Submit #630494: tcpreplay tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay) floating-point exception

Title: tcpreplay tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay) floating-point exception
Description:

# TCPREPLAY Division by Zero Vulnerability in calc_sleep_time Function (MBPS Mode Line 1091)

## Summary

A critical division by zero vulnerability exists in the tcpreplay utility from the tcpreplay package. The vulnerability occurs in the `calc_sleep_time` function within `send_packets.c` at line 1091, and is triggered when processing malformed MBPS (Megabits Per Second) parameters. This leads to a floating-point exception and program termination.

## Technical Details

- **Vulnerability Type**: Floating-Point Exception
- **Affected Function**: `calc_sleep_time`
- **Source File**: `send_packets.c`
- **Line Number**: 1091:55
- **Signal**: SIGFPE (08)

## Vulnerability Mechanism and Root Cause

This floating-point exception is caused by insufficient input validation in the MBPS parameter processing logic. The root issue lies in the `calc_sleep_time` function, where a division is performed without checking whether the divisor evaluates to zero.

The vulnerability occurs when:

1. The program processes extremely small bandwidth rate values that result in division by zero.
2. This affects the bandwidth rate limiting calculations in the `calc_sleep_time` function.

The call chain leading to the crash is:

1. The `tcpreplay_replay` function initiates packet replay processing at `tcpreplay_api.c:1201`.
2. Control flows to `tcpr_replay_index` at `replay.c:54` for index-based replay.
3. The `replay_file` function at `replay.c:178` processes the packet stream.
4. The `send_packets` function at `send_packets.c:491` handles timing calculations.
5. The `calc_sleep_time` function at `send_packets.c:1091:55` encounters the division by zero condition.
6. A floating-point exception (SIGFPE) is raised, causing immediate program termination.

This is a classic division by zero condition: the program performs an arithmetic operation with a zero divisor during the bandwidth rate limiting calculation, resulting in an immediate crash with signal 08.

## AddressSanitizer Report

```
Warning: Unsupported physical layer type 0x0304 on lo. Maybe it works, maybe it won't. See tickets #123/318
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2602320==ERROR: AddressSanitizer: FPE on unknown address 0x55c851902fae (pc 0x55c851902fae bp 0x7ffe16d32830 sp 0x7ffe16d32780 T0)
    #0 0x55c851902fae in calc_sleep_time /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/send_packets.c:1091:55
    #1 0x55c8518ffa19 in send_packets /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/send_packets.c:491:13
    #2 0x55c85191475f in replay_file /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/replay.c:178:5
    #3 0x55c85191475f in tcpr_replay_index /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/replay.c:54:25
    #4 0x55c851910b47 in tcpreplay_replay /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpreplay_api.c:1201:26
    #5 0x55c85190bf0d in main /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpreplay.c:176:13
    #6 0x7f95dc255d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f95dc255e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x55c851822804 in _start (/workspace/benchmark/fuzzdir/fz-tcpreplay/fz-tcpreplay/tcpreplay+0x75804) (BuildId: 08ba4fa8b91e9730)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/send_packets.c:1091:55 in calc_sleep_time
==2602320==ABORTING
Aborted (core dumped)
```

## Proof of Concept

The vulnerability can be triggered by processing the malformed packet capture file provided as `POC_tcpreplay_calc_sleep_time_mbps_division_by_zero_1091`. This file contains specific packet data that, when combined with the malicious MBPS parameter, causes the division by zero condition.

**POC Download**: [Google Drive Link - POC_tcpreplay_calc_sleep_time_mbps_division_by_zero_1091](https://drive.google.com/file/d/1BajtFQpDZdCQzbi5Pqsk3t85T1Vyi6Bq/view?usp=sharing)

## Reproduction Steps

1. Compile tcpreplay with AddressSanitizer enabled.
2. Execute: `/workspace/benchmark/fuzzdir/fz-tcpreplay/fz-tcpreplay/tcpreplay -M 0.000001 -i lo POC_tcpreplay_calc_sleep_time_mbps_division_by_zero_1091`
3. The program will crash with a floating-point exception error.

## Affected Versions

tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay)

**Credit**

- Xudong Cao (UCAS)
- Yuqing Zhang (UCAS, Zhongguancun Laboratory)
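The report describes the defect class but not the code at `send_packets.c:1091`, so the following is an added illustration, not tcpreplay's own `calc_sleep_time`: a hypothetical rate limiter that converts a floating-point Mbps option into an integer bits-per-second divisor, the way such a conversion silently produces a zero divisor for very small rates, and the two checks that prevent it (rejecting a rate that truncates to zero at option-parsing time, and refusing a zero divisor at the division itself). All function names, the `NS_PER_SEC` constant and the sample rate `0.0000001` are constructed for this example.

```c
/* Added example (not tcpreplay code): zero divisors from float-to-integer
 * rate conversion, and the validation that keeps a bad -M value from
 * reaching a division. */
#include <errno.h>
#include <math.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NS_PER_SEC 1000000000ULL

/* Naive conversion: truncation turns any rate below one bit per second
 * into 0, which later becomes the divisor. */
uint64_t mbps_to_bps_unchecked(double mbps)
{
    return (uint64_t)(mbps * 1000000.0);
}

/* Hardened conversion: reject rates that are not finite, not positive,
 * would truncate to zero bits per second, or do not fit in uint64_t.
 * Returns 0 on success, -1 with errno set to EINVAL on rejection. */
int mbps_to_bps_checked(double mbps, uint64_t *bps_out)
{
    if (!isfinite(mbps) || !(mbps > 0.0)) {
        errno = EINVAL;
        return -1;
    }
    double bps = mbps * 1000000.0;
    if (bps < 1.0 || bps >= (double)UINT64_MAX) {   /* (double)UINT64_MAX == 2^64 */
        errno = EINVAL;
        return -1;
    }
    *bps_out = (uint64_t)bps;
    return 0;
}

/* Nanoseconds needed to pace `pktlen` bytes at `bps` bits per second.
 * `bits * NS_PER_SEC / bps` with bps == 0 is exactly the SIGFPE class in
 * the report (integer division by zero); this version refuses instead.
 * Returns 0 on success, -1 with errno = EDOM (zero divisor) or ERANGE. */
int calc_sleep_ns(uint32_t pktlen, uint64_t bps, uint64_t *ns_out)
{
    if (bps == 0) {
        errno = EDOM;
        return -1;
    }
    uint64_t bits = (uint64_t)pktlen * 8;
    if (bits > UINT64_MAX / NS_PER_SEC) {   /* avoid wrapping the numerator */
        errno = ERANGE;
        return -1;
    }
    *ns_out = bits * NS_PER_SEC / bps;
    return 0;
}

int main(void)
{
    uint64_t bps, ns;
    double rate = 0.0000001;   /* constructed: 0.1 bit/s, below one bit per second */

    printf("unchecked: %.7f Mbps -> %llu bps\n", rate,
           (unsigned long long)mbps_to_bps_unchecked(rate));
    if (mbps_to_bps_checked(rate, &bps) < 0)
        printf("checked: rejected %.7f Mbps (%s)\n", rate, strerror(errno));

    if (mbps_to_bps_checked(100.0, &bps) == 0 && calc_sleep_ns(1500, bps, &ns) == 0)
        printf("100 Mbps: a 1500-byte frame occupies %llu ns on the wire\n",
               (unsigned long long)ns);
    return 0;
}
```

The point for a fix is that both checks are needed: validating the option at parse time gives the user a clear error instead of a crash, and guarding the divisor in the sleep calculation protects every other path that can feed it a zero.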
Source: https://github.com/appneta/tcpreplay/issues/969
User: Anonymous User
Submission: 08/07/2025 21:16 (8 months ago)
Moderation: 08/29/2025 08:33 (21 days later)
Status: Duplicate
VulDB entry: 321855 [appneta tcpreplay 4.5.1 send_packets.c calc_sleep_time divide by zero]
Points: 0
