Submit #630497: tcpreplay tcprewrite tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay) Use-After-Free

Title: tcpreplay tcprewrite tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay) Use-After-Free

Description:

# TCPREWRITE IPv6 Checksums Use-After-Free Vulnerability in fix_ipv6_checksums Function

## Summary

A critical use-after-free vulnerability exists in the tcprewrite utility from the tcpreplay package. The vulnerability occurs in the `fix_ipv6_checksums` function within `edit_packet.c` at line 155, triggered when processing IPv6 packet data after memory reallocation. This vulnerability affects IPv6 packet checksum recalculation and leads to heap use-after-free memory access, causing program termination with SIGABRT.

## Technical Details

- **Vulnerability Type**: Heap Use-After-Free
- **Affected Function**: `fix_ipv6_checksums`
- **Source File**: `edit_packet.c`
- **Line Number**: 155:17
- **Signal**: SIGABRT (06)

## Vulnerability Mechanism and Root Cause

This use-after-free vulnerability is specific to IPv6 checksum calculation during packet editing operations. It occurs when the `fix_ipv6_checksums` function accesses packet memory that has already been reallocated by the `untrunc_packet` function: the caller keeps using the original, now-freed memory pointer for IPv6 header processing.

The vulnerability sequence is as follows:

1. The `tcpedit_packet` function initiates packet editing at `tcpedit.c:342`
2. During packet processing, `untrunc_packet` is called at `edit_packet.c:562`, which uses `realloc` to resize the packet buffer
3. The `realloc` operation moves the packet data to a new memory location and frees the original buffer
4. The `fix_ipv6_checksums` function at `edit_packet.c:155:17` continues to use the old pointer to access IPv6 header data
5. This results in a READ operation on freed memory, triggering AddressSanitizer detection
6. The program terminates with a heap use-after-free error

This vulnerability specifically affects IPv6 packet processing where checksum recalculation is required during packet modification operations, distinguishing it from the similar IPv4 vulnerability by its different call chain and IPv6-specific processing logic.

## AddressSanitizer Report

```
Warning: parse_mpls:suspect Generic Associated Channel Header
=================================================================
==398934==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f8921d6880e at pc 0x558e43f05c68 bp 0x7fff8804cb70 sp 0x7fff8804cb68
READ of size 1 at 0x7f8921d6880e thread T0
    #0 0x558e43f05c67 in fix_ipv6_checksums /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/edit_packet.c:155:17
    #1 0x558e43efb4ee in tcpedit_packet /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/tcpedit.c:342:22
    #2 0x558e43ef28d5 in rewrite_packets /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:296:22
    #3 0x558e43ef11ce in main /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:137:9
    #4 0x7f8922677d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7f8922677e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #6 0x558e43e169e4 in _start (/workspace/benchmark/fuzzdir/fz-tcpreplay/fz-tcprewrite/tcprewrite+0x859e4) (BuildId: 557d83638ad04334)

0x7f8921d6880e is located 14 bytes inside of 262166-byte region [0x7f8921d68800,0x7f8921da8816)
freed by thread T0 here:
    #0 0x558e43eb0c35 in realloc (/workspace/benchmark/fuzzdir/fz-tcpreplay/fz-tcprewrite/tcprewrite+0x11fc35) (BuildId: 557d83638ad04334)
    #1 0x558e43ef8579 in our_safe_realloc /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/utils.c:66:16
    #2 0x558e43ef8579 in untrunc_packet /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/edit_packet.c:562:22
    #3 0x558e43ef8579 in tcpedit_packet /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/tcpedit.c:262:23
    #4 0x558e43ef28d5 in rewrite_packets /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:296:22
    #5 0x558e43ef11ce in main /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:137:9
    #6 0x7f8922677d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x558e43eb080e in malloc (/workspace/benchmark/fuzzdir/fz-tcpreplay/fz-tcprewrite/tcprewrite+0x11f80e) (BuildId: 557d83638ad04334)
    #1 0x558e43ef254f in our_safe_malloc /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/utils.c:42:16
    #2 0x558e43ef254f in rewrite_packets /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:259:34
    #3 0x558e43ef11ce in main /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:137:9
    #4 0x7f8922677d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/edit_packet.c:155:17 in fix_ipv6_checksums
==398934==ABORTING
Aborted (core dumped)
```

## Proof of Concept

The vulnerability can be triggered by processing the malformed packet capture file provided as `POC_tcprewrite_ipv6_checksums_use_after_free_155`. This file contains specific IPv6 packet structures with MPLS encapsulation that trigger the IPv6 checksum recalculation path after memory reallocation, leading to the use-after-free condition.

**POC File**: [POC_tcprewrite_ipv6_checksums_use_after_free_155](https://drive.google.com/file/d/1BQZF558bRHv07wtlCoZgtqTlEpHgfytp/view?usp=sharing)

## Reproduction Steps

1. Compile tcprewrite with AddressSanitizer enabled
2. Execute: `tcprewrite --fixlen pad -i POC_tcprewrite_ipv6_checksums_use_after_free_155 -o /dev/null`
3. The program will crash with a heap use-after-free error in the IPv6 checksum function

## Affected Versions

tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay)

**Credit**

- Xudong Cao (UCAS)
- Yuqing Zhang (UCAS, Zhongguancun Laboratory)
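The realloc-moves-the-buffer hazard described above, and the defensive pattern that avoids it, as an added illustration that is not tcpreplay's own code: the `pkt_t` struct, `untrunc_pad` and `fix_ipv6_len_safe` are hypothetical stand-ins for the report's `untrunc_packet` / `fix_ipv6_checksums` pair. Only an integer offset is carried across the call that may reallocate; the IPv6 header pointer is re-derived from the current buffer afterwards instead of being cached before it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative packet buffer (an assumption, not tcpreplay's own struct). */
typedef struct {
    uint8_t *data;   /* heap buffer holding the frame */
    size_t   len;    /* bytes currently in the buffer */
    size_t   l2len;  /* link-layer header length; IPv6 header starts here */
} pkt_t;
#define IPV6_HDR_LEN 40

/* Pad a truncated frame up to wanted_len (what --fixlen pad does).
 * realloc() may move the buffer, so any pointer into the old buffer
 * that a caller still holds becomes dangling after this returns. */
int untrunc_pad(pkt_t *p, size_t wanted_len) {
    if (wanted_len <= p->len) return 0;            /* nothing to pad */
    uint8_t *n = realloc(p->data, wanted_len);
    if (n == NULL) return -1;
    memset(n + p->len, 0, wanted_len - p->len);    /* zero-fill the padding */
    p->data = n;                                   /* publish the new address */
    p->len  = wanted_len;
    return 0;
}

/* Rewrite the IPv6 payload-length field using the CURRENT buffer.
 * Only the integer offset p->l2len survives the reallocating call;
 * the header pointer is re-derived afterwards instead of cached before. */
int fix_ipv6_len_safe(pkt_t *p, size_t wanted_len) {
    if (untrunc_pad(p, wanted_len) != 0) return -1;
    if (p->len < p->l2len + IPV6_HDR_LEN) return -1; /* no room for a header */
    uint8_t *ip6 = p->data + p->l2len;               /* fresh, not stale */
    uint16_t plen = (uint16_t)(p->len - p->l2len - IPV6_HDR_LEN);
    ip6[4] = (uint8_t)(plen >> 8);                   /* payload length, big-endian */
    ip6[5] = (uint8_t)(plen & 0xff);
    return 0;
}

/* Constructed sample: a 20-byte Ethernet+IPv6 frame cut off mid-header. */
pkt_t make_truncated_frame(void) {
    pkt_t p = { .data = malloc(20), .len = 20, .l2len = 14 };
    memset(p.data, 0, 20);
    p.data[12] = 0x86; p.data[13] = 0xdd;            /* EtherType IPv6 */
    p.data[14] = 0x60;                               /* IP version 6 */
    return p;
}

/* Read the payload-length field back from the current buffer. */
uint16_t ipv6_payload_len(const pkt_t *p) {
    return (uint16_t)((p->data[p->l2len + 4] << 8) | p->data[p->l2len + 5]);
}
```

Running this under AddressSanitizer stays clean because no pointer taken before `untrunc_pad` is dereferenced after it; the stale-pointer variant the report describes is exactly what the sanitizer flags at `edit_packet.c:155`.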
Source: https://github.com/appneta/tcpreplay/issues/972
User: HeureuxBuilding (UID 88810)
Submission: 08/07/2025 21:22 (8 months ago)
Moderation: 08/23/2025 17:07 (16 days later)
Status: Accepted
VulDB entry: 321218 [appneta tcpreplay up to 4.5.1 tcprewrite edit_packet.c fix_ipv6_checksums use after free]
Points: 20
