| Title | tcpreplay tcpprep tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay) Heap Buffer Overflow |
|---|---|

**Description**

# TCPPREP Heap Buffer Overflow Vulnerability in mask_cidr6 Function (Include Path Line 64)
## Vulnerability Summary
During fuzzing, a critical heap buffer overflow vulnerability was discovered in the tcpprep utility from the tcpreplay suite. The vulnerability occurs in the `mask_cidr6` function within `cidr.c` at line 228 and is triggered through the include option processing path via `parse_xX_str` at line 64. This leads to an out-of-bounds read that can cause memory corruption and a program crash.
## Technical Details
- **Vulnerability Type**: Heap Buffer Overflow
- **Affected Function**: `mask_cidr6`
- **Source File**: `cidr.c`
- **Line Number**: 228
- **Signal**: SIGABRT (6)
## Vulnerability Mechanism and Root Cause
This heap buffer overflow vulnerability is caused by insufficient bounds checking in the IPv6 CIDR mask processing logic when handling include rules through a specific parsing path. The root issue lies in the `mask_cidr6` function where the program attempts to read beyond the allocated memory boundaries when processing malformed IPv6 addresses.
The vulnerability occurs when:
1. Memory is allocated via `our_safe_strdup` in `doOptInclude` at line 1435 for a 2-byte string
2. The string is passed through the processing chain: `doOptInclude` → `parse_xX_str` (line 64) → `parse_cidr` → `mask_cidr6`
3. `mask_cidr6` at line 228 attempts to read 1 byte from address 0x602000000032, which is located 0 bytes after the 2-byte allocated region [0x602000000030,0x602000000032)
This vulnerability is distinct from other mask_cidr6 variants due to its specific triggering through parse_xX_str line 64, representing a different code path in the include option processing logic.
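To make the defensive side concrete, here is an added example (not tcpreplay's code; the real `mask_cidr6` and `parse_cidr` are not shown in this report) of a bounds-checked IPv6 CIDR parser of the kind that avoids an over-read on a short heap string. `struct cidr6`, `parse_cidr6`, `mask_addr6`, `format_cidr6` and `cidr6_check` are names chosen for illustration, and the inputs in `main` are constructed, including two 2-byte strings comparable to the allocation in the report. The input is only read through `strnlen` and a fixed-size copy, and the prefix length is range-checked before it is ever used to index the 16-byte address buffer.

```c
/* Added example, not tcpreplay's code: a bounds-checked IPv6 CIDR parser
 * of the kind that would prevent the over-read described in the report.
 * All function and struct names here are assumptions for illustration. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct cidr6 {
    unsigned char addr[16];   /* network address with host bits cleared */
    int masklen;              /* prefix length, 0..128 */
};

/* Clear the host bits of a 16-byte address in place. masklen is
 * range-checked by the caller, so every index stays inside addr[16]. */
static void mask_addr6(unsigned char addr[16], int masklen)
{
    int full = masklen / 8;   /* leading bytes kept whole */
    int rem  = masklen % 8;   /* leading bits kept in the next byte */
    for (int i = full; i < 16; i++) {
        if (i == full && rem)
            addr[i] &= (unsigned char)(0xFFu << (8 - rem));
        else
            addr[i] = 0;
    }
}

/* Parse "addr/len" or bare "addr" (meaning /128) from a buffer of at most
 * cap bytes. Returns 1 on success, 0 on any malformed input. The input is
 * only read through strnlen and a fixed-size copy, so a short heap buffer
 * such as the 2-byte one in the report is never read past its terminator. */
int parse_cidr6(const char *s, size_t cap, struct cidr6 *out)
{
    char buf[INET6_ADDRSTRLEN + 4];   /* room for "addr/128" */
    size_t n;
    if (!s || !out)
        return 0;
    n = strnlen(s, cap);
    if (n == 0 || n >= cap || n >= sizeof buf)
        return 0;                      /* empty, unterminated or too long */
    memcpy(buf, s, n);
    buf[n] = '\0';

    int masklen = 128;
    char *slash = memchr(buf, '/', n);
    if (slash) {
        const char *p = slash + 1;
        char *end;
        long v;
        *slash = '\0';
        if (!isdigit((unsigned char)*p))   /* rejects "addr/", "+64", " 64" */
            return 0;
        v = strtol(p, &end, 10);
        if (*end != '\0' || v < 0 || v > 128)
            return 0;
        masklen = (int)v;
    }
    if (buf[0] == '\0' || inet_pton(AF_INET6, buf, out->addr) != 1)
        return 0;                      /* "/6" has no address; bad text */
    out->masklen = masklen;
    mask_addr6(out->addr, masklen);
    return 1;
}

/* Render a parsed rule as "addr/len"; returns 1 on success. */
int format_cidr6(const struct cidr6 *c, char *dst, size_t dstlen)
{
    char a[INET6_ADDRSTRLEN];
    int r;
    if (!inet_ntop(AF_INET6, c->addr, a, sizeof a))
        return 0;
    r = snprintf(dst, dstlen, "%s/%d", a, c->masklen);
    return r > 0 && (size_t)r < dstlen;
}

/* Check one input against its expected canonical form; expect == NULL
 * means the input must be rejected. Returns 1 when the behaviour matches. */
int cidr6_check(const char *input, const char *expect)
{
    struct cidr6 c;
    char text[64];
    int ok = parse_cidr6(input, strlen(input) + 1, &c) &&
             format_cidr6(&c, text, sizeof text);
    if (!expect)
        return !ok;
    return ok && strcmp(text, expect) == 0;
}

int main(void)
{
    /* Constructed inputs: a valid rule, two 2-byte strings like the
     * allocation in the report, an out-of-range prefix and an empty string. */
    const char *inputs[] = { "2001:db8::1/64", "::", "/6", "2001:db8::/129", "" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        struct cidr6 c;
        char text[64];
        if (parse_cidr6(inputs[i], strlen(inputs[i]) + 1, &c) &&
            format_cidr6(&c, text, sizeof text))
            printf("%-16s -> %s\n", inputs[i], text);
        else
            printf("%-16s -> rejected\n", inputs[i]);
    }
    return 0;
}
```

The two properties worth noting are that the parser takes the buffer capacity as a separate argument rather than trusting a terminator to exist, and that the only value ever used to index the address array is a prefix length that has already been clamped to 0..128, so no input text, however short or malformed, can move a read or write outside the 16-byte buffer.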
## AddressSanitizer Report
```
=================================================================
==2177994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000032 at pc 0x5624b07783f1 bp 0x7ffc1d79b3b0 sp 0x7ffc1d79b3a8
READ of size 1 at 0x602000000032 thread T0
#0 0x5624b07783f0 in mask_cidr6 /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/cidr.c:228:9
#1 0x5624b07783f0 in parse_cidr /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/cidr.c:256:5
#2 0x5624b0782757 in parse_xX_str /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/xX.c:64:14
#3 0x5624b07622e5 in doOptInclude /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpprep_opts.c:1438:38
#4 0x5624b07a0f78 in handle_opt /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./autoopts.c:200:9
#5 0x5624b07be0e1 in load_opt_line /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./load.c:528:9
#6 0x5624b07b8a06 in handle_cfg /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./configfile.c
#7 0x5624b07b8a06 in file_preset /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./configfile.c:405:21
#8 0x5624b07c36a0 in optionLoadOpt /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/libopts/./configfile.c:1149:5
0x602000000032 is located 0 bytes after 2-byte region [0x602000000030,0x602000000032)
allocated by thread T0 here:
#0 0x5624b072222e in malloc (/workspace/benchmark/tmp/need-ana/fz-tcpprep/tcpprep+0x10722e)
#1 0x5624b0782ca1 in our_safe_strdup /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/utils.c:90:27
#2 0x5624b0762261 in doOptInclude /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpprep_opts.c:1435:15
```
## Proof of Concept
The vulnerability can be triggered by processing the malformed configuration file provided as `POC_tcpprep_heap_buffer_overflow_mask_cidr6_include_64`. This file contains specific include rules that cause the heap buffer overflow condition through the parse_xX_str line 64 path.
**POC Download**: [Google Drive Link - POC_tcpprep_heap_buffer_overflow_mask_cidr6_include_64](https://drive.google.com/file/d/1xunGCY8ieD7BjfU73ko0CE0CByGKLYTI/view?usp=sharing)
## Reproduction Steps
1. Compile tcpprep with AddressSanitizer enabled
2. Execute: `tcpprep --load-opts POC_tcpprep_heap_buffer_overflow_mask_cidr6_include_64`
3. The program will crash with a heap-buffer-overflow error
## Affected Versions
tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay)
**Credit**
- Xudong Cao (UCAS)
- Yuqing Zhang (UCAS, Zhongguancun Laboratory)

| Source | https://github.com/appneta/tcpreplay/issues/961 |
|---|---|
| User | nipc-cxd (UID 88335) |
| Submission | 07/27/2025 09:12 (11 months ago) |
| Moderation | 08/14/2025 07:51 (18 days later) |
| Status | Duplicate |
| VulDB entry | 320080 [tcpreplay 4.5.1 tcpprep cidr.c mask_cidr6 heap-based overflow] |
| Points | 0 |