Submit #623637: tcpreplay tcpprep tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay) Heap Buffer Overflow

Title: tcpreplay tcpprep tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay) Heap Buffer Overflow
Description:

# TCPPREP Heap Buffer Overflow Vulnerability in mask_cidr6 Function (Exclude Path Line 57)

## Vulnerability Summary

During fuzzing, a heap buffer overflow was discovered in the tcpprep utility from the tcpreplay suite. The bug is in the `mask_cidr6` function in `cidr.c` at line 228, reached through the exclude-option processing path via `parse_xX_str` at line 57. It is an out-of-bounds heap read; under AddressSanitizer it aborts the program (SIGABRT).

## Technical Details

- **Vulnerability Type**: Heap Buffer Overflow (out-of-bounds read)
- **Affected Function**: `mask_cidr6`
- **Source File**: `cidr.c`
- **Line Number**: 228
- **Signal**: SIGABRT (6)

## Vulnerability Mechanism and Root Cause

The overflow is caused by insufficient bounds checking in the IPv6 CIDR mask processing logic when handling exclude rules: `mask_cidr6` reads beyond the end of the allocated string when it processes a malformed IPv6 address in an exclude pattern. The sequence is:

1. `doOptExclude` (`tcpprep_opts.c`, line 1487) duplicates the option value with `our_safe_strdup`, yielding a 2-byte heap region (a one-character string plus its NUL terminator).
2. The string is passed down the chain `doOptExclude` → `parse_xX_str` (`xX.c`, line 57) → `parse_cidr` → `mask_cidr6`.
3. `mask_cidr6` at `cidr.c` line 228 reads 1 byte at address 0x602000000032, which lies 0 bytes after the 2-byte region [0x602000000030,0x602000000032).

This report is distinct from the include-path variants: it is triggered through the exclude-option processing logic and has a different call chain.
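The bug class this report describes, modelled in C as an added example (this is not tcpreplay's code and does not reproduce the real `mask_cidr6`; the function names, the shape of the unchecked parser and the sample rules are hypothetical): a fixed-offset read after the `/` walks off the end of a two-byte `strdup`'d rule, shown beside a bounds-checked IPv6 CIDR parser and masking routine that rejects malformed exclude rules before indexing anything. Built with `-fsanitize=address` and run with `--unsafe`, the unchecked model reproduces the same pattern as the report's sanitizer output: a READ of size 1 located 0 bytes after a 2-byte region.

```c
#define _POSIX_C_SOURCE 200809L      /* inet_pton, strdup */
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the bug class, NOT tcpreplay's mask_cidr6: the
 * prefix digits are read by fixed offset after the slash instead of by
 * measured length.  For the rule "/" (strdup'd into a 2-byte region:
 * '/', NUL) this reads slash[1], the terminator, and then slash[2], one
 * byte past the allocation.  Kept only to contrast with parse_cidr6(). */
static int mask_len_unchecked(const char *rule)
{
    const char *slash = strchr(rule, '/');
    if (slash == NULL)
        return 128;                      /* no prefix given: host rule */
    int len = slash[1] - '0';            /* BUG: assumes a digit follows */
    if (slash[2] != '\0')                /* BUG: may read past the NUL  */
        len = len * 10 + (slash[2] - '0');
    return len;
}

struct cidr6 {
    struct in6_addr addr;
    int prefix;                          /* 0..128 */
};

/* Bounds-checked parse of "<ipv6>[/<prefix>]".  The length is measured
 * before any indexing, the address is validated by inet_pton(), and the
 * prefix is parsed with strtol() and range-checked.  True on success. */
static bool parse_cidr6(const char *rule, struct cidr6 *out)
{
    char buf[INET6_ADDRSTRLEN + 4];      /* longest address + "/128" */
    size_t len = strlen(rule);
    if (len == 0 || len >= sizeof buf)
        return false;                    /* empty, or too long to be valid */
    memcpy(buf, rule, len + 1);          /* private copy incl. terminator */

    long prefix = 128;
    char *slash = strchr(buf, '/');
    if (slash != NULL) {
        *slash = '\0';
        const char *p = slash + 1;
        if (!isdigit((unsigned char)*p))
            return false;                /* "addr/", "addr/-1", "addr/ 8" */
        char *end;
        errno = 0;
        prefix = strtol(p, &end, 10);
        if (errno != 0 || *end != '\0' || prefix > 128)
            return false;                /* "addr/129", "addr/64x" */
    }
    if (buf[0] == '\0' || inet_pton(AF_INET6, buf, &out->addr) != 1)
        return false;                    /* "/64", "/", "2001:db8:::/64" */
    out->prefix = (int)prefix;
    return true;
}

/* Clear the host bits of `a` beyond `prefix`: the masking step the name
 * mask_cidr6 suggests, written independently with bounded byte indices. */
static void mask_in6(struct in6_addr *a, int prefix)
{
    for (int i = 0; i < 16; i++) {
        int bits = prefix - 8 * i;       /* network bits left in byte i */
        if (bits >= 8)
            continue;
        a->s6_addr[i] = bits <= 0 ? 0
                      : (unsigned char)(a->s6_addr[i] & (0xFF << (8 - bits)));
    }
}

int main(int argc, char **argv)
{
    /* Constructed sample exclude rules, including the malformed shapes. */
    static const char *const rules[] = {
        "2001:db8:1234::1/32", "::1", "/", "", "2001:db8::/", "2001:db8::/129",
    };
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        struct cidr6 c;
        char text[INET6_ADDRSTRLEN];
        if (!parse_cidr6(rules[i], &c)) {
            printf("%-22s rejected\n", rules[i][0] ? rules[i] : "(empty)");
            continue;
        }
        mask_in6(&c.addr, c.prefix);
        inet_ntop(AF_INET6, &c.addr, text, sizeof text);
        printf("%-22s ok -> %s/%d\n", rules[i], text, c.prefix);
    }
    /* Build with -fsanitize=address and pass --unsafe to see the unchecked
     * model read past a heap copy of "/" (the report's 2-byte region). */
    if (argc > 1 && strcmp(argv[1], "--unsafe") == 0) {
        char *rule = strdup("/");
        printf("unchecked prefix: %d\n", mask_len_unchecked(rule));
        free(rule);
    }
    return 0;
}
```

The hardened parser owes its safety to ordering: it measures the string and copies it into a fixed buffer first, then only ever dereferences pointers that `strchr`/`strtol` derived from that NUL-terminated copy, so a one-character rule such as `/` is rejected at the `isdigit` check instead of being indexed past its terminator.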
## AddressSanitizer Report

```
=================================================================
==2177922==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000032 at pc 0x55843d4b23f1 bp 0x7ffef9acb930 sp 0x7ffef9acb928
READ of size 1 at 0x602000000032 thread T0
    #0 0x55843d4b23f0 in mask_cidr6 /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/cidr.c:228:9
    #1 0x55843d4b23f0 in parse_cidr /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/cidr.c:256:5
    #2 0x55843d4bc6d1 in parse_xX_str /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/xX.c:57:14
    #3 0x55843d49c675 in doOptExclude /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpprep_opts.c:1490:38
    #4 0x55843d4daf78 in handle_opt /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./autoopts.c:200:9
    #5 0x55843d4f80e1 in load_opt_line /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./load.c:528:9
    #6 0x55843d4f2a06 in handle_cfg /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./configfile.c
    #7 0x55843d4f2a06 in file_preset /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./configfile.c:405:21
    #8 0x55843d4fd6a0 in optionLoadOpt /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./configfile.c:1149:5

0x602000000032 is located 0 bytes after 2-byte region [0x602000000030,0x602000000032)
allocated by thread T0 here:
    #0 0x55843d45c22e in malloc (/workspace/benchmark/tmp/need-ana/fz-tcpprep/tcpprep+0x10722e)
    #1 0x55843d4bcca1 in our_safe_strdup /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/utils.c:90:27
    #2 0x55843d49c5f1 in doOptExclude /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpprep_opts.c:1487:15
```

## Proof of Concept

The vulnerability is triggered by loading the malformed option file provided as `POC_tcpprep_heap_buffer_overflow_mask_cidr6_exclude_57`.
This file contains exclude rules that trigger the heap buffer overflow.

**POC Download**: [Google Drive Link - POC_tcpprep_heap_buffer_overflow_mask_cidr6_exclude_57](https://drive.google.com/file/d/1eKn-_-TCpW8RlonUJ0DeOfYSKekkiyC8/view?usp=sharing)

## Reproduction Steps

1. Compile tcpprep with AddressSanitizer enabled
2. Execute: `tcpprep --load-opts POC_tcpprep_heap_buffer_overflow_mask_cidr6_exclude_57`
3. The program aborts with a heap-buffer-overflow report

## Affected Versions

tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay)

## Credit

- Xudong Cao (UCAS)
- Yuqing Zhang (UCAS, Zhongguancun Laboratory)
Source: https://github.com/appneta/tcpreplay/issues/960
User: nipc-cxd (UID 88335)
Submission: 07/27/2025 09:12
Moderation: 08/14/2025 07:51 (18 days later)
Status: Duplicate
VulDB entry: 320080 [tcpreplay 4.5.1 tcpprep cidr.c mask_cidr6 heap-based overflow]
Points: 0
