates an attempt to read from a location near the end of the virtual address space, suggesting pointer arithmetic overflow or corruption.

## AddressSanitizer Report

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2336571==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffffffffffe0 (pc 0x7f9d3553c3b7 bp 0x00000000003c sp 0x7ffd6e1de6c8 T0)
==2336571==The signal is caused by a READ memory access.
    #0 0x7f9d3553c3b7 string/../sysdeps/x86_64/multiarch/strchr-avx2.S:279
    #1 0x7f9d35447fff in __strstr_sse2 string/../string/strstr.c:84:31
    #2 0x564df13c9d29 in strstr (/workspace/benchmark/tmp/need-ana/fz-tcpliveplay/tcpliveplay+0x83d29) (BuildId: db49b43699a0f31c)
    #3 0x564df14c04c4 in remove_settings /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./save.c:499:30
    #4 0x564df14c04c4 in open_sv_file /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./save.c:564:13
    #5 0x564df14c04c4 in optionSaveFile /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./save.c:828:10
    #6 0x564df14b32ec in optionProcess /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./autoopts.c:367:13
    #7 0x564df148a8e8 in main /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpliveplay.c:150:5
    #8 0x7f9d353c8d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7f9d353c8e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #10 0x564df13b15a4 in _start (/workspace/benchmark/tmp/need-ana/fz-tcpliveplay/tcpliveplay+0x6b5a4) (BuildId: db49b43699a0f31c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV string/../sysdeps/x86_64/multiarch/strchr-avx2.S:279
==2336571==ABORTING
Aborted
```

## Proof of Concept

The vulnerability can be triggered by processing the malformed configuration file provided as `POC_tcpliveplay_segmentation_fault_strstr_sse2`. This file contains specific byte sequences that cause the segmentation fault during option processing.

**POC Download**: [Google Drive Link - POC_tcpliveplay_segmentation_fault_strstr_sse2](https://drive.google.com/file/d/1yjKOHxvL_9xExy4QUb5x43dxci1x59ts/view?usp=sharing)

## Reproduction Steps

1. Compile tcpliveplay with AddressSanitizer enabled
2. Execute: `tcpliveplay --load-opts POC_tcpliveplay_segmentation_fault_strstr_sse2`
3. The program will crash with a segmentation fault error

## Affected Versions

tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay)

**Credit**

- Xudong Cao (UCAS)
- Yuqing Zhang (UCAS, Zhongguancun Laboratory)
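The crash chain above ends in `strstr` being handed a pointer derived from the `--load-opts` file contents. As an added illustration (not code from tcpreplay or libopts, whose `remove_settings` implementation is not shown on this page), the C snippet below shows the two defensive steps a loader of such files would want: the file bytes are copied into a buffer that is guaranteed NUL-terminated and free of embedded NULs, and the setting search is bounded by the buffer length instead of trusting `strstr` to stop at a terminator. The sample file text and the helper names `load_opts_buffer` and `find_setting` are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy an options file's raw bytes into a NUL-terminated buffer.
 * Rejects input that is too large or carries embedded NUL bytes, since
 * either would let a later strstr() stop early or run past the real data.
 * Returns 0 on success, -1 on rejection. (Example helper, not libopts code.) */
static int load_opts_buffer(const char *data, size_t len, char *out, size_t outsz)
{
    if (data == NULL || out == NULL || outsz == 0 || len >= outsz)
        return -1;
    if (memchr(data, '\0', len) != NULL)   /* embedded NUL: malformed file */
        return -1;
    memcpy(out, data, len);
    out[len] = '\0';                       /* terminator is always present */
    return 0;
}

/* Bounded search for a setting name inside [buf, buf+len). Unlike strstr(),
 * it never reads beyond len and tolerates NULL or unterminated buffers.
 * Returns the byte offset of the first match, or -1 if absent. */
static long find_setting(const char *buf, size_t len, const char *name)
{
    if (buf == NULL || name == NULL)
        return -1;
    size_t nlen = strlen(name);
    if (nlen == 0 || nlen > len)
        return -1;
    for (size_t i = 0; i + nlen <= len; i++) {
        if (buf[i] == '\0')                /* stop at a terminator inside the range */
            break;
        if (memcmp(buf + i, name, nlen) == 0)
            return (long)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample of a saved-options file; not a real tcpliveplay file. */
    static const char sample[] = "# tcpliveplay options\nintf1 = eth0\n";
    char buf[128];
    if (load_opts_buffer(sample, sizeof sample - 1, buf, sizeof buf) != 0)
        return 1;
    printf("intf1 at offset %ld\n", find_setting(buf, strlen(buf), "intf1"));
    return 0;
}
```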
Source: https://github.com/appneta/tcpreplay/issues/957
User: nipc-cxd (UID 88335)
Submission: 07/27/2025 09:09
Moderation: 08/08/2025 11:14 (12 days later)
Status: Accepted
VulDB entry: 319242 [GNU libopts up to 27.6 __strstr_sse2 memory corruption]
Points: 20
