| Title | tcpreplay tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay) floating-point exception |
|---|
| Description | # TCPREPLAY Division by Zero Vulnerability in calc_sleep_time Function (PPS Mode Line 1125)
## Vulnerability Summary
A critical division by zero vulnerability exists in the tcpreplay utility from the tcpreplay package. The vulnerability occurs in the `calc_sleep_time` function within `send_packets.c` at line 1125, triggered when processing malformed PPS (Packets Per Second) parameters. This leads to a floating-point exception and program termination.
## Technical Details
- **Vulnerability Type**: Floating-Point Exception
- **Affected Function**: `calc_sleep_time`
- **Source File**: `send_packets.c`
- **Line Number**: 1125:67
- **Signal**: SIGFPE (08)
## Vulnerability Mechanism and Root Cause
This floating-point exception vulnerability is caused by insufficient input validation in the PPS parameter processing logic. The root issue lies in the `calc_sleep_time` function where a division operation is performed without checking if the divisor evaluates to zero.
The vulnerability occurs when:
1. The program processes extremely small packet rate values that result in division by zero
2. This affects the packet rate limiting calculations in the `calc_sleep_time` function
3. The `tcpreplay_replay` function initiates packet replay processing at `tcpreplay_api.c:1201`
4. Control flows to `tcpr_replay_index` at `replay.c:54` for index-based replay
5. The `replay_file` function at `replay.c:178` processes the packet stream
6. The `send_packets` function at `send_packets.c:491` handles timing calculations
7. The `calc_sleep_time` function at `send_packets.c:1125:67` encounters the division by zero condition
8. A floating-point exception (SIGFPE) is raised, causing immediate program termination
This creates a classic division by zero condition where the program attempts to perform arithmetic operations with a zero divisor during packet rate limiting calculations, resulting in an immediate crash with signal 8 (SIGFPE).
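To illustrate the defect class the report describes, the following is an added, hypothetical C model and not tcpreplay's own `calc_sleep_time` code: a floating-point rate such as `-0.000001` is truncated to an integer zero and then used as an integer divisor, shown beside a version that validates the rate before dividing (the function names and the `NSEC_PER_SEC / pps` formula are assumptions).

```c
#include <math.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a packets-per-second rate limiter, added to
 * illustrate the report. It is not tcpreplay's calc_sleep_time(); the
 * names and the NSEC_PER_SEC / pps formula are assumptions. */
#define NSEC_PER_SEC 1000000000ULL

/* The rate as an integer, the way a risky code path would see it:
 * -0.000001 truncates toward zero and becomes 0. */
long truncated_rate(double pps)
{
    return (long)pps;
}

/* Unchecked: an integer division by the truncated rate. A rate that
 * truncates to 0 raises SIGFPE (signal 8), the crash in the report. */
uint64_t sleep_ns_unchecked(double pps)
{
    long ipps = truncated_rate(pps);
    return NSEC_PER_SEC / (uint64_t)ipps;
}

/* Checked: reject non-finite, zero and negative rates before dividing,
 * and divide in floating point so fractional rates below 1 pps remain
 * usable instead of silently truncating to zero. Returns 0 on success. */
int sleep_ns_checked(double pps, uint64_t *out)
{
    if (!isfinite(pps) || pps <= 0.0)
        return -1;                        /* invalid rate: caller reports an error */
    double ns = (double)NSEC_PER_SEC / pps;
    if (ns >= 18446744073709551616.0)     /* 2^64: would overflow the counter */
        return -1;
    *out = (uint64_t)ns;
    return 0;
}

int main(void)
{
    uint64_t ns;
    printf("truncated_rate(-0.000001) = %ld\n", truncated_rate(-0.000001));
    printf("sleep_ns_checked(-0.000001) -> %d\n", sleep_ns_checked(-0.000001, &ns));
    if (sleep_ns_checked(1000.0, &ns) == 0)
        printf("1000 pps -> %llu ns between packets\n", (unsigned long long)ns);
    return 0;
}
```

The unchecked variant is never called with the bad rate here; calling `sleep_ns_unchecked(-0.000001)` would terminate the process with SIGFPE exactly as in the sanitizer report.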
## AddressSanitizer Report
```
Warning: Unsupported physical layer type 0x0304 on lo. Maybe it works, maybe it won't. See tickets #123/318
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2602280==ERROR: AddressSanitizer: FPE on unknown address 0x55e0cd440b4d (pc 0x55e0cd440b4d bp 0x7ffe2a3b90b0 sp 0x7ffe2a3b9000 T0)
#0 0x55e0cd440b4d in calc_sleep_time /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/send_packets.c:1125:67
#1 0x55e0cd43da19 in send_packets /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/send_packets.c:491:13
#2 0x55e0cd45275f in replay_file /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/replay.c:178:5
#3 0x55e0cd45275f in tcpr_replay_index /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/replay.c:54:25
#4 0x55e0cd44eb47 in tcpreplay_replay /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpreplay_api.c:1201:26
#5 0x55e0cd449f0d in main /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpreplay.c:176:13
#6 0x7f1942acfd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#7 0x7f1942acfe3f in __libc_start_main csu/../csu/libc-start.c:392:3
#8 0x55e0cd360804 in _start (/workspace/benchmark/fuzzdir/fz-tcpreplay/fz-tcpreplay/tcpreplay+0x75804) (BuildId: 08ba4fa8b91e9730)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/send_packets.c:1125:67 in calc_sleep_time
==2602280==ABORTING
Aborted (core dumped)
```
## Proof of Concept
The vulnerability can be triggered by processing the malformed packet capture file provided as `POC_tcpreplay_calc_sleep_time_pps_division_by_zero_1125`. This file contains specific packet data that, when combined with the malicious PPS parameter, causes the division by zero condition.
**POC Download**: [Google Drive Link - POC_tcpreplay_calc_sleep_time_pps_division_by_zero_1125](https://drive.google.com/file/d/16QQtZvUrMbF-i_1cGt5hNWmkn-YVyBOM/view?usp=sharing)
## Reproduction Steps
1. Compile tcpreplay with AddressSanitizer enabled
2. Execute: `/workspace/benchmark/fuzzdir/fz-tcpreplay/fz-tcpreplay/tcpreplay -p -0.000001 -i lo POC_tcpreplay_calc_sleep_time_pps_division_by_zero_1125`
3. The program will crash with a floating-point exception error
## Affected Versions
tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay)
**Credit**
- Xudong Cao (UCAS)
- Yuqing Zhang (UCAS, Zhongguancun Laboratory) |
|---|
| Source | https://github.com/appneta/tcpreplay/issues/968 |
|---|
| User | Anonymous User |
|---|
| Submission | 08/07/2025 21:15 |
|---|
| Moderation | 08/29/2025 08:32 (21 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 321855 [appneta tcpreplay 4.5.1 send_packets.c calc_sleep_time divide by zero] |
|---|
| Points | 20 |
|---|