| Title | tcpreplay tcprewrite tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay) Null Pointer Dereference |
|---|
| Description | # TCPREWRITE Null Pointer Dereference Vulnerability in Port Mapping Parameter Parsing
## Summary
A null pointer dereference exists in the tcprewrite utility from the tcpreplay package. It occurs in the port-mapping argument parsing reached from `parse_portmap` when a malformed `--portmap` specification is supplied: a NULL pointer is handed to `strtol`, which reads through it, and the process dies with SIGSEGV. Because the trigger is a command-line argument, the practical impact is a crash of a process whose arguments the invoking user already controls, i.e. a local denial of service rather than a memory-corruption primitive.
## Technical Details
- **Vulnerability Type**: Null pointer dereference (read of address 0)
- **Call chain**: `main` → `tcpedit_post_args` → `parse_portmap` → `ports2PORT` → `strtol`
- **Root Cause Location**: `src/tcpedit/portmap.c:112:23` (the `strtol` call in `ports2PORT`)
- **Fault Location**: glibc `stdlib/strtol_l.c:291:10` (`__GI_____strtol_l_internal`), where the NULL string pointer is first read; this is a libc file, not a tcpreplay source file
- **Signal**: SIGSEGV (11)
## Vulnerability Mechanism and Root Cause
The root cause is a missing NULL check in the port-mapping argument parsing pipeline. When the `--portmap` option receives a malformed specification, one of the tokens produced while splitting it is NULL, and that NULL is passed straight to a string-to-integer conversion function. The trigger `-43:4443` suggests that the leading `-` on the source side is what produces the missing token, since a well-formed `43:4443` does not crash.
The vulnerability sequence occurs as follows:
1. The `main` function calls `tcpedit_post_args` at `tcprewrite.c:84` to post-process the tcpedit command-line options
2. Control flows to `parse_portmap` via `parse_args.c:188` to process the `--portmap` value
3. `parse_portmap` calls `ports2PORT` at `portmap.c:191` to parse one port specification
4. Within `ports2PORT`, the code calls `strtol` at `portmap.c:112:23` with a pointer that is NULL because the expected token is missing
5. `strtol` reads through the NULL pointer at `strtol_l.c:291:10`
6. The read of address 0 raises SIGSEGV and the process terminates
This is a classic missing-NULL-check: the result of tokenising user input is handed to a standard-library function that requires a valid string pointer, without first checking that the token exists.
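The check that is missing above, shown as an added example that is not tcpreplay's own code: a defensive parser for a single `--portmap` specification of the form `<from>[-<from_end>]:<to>` (the single-port and range form tcprewrite accepts; the names `portmap_spec` and `parse_portmap_spec` are assumptions for illustration). Every token is checked for NULL, emptiness, trailing characters and range before it reaches `strtol`, so the issue's trigger `-43:4443` is rejected rather than dereferenced, and the caller's string is not mutated the way `strtok_r`-based parsing mutates it.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed form of one "<from>[-<from_end>]:<to>" mapping (hypothetical type). */
typedef struct {
    int from_begin;
    int from_end;
    int to;
} portmap_spec;

/*
 * Convert a single port token. Rejects NULL (the case that crashed in the
 * trace), empty strings, trailing garbage, overflow and values outside
 * 0..65535, so strtol() never sees anything but a valid C string.
 */
static bool parse_port(const char *tok, int *out)
{
    char *end;
    long v;

    if (tok == NULL || *tok == '\0')
        return false;
    errno = 0;
    v = strtol(tok, &end, 10);
    if (errno == ERANGE || end == tok || *end != '\0')
        return false;
    if (v < 0 || v > 65535)
        return false;
    *out = (int)v;
    return true;
}

/*
 * Parse one --portmap specification. Works on a private copy so the caller's
 * string is left intact. Returns true and fills *out on success, false on
 * any syntax error.
 */
bool parse_portmap_spec(const char *spec, portmap_spec *out)
{
    char buf[64];
    char *colon, *dash;

    if (spec == NULL || out == NULL || strlen(spec) >= sizeof buf)
        return false;
    strcpy(buf, spec);

    /* exactly one ':' separating the source side from the destination port */
    colon = strchr(buf, ':');
    if (colon == NULL || strchr(colon + 1, ':') != NULL)
        return false;
    *colon = '\0';
    if (!parse_port(colon + 1, &out->to))
        return false;

    /* source side: a single port, or an inclusive "low-high" range */
    dash = strchr(buf, '-');
    if (dash == NULL) {
        if (!parse_port(buf, &out->from_begin))
            return false;
        out->from_end = out->from_begin;
    } else {
        *dash = '\0';
        /* "-43" lands here with an empty low bound; parse_port rejects it
         * instead of letting a missing token reach strtol() */
        if (!parse_port(buf, &out->from_begin) || !parse_port(dash + 1, &out->from_end))
            return false;
        if (out->from_begin > out->from_end)
            return false;
    }
    return true;
}

int main(void)
{
    /* constructed inputs: valid mappings plus the issue's trigger and relatives */
    const char *inputs[] = { "80:8080", "8000-8010:443", "-43:4443", "43:-1",
                             "1:2:3", "abc:80", "70000:1" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        portmap_spec s;
        if (parse_portmap_spec(inputs[i], &s))
            printf("%-16s ok: %d-%d -> %d\n", inputs[i], s.from_begin, s.from_end, s.to);
        else
            printf("%-16s rejected\n", inputs[i]);
    }
    return 0;
}
```

The point of the structure is that `parse_port` is the only place `strtol` is called, and it refuses to run on anything that is not a non-empty, fully numeric, in-range string; the splitting code above it can then be as sloppy about missing pieces as it likes without that ever turning into a read of address 0.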
## AddressSanitizer Report
```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==399359==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff2edfd0580 bp 0x7fff00b07730 sp 0x7fff00b075e0 T0)
==399359==The signal is caused by a read memory access.
==399359==Hint: address points to the zero page.
#0 0x7ff2edfd0580 in __GI_____strtol_l_internal stdlib/../stdlib/strtol_l.c:291:10
#1 0x557d7b25f223 in strtol (/workspace/benchmark/fuzzdir/fz-tcpreplay/fz-tcprewrite/tcprewrite+0x10a223) (BuildId: 557d83638ad04334)
#2 0x557d7b2d6872 in ports2PORT /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/portmap.c:112:23
#3 0x557d7b2d5e66 in parse_portmap /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/portmap.c:191:39
#4 0x557d7b2c63eb in tcpedit_post_args /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/parse_args.c:188:22
#5 0x557d7b2b4e06 in main /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:84:13
#6 0x7ff2edfb2d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#7 0x7ff2edfb2e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#8 0x557d7b1da9e4 in _start (/workspace/benchmark/fuzzdir/fz-tcpreplay/fz-tcprewrite/tcprewrite+0x859e4) (BuildId: 557d83638ad04334)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV stdlib/../stdlib/strtol_l.c:291:10 in __GI_____strtol_l_internal
==399359==ABORTING
Aborted (core dumped)
```
## Proof of Concept
The crash is reproduced with the command below together with the capture file provided as `POC_tcprewrite_null_pointer_dereference_portmap_parsing`. Note that the stack trace places the fault inside `tcpedit_post_args`, called directly from `main`, before any packet is processed: it is the `--portmap` argument `-43:4443` that triggers it. A readable input capture is still needed on the command line because `-i` is mandatory for tcprewrite, but its packet contents play no part in the dereference.
**POC File**: [POC_tcprewrite_null_pointer_dereference_portmap_parsing](https://drive.google.com/file/d/1oVmsER6CXULLz_rnIyL410DJqO_hBtw_/view?usp=sharing)
## Reproduction Steps
1. Compile tcprewrite with AddressSanitizer enabled
2. Execute: `tcprewrite --portmap -43:4443 -i POC_tcprewrite_null_pointer_dereference_portmap_parsing -o /dev/null`
3. The program crashes with SIGSEGV on a read of address 0; with AddressSanitizer enabled, the report shown above is printed
## Affected Versions
tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay)
**Credit**
- Xudong Cao (UCAS)
- Yuqing Zhang (UCAS, Zhongguancun Laboratory) |
|---|
| Source | https://github.com/appneta/tcpreplay/issues/971 |
|---|
| User | HeureuxBuilding (UID 88810) |
|---|
| Submission | 08/07/2025 21:22 (8 months ago) |
|---|
| Moderation | 08/23/2025 17:03 (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 321217 [appneta tcpreplay up to 4.5.1 parse_args.c tcpedit_post_args null pointer dereference] |
|---|
| Points | 20 |
|---|