| Title | tcpreplay tcpprep tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay) Heap Buffer Overflow |
|---|
| Description | # TCPPREP Heap Buffer Overflow Vulnerability in mask_cidr6 Function (Include Path Line 89)
## Vulnerability Summary
During fuzzing, a critical heap buffer overflow vulnerability has been discovered in the tcpprep utility from the tcpreplay suite. The vulnerability occurs in the `mask_cidr6` function within `cidr.c` at line 228, triggered through the include option processing path via `parse_xX_str` at line 89. This leads to an out-of-bounds read operation that can cause memory corruption and a program crash.
## Technical Details
- **Vulnerability Type**: Heap Buffer Overflow
- **Affected Function**: `mask_cidr6`
- **Source File**: `cidr.c`
- **Line Number**: 228
- **Signal**: SIGABRT (6)
## Vulnerability Mechanism and Root Cause
This heap buffer overflow vulnerability is caused by insufficient bounds checking in the IPv6 CIDR mask processing logic. The root issue lies in the `mask_cidr6` function where the program attempts to read beyond the allocated memory boundaries when processing malformed IPv6 addresses.
The vulnerability occurs when:
1. Memory is allocated via `our_safe_strdup` in `doOptInclude` at line 1435 for a 2-byte string
2. The string is passed through the processing chain: `doOptInclude` → `parse_xX_str` (line 89) → `parse_cidr` → `mask_cidr6`
3. `mask_cidr6` at line 228 attempts to read 1 byte from address 0x602000000032, which is located 0 bytes after the 2-byte allocated region [0x602000000030,0x602000000032)
This creates a classic heap buffer overflow condition where the program reads past the end of a dynamically allocated buffer, potentially accessing uninitialized or attacker-controlled memory.
## AddressSanitizer Report
```
=================================================================
==2174093==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000032 at pc 0x56285b0ec3f1 bp 0x7ffc68917bb0 sp 0x7ffc68917ba8
READ of size 1 at 0x602000000032 thread T0
#0 0x56285b0ec3f0 in mask_cidr6 /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/cidr.c:228:9
#1 0x56285b0ec3f0 in parse_cidr /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/cidr.c:256:5
#2 0x56285b0f6714 in parse_xX_str /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/xX.c:89:14
#3 0x56285b0d62e5 in doOptInclude /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpprep_opts.c:1438:38
#4 0x56285b114f78 in handle_opt /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./autoopts.c:200:9
#5 0x56285b1320e1 in load_opt_line /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./load.c:528:9
#6 0x56285b12ca06 in handle_cfg /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./configfile.c
#7 0x56285b12ca06 in file_preset /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./configfile.c:405:21
#8 0x56285b1376a0 in optionLoadOpt /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./configfile.c:1149:5
#9 0x56285b114f78 in handle_opt /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./autoopts.c:200:9
#10 0x56285b10e961 in regular_opts /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./autoopts.c:264:15
#11 0x56285b10e961 in optionProcess /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./autoopts.c:348:11
#12 0x56285b0d776d in main /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpprep.c:81:5
0x602000000032 is located 0 bytes after 2-byte region [0x602000000030,0x602000000032)
allocated by thread T0 here:
#0 0x56285b09622e in malloc (/workspace/benchmark/tmp/need-ana/fz-tcpprep/tcpprep+0x10722e)
#1 0x56285b0f6ca1 in our_safe_strdup /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/utils.c:90:27
#2 0x56285b0d6261 in doOptInclude /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpprep_opts.c:1435:15
```
## Proof of Concept
The vulnerability can be triggered by processing the malformed configuration file provided as `POC_tcpprep_heap_buffer_overflow_mask_cidr6_include_89`. This file contains specific include rules that cause the heap buffer overflow condition.
**POC Download**: [Google Drive Link - POC_tcpprep_heap_buffer_overflow_mask_cidr6_include_89](https://drive.google.com/file/d/13SQYVIb_YQoRfaJaaLf6iLtMiCRCHlBc/view?usp=sharing)
## Reproduction Steps
1. Compile tcpprep with AddressSanitizer enabled
2. Execute: `tcpprep --load-opts POC_tcpprep_heap_buffer_overflow_mask_cidr6_include_89`
3. The program will crash with a heap-buffer-overflow error
## Affected Versions
tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay)
**Credit**
- Xudong Cao (UCAS)
- Yuqing Zhang (UCAS, Zhongguancun Laboratory) |
|---|
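The include-parsing path described in the report above ends in a CIDR parser reading one byte past a 2-byte string. As an added example (not tcpreplay's `mask_cidr6` or any code from the project), the C parser below shows the length checks such a routine needs: every read is bounded by the input length, so one- or two-byte inputs are rejected instead of read past, and the host bits are cleared only after the address has been validated. The function and wrapper names (`parse_cidr6_safe`, `cidr6_prefix`, `cidr6_addr_byte`) and the accepted syntaxes are assumptions of this example.

```c
#include <string.h>
#include <stdlib.h>
#include <arpa/inet.h>

/* Strict prefix length: non-empty, digits only, 0..128; -1 otherwise. */
static int parse_prefix6(const char *p)
{
    char *end;
    if (*p < '0' || *p > '9') return -1;             /* rejects "", "+1", "-1" */
    long v = strtol(p, &end, 10);
    return (*end == '\0' && v <= 128) ? (int)v : -1;
}
/* Parses addr, addr/len, [addr] or [addr]/len into a network-masked 16-byte address and
 * returns the prefix length, or -1 on malformed input. Every read is bounded by strlen(in). */
int parse_cidr6_safe(const char *in, unsigned char addr[16])
{
    size_t len = strlen(in), start = 0, end;
    const char *sep;
    char buf[INET6_ADDRSTRLEN];
    int prefix = 128, i;
    if (in[0] == '[') {                              /* bracketed form */
        sep = len > 1 ? memchr(in + 1, ']', len - 1) : NULL;
        if (sep == NULL) return -1;                  /* "[" or "[abc": no closing bracket */
        start = 1;
        end = (size_t)(sep - in);
        if (sep[1] == '/') prefix = parse_prefix6(sep + 2);
        else if (sep[1] != '\0') return -1;          /* junk after ']' */
    } else {
        sep = memchr(in, '/', len);
        end = sep ? (size_t)(sep - in) : len;
        if (sep) prefix = parse_prefix6(sep + 1);
    }
    if (prefix < 0 || end - start < 2 || end - start >= sizeof buf)
        return -1;                                   /* "::" is the shortest address */
    memcpy(buf, in + start, end - start);
    buf[end - start] = '\0';
    if (inet_pton(AF_INET6, buf, addr) != 1) return -1;
    for (i = 0; i < 16; i++) {                       /* clear host bits */
        int keep = prefix - i * 8;
        if (keep >= 8) continue;
        addr[i] = keep <= 0 ? 0 : (unsigned char)(addr[i] & (0xff << (8 - keep)));
    }
    return prefix;
}
/* Single-result wrappers for callers that need only one value. */
int cidr6_prefix(const char *in) { unsigned char a[16]; return parse_cidr6_safe(in, a); }
int cidr6_addr_byte(const char *in, int i) {
    unsigned char a[16];
    return (i < 0 || i > 15 || parse_cidr6_safe(in, a) < 0) ? -1 : a[i];
}
```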
| Source | https://github.com/appneta/tcpreplay/issues/958 |
|---|
| User | nipc-cxd (UID 88335) |
|---|
| Submission | 07/27/2025 09:10 (11 months ago) |
|---|
| Moderation | 08/14/2025 07:43 (18 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 320080 [tcpreplay 4.5.1 tcpprep cidr.c mask_cidr6 heap-based overflow] |
|---|
| Points | 20 |
|---|