| Title | tcpreplay tcprewrite (master commit 6fcbf03, https://github.com/appneta/tcpreplay) Use-After-Free |
|---|
| Description | # TCPREWRITE IPv4 Checksums Use-After-Free Vulnerability in fix_ipv4_checksums Function
## Summary
A heap use-after-free exists in the tcprewrite utility from the tcpreplay package. It occurs in the `fix_ipv4_checksums` function in `edit_packet.c` at line 69, which reads IPv4 header data through a pointer into a packet buffer that `untrunc_packet` has already handed to `realloc`. Under AddressSanitizer the one-byte read of freed memory is reported as a heap-use-after-free and the process aborts with SIGABRT; without a sanitizer the read is undefined behaviour and may go unnoticed or yield a checksum computed over stale memory. The report demonstrates a crash, not anything beyond it.
## Technical Details
- **Vulnerability Type**: Heap Use-After-Free (READ of size 1)
- **Affected Function**: `fix_ipv4_checksums`
- **Source File**: `edit_packet.c`
- **Location**: `edit_packet.c:69:17` (line:column, as reported by AddressSanitizer)
- **Signal**: SIGABRT (6), raised by AddressSanitizer on detection
## Vulnerability Mechanism and Root Cause
The bug is a stale pointer. `tcpedit_packet` calls `untrunc_packet`, which resizes the packet buffer with `realloc`, and then calls `fix_ipv4_checksums`, which still reads the IPv4 header through the pointer that was valid before the resize. When `realloc` moves the block, that pointer refers to freed memory.
The sequence, as read from the two stack traces in the sanitizer report:
1. `rewrite_packets` (`tcprewrite.c:296`) calls `tcpedit_packet` on a packet buffer allocated with `our_safe_malloc` at `tcprewrite.c:259`.
2. `tcpedit_packet` calls `untrunc_packet` at `tcpedit.c:262`; because `--fixlen pad` is set, `untrunc_packet` (`edit_packet.c:562`) calls `our_safe_realloc` (`utils.c:66`) to grow the buffer.
3. `realloc` returns a new block and frees the original 262166-byte region; every pointer derived from the old buffer is now dangling.
4. `tcpedit_packet` goes on to call `fix_ipv4_checksums` at `tcpedit.c:339`, which at `edit_packet.c:69:17` reads one byte at offset 14 of the freed region through the old pointer. Offset 14 is consistent with the first byte of the IPv4 header behind a 14-byte Ethernet header.
5. AddressSanitizer reports the one-byte READ as a heap-use-after-free and aborts the process.
The faulting path is the IPv4 checksum recalculation performed during packet editing; it is reached here because `--fixlen pad` makes `untrunc_packet` resize the buffer before the checksum pass runs.
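The pattern behind steps 2 to 4, as an added example that is not tcpreplay's code: a hypothetical `pkt_t` buffer, an `untrunc_pad` that models what `untrunc_packet` does under `--fixlen pad`, the stale-pointer shape of the bug next to a hardened shape that re-derives the header pointer after the resize, and a constructed 34-byte Ethernet/IPv4 frame whose header claims 40 bytes of IP length so the padding path is taken. The names, the sample frame and the checksum helper are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETH_HLEN 14 /* Ethernet II header: dst(6) + src(6) + type(2) */

/* Hypothetical packet buffer standing in for tcprewrite's (pktdata, pktlen)
 * pair. Not tcpreplay's own type. */
typedef struct {
    uint8_t *data;
    size_t   len;   /* bytes currently in the buffer */
} pkt_t;

/* RFC 1071 one's-complement checksum over an even number of bytes. */
static uint16_t ip_checksum(const uint8_t *hdr, size_t nbytes) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < nbytes; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Model of untrunc_packet with --fixlen pad: grow the buffer to the length
 * claimed by IPv4 total_length and zero-fill the tail. realloc() may move
 * the block (under ASan it always does), which is the hazard in the report. */
static int untrunc_pad(pkt_t *p) {
    if (p->len < ETH_HLEN + 20) return -1;
    size_t want = ETH_HLEN +
        (((size_t)p->data[ETH_HLEN + 2] << 8) | p->data[ETH_HLEN + 3]);
    if (want <= p->len) return 0;          /* nothing to pad */
    uint8_t *n = realloc(p->data, want);   /* old p->data is invalid from here */
    if (!n) return -1;
    memset(n + p->len, 0, want - p->len);
    p->data = n;
    p->len  = want;
    return 0;
}

/* Vulnerable shape: the header pointer is derived before the call that may
 * realloc the buffer and used afterwards. Shown only; never called below.
 * Built with -fsanitize=address this is the same READ-of-size-1
 * heap-use-after-free the report shows. */
static void fix_ipv4_checksum_stale(pkt_t *p) {
    uint8_t *ip = p->data + ETH_HLEN;      /* derived BEFORE the resize */
    untrunc_pad(p);                        /* may free the block ip points into */
    size_t ihl = (ip[0] & 0x0F) * 4;       /* one-byte read through a stale pointer */
    ip[10] = ip[11] = 0;
    uint16_t c = ip_checksum(ip, ihl);
    ip[10] = (uint8_t)(c >> 8); ip[11] = (uint8_t)(c & 0xFF);
}

/* Hardened shape: re-derive every pointer from p->data after any call that
 * can resize the buffer. Returns the checksum written, or 0 on error. */
static uint16_t fix_ipv4_checksum_safe(pkt_t *p) {
    if (untrunc_pad(p) != 0) return 0;
    uint8_t *ip = p->data + ETH_HLEN;      /* derived AFTER the resize */
    if ((ip[0] >> 4) != 4) return 0;
    size_t ihl = (ip[0] & 0x0F) * 4;
    if (ihl < 20 || ETH_HLEN + ihl > p->len) return 0;
    ip[10] = ip[11] = 0;
    uint16_t c = ip_checksum(ip, ihl);
    ip[10] = (uint8_t)(c >> 8);
    ip[11] = (uint8_t)(c & 0xFF);
    return c;
}

/* A stored checksum is correct when the sum over the header folds to zero. */
static int ipv4_header_ok(const pkt_t *p) {
    const uint8_t *ip = p->data + ETH_HLEN;
    size_t ihl = (ip[0] & 0x0F) * 4;
    return ip_checksum(ip, ihl) == 0;
}

/* Constructed sample: 14-byte Ethernet + 20-byte IPv4 header with
 * total_length 40, but only the 34 header bytes captured (20 bytes missing). */
static int build_truncated_sample(pkt_t *p) {
    static const uint8_t frame[34] = {
        0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02, 0x08,0x00,
        /* ver/ihl 0x45, tos 0, len 40, id 1, flags/frag 0, ttl 64, proto 6,
           checksum 0, 192.168.1.2 -> 192.168.1.3 */
        0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
        0xc0,0xa8,0x01,0x02, 0xc0,0xa8,0x01,0x03
    };
    p->data = malloc(sizeof frame);
    if (!p->data) return -1;
    memcpy(p->data, frame, sizeof frame);
    p->len = sizeof frame;
    return 0;
}

int main(void) {
    pkt_t p;
    (void)fix_ipv4_checksum_stale;         /* shown for contrast, deliberately not run */
    if (build_truncated_sample(&p) != 0) return 1;
    uint16_t c = fix_ipv4_checksum_safe(&p);
    printf("padded to %zu bytes, header checksum 0x%04x, verify %s\n",
           p.len, c, ipv4_header_ok(&p) ? "ok" : "BAD");
    free(p.data);
    return 0;
}
```

Swapping the call in `main` to `fix_ipv4_checksum_stale` and building with `-fsanitize=address` reproduces the same class of report, a READ through a pointer computed before `realloc`. The rule the safe variant follows is the general one for this bug class: after any call that may resize a heap buffer, recompute every pointer into it from the updated base rather than reusing copies made earlier.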
## AddressSanitizer Report
```
=================================================================
==398647==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fb30afb080e at pc 0x558304353d9f bp 0x7ffda9e877d0 sp 0x7ffda9e877c8
READ of size 1 at 0x7fb30afb080e thread T0
#0 0x558304353d9e in fix_ipv4_checksums /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/edit_packet.c:69:17
#1 0x558304353d9e in tcpedit_packet /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/tcpedit.c:339:22
#2 0x5583043478d5 in rewrite_packets /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:296:22
#3 0x5583043461ce in main /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:137:9
#4 0x7fb30b9c3d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#5 0x7fb30b9c3e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#6 0x55830426b9e4 in _start (/workspace/benchmark/fuzzdir/fz-tcpreplay/fz-tcprewrite/tcprewrite+0x859e4) (BuildId: 557d83638ad04334)
0x7fb30afb080e is located 14 bytes inside of 262166-byte region [0x7fb30afb0800,0x7fb30aff0816)
freed by thread T0 here:
#0 0x558304305c35 in realloc (/workspace/benchmark/fuzzdir/fz-tcpreplay/fz-tcprewrite/tcprewrite+0x11fc35) (BuildId: 557d83638ad04334)
#1 0x55830434d579 in our_safe_realloc /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/utils.c:66:16
#2 0x55830434d579 in untrunc_packet /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/edit_packet.c:562:22
#3 0x55830434d579 in tcpedit_packet /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/tcpedit.c:262:23
#4 0x5583043478d5 in rewrite_packets /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:296:22
#5 0x5583043461ce in main /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:137:9
#6 0x7fb30b9c3d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
previously allocated by thread T0 here:
#0 0x55830430580e in malloc (/workspace/benchmark/fuzzdir/fz-tcpreplay/fz-tcprewrite/tcprewrite+0x11f80e) (BuildId: 557d83638ad04334)
#1 0x55830434754f in our_safe_malloc /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/utils.c:42:16
#2 0x55830434754f in rewrite_packets /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:259:34
#3 0x5583043461ce in main /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:137:9
#4 0x7fb30b9c3d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-use-after-free /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/edit_packet.c:69:17 in fix_ipv4_checksums
==398647==ABORTING
Aborted (core dumped)
```
## Proof of Concept
The vulnerability can be triggered by processing the packet capture file provided as `POC_tcprewrite_ipv4_checksums_use_after_free_69` with `--fixlen pad`. That option makes `untrunc_packet` resize any packet whose captured data is shorter than the length its IP header declares, which is the `realloc` seen in the report; the IPv4 checksum pass that follows then reads through the pre-resize pointer.
**POC File**: [POC_tcprewrite_ipv4_checksums_use_after_free_69](https://drive.google.com/file/d/1_aONM_TOF96JbnYviPyZhVk-7HObtX8H/view?usp=sharing)
## Reproduction Steps
1. Build tcprewrite at commit 6fcbf03 with AddressSanitizer, for example `./autogen.sh && ./configure CFLAGS="-fsanitize=address -g -O1" LDFLAGS="-fsanitize=address" && make`
2. Execute: `tcprewrite --fixlen pad -i POC_tcprewrite_ipv4_checksums_use_after_free_69 -o /dev/null`
3. AddressSanitizer reports `heap-use-after-free ... edit_packet.c:69:17 in fix_ipv4_checksums` and the process aborts; `--fixlen pad` is the option that sends the packet through the `untrunc_packet` resize shown in the report
## Affected Versions
tcpreplay at master commit 6fcbf03 (tree dated 13 July 2024 in the report's build path), https://github.com/appneta/tcpreplay
**Credit**
- Xudong Cao (UCAS)
- Yuqing Zhang (UCAS, Zhongguancun Laboratory) |
|---|
| Source | https://github.com/appneta/tcpreplay/issues/970 |
|---|
| User | HeureuxBuilding (UID 88810) |
|---|
| Submission | 08/07/2025 21:21 (8 months ago) |
|---|
| Moderation | 08/19/2025 11:26 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 320537 [appneta tcpreplay up to 4.5.2-beta2 tcprewrite edit_packet.c untrunc_packet use after free] |
|---|
| Points | 20 |
|---|