Submit #630498: tcpreplay tcprewrite tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay) Use-After-Free

Title: tcpreplay tcprewrite tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay) Use-After-Free
Description:

# TCPREWRITE Protocol Length Use-After-Free Vulnerability in get_l2len_protocol Function

## Summary

A heap use-after-free exists in the tcprewrite utility from the tcpreplay package. The freed memory is read in the `get_l2len_protocol` function in `src/common/get.c` at line 360, when Layer 2 protocol information is parsed from a packet buffer that `untrunc_packet` has already reallocated earlier in the same editing pass. The read feeds the Layer 2 header length calculation. Under AddressSanitizer the access is detected and the process is terminated with SIGABRT.

## Technical Details

- **Vulnerability Type**: Heap Use-After-Free
- **Access**: READ of size 2, 12 bytes into the freed region
- **Affected Function**: `get_l2len_protocol`
- **Source File**: `src/common/get.c`
- **Line Number**: 360:22
- **Signal**: SIGABRT (06)

## Vulnerability Mechanism and Root Cause

The packet buffer is reallocated by `untrunc_packet` while the editing code in `tcpedit_packet` still holds a pointer to the original block; that stale pointer is then handed down the DLT plugin chain and dereferenced in `get_l2len_protocol`. The two stacks in the AddressSanitizer report give the order of events:

1. `rewrite_packets` allocates the packet buffer with `our_safe_malloc` (`tcprewrite.c:259`) and calls `tcpedit_packet` for each packet (`tcprewrite.c:296`).
2. With `--fixlen pad`, `tcpedit_packet` calls `untrunc_packet` (`tcpedit.c:262`) to grow the packet to its claimed on-wire length.
3. `untrunc_packet` resizes the buffer with `realloc` (`edit_packet.c:562`, through `our_safe_realloc` at `utils.c:66`). The original 262166-byte region is freed and the data now lives in a new block; any copy of the old pointer is dangling from this point on.
4. Later in the same `tcpedit_packet` invocation, `tcpedit_dlt_merge_l3data` is called (`tcpedit.c:354`), which reaches `dlt_en10mb_merge_layer3` (`en10mb.c:815`), `dlt_en10mb_l2len` (`en10mb.c:890`), `get_l2len` (`get.c:462`) and finally `get_l2len_protocol` (`get.c:360`).
5. The pointer that arrives in `get_l2len_protocol` still refers to the original, freed region. The function reads 2 bytes at offset 12 of that region (`0x7f239863f80c` inside `[0x7f239863f800, ...)`), which is consistent with the EtherType field of an Ethernet header.
6. AddressSanitizer reports the read as heap-use-after-free and aborts the process.

Because the freeing `realloc` (`tcpedit.c:262`) and the stale read (`tcpedit.c:354`) are both reached from `tcpedit_packet`, the pre-realloc pointer is retained somewhere between those two call sites; `get_l2len_protocol` itself only parses the header it is given. Without AddressSanitizer the read returns whatever the allocator has left in or reassigned to the freed block, so the observable symptom may be a wrong Layer 2 length rather than a crash.

This report covers protocol parsing during DLT (Data Link Type) plugin processing. Its execution path differs from the checksum-related use-after-free reports against tcprewrite, which reach the freed buffer through checksum recalculation rather than through the DLT plugin chain.

## AddressSanitizer Report

```
=================================================================
==398954==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f239863f80c at pc 0x5612fa3b3290 bp 0x7ffd092dff70 sp 0x7ffd092dff68
READ of size 2 at 0x7f239863f80c thread T0
    #0 0x5612fa3b328f in get_l2len_protocol /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/get.c:360:22
    #1 0x5612fa3b385c in get_l2len /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/get.c:462:15
    #2 0x5612fa394eb7 in dlt_en10mb_l2len /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/plugins/dlt_en10mb/en10mb.c:890:13
    #3 0x5612fa395206 in dlt_en10mb_merge_layer3 /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/plugins/dlt_en10mb/en10mb.c:815:13
    #4 0x5612fa368a76 in tcpedit_dlt_merge_l3data /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/plugins/dlt_plugins.c:395:11
    #5 0x5612fa368a76 in tcpedit_packet /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/tcpedit.c:354:5
    #6 0x5612fa35f8d5 in rewrite_packets /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:296:22
    #7 0x5612fa35e1ce in main /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:137:9
    #8 0x7f2398f4ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7f2398f4ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #10 0x5612fa2839e4 in _start (/workspace/benchmark/fuzzdir/fz-tcpreplay/fz-tcprewrite/tcprewrite+0x859e4) (BuildId: 557d83638ad04334)

0x7f239863f80c is located 12 bytes inside of 262166-byte region [0x7f239863f800,0x7f239867f816)
freed by thread T0 here:
    #0 0x5612fa31dc35 in realloc (/workspace/benchmark/fuzzdir/fz-tcpreplay/fz-tcprewrite/tcprewrite+0x11fc35) (BuildId: 557d83638ad04334)
    #1 0x5612fa365579 in our_safe_realloc /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/utils.c:66:16
    #2 0x5612fa365579 in untrunc_packet /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/edit_packet.c:562:22
    #3 0x5612fa365579 in tcpedit_packet /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpedit/tcpedit.c:262:23
    #4 0x5612fa35f8d5 in rewrite_packets /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:296:22
    #5 0x5612fa35e1ce in main /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:137:9
    #6 0x7f2398f4ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x5612fa31d80e in malloc (/workspace/benchmark/fuzzdir/fz-tcpreplay/fz-tcprewrite/tcprewrite+0x11f80e) (BuildId: 557d83638ad04334)
    #1 0x5612fa35f54f in our_safe_malloc /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/utils.c:42:16
    #2 0x5612fa35f54f in rewrite_packets /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:259:34
    #3 0x5612fa35e1ce in main /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcprewrite.c:137:9
    #4 0x7f2398f4ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/get.c:360:22 in get_l2len_protocol
==398954==ABORTING
Aborted (core dumped)
```

## Proof of Concept

The vulnerability is triggered by processing the malformed packet capture file `POC_tcprewrite_protocol_length_use_after_free_360`. The capture contains a packet whose recorded length is shorter than its claimed on-wire length, so `--fixlen pad` makes `untrunc_packet` reallocate the buffer before the DLT plugin chain reads the Layer 2 header, which produces the use-after-free described above.

**POC File**: [POC_tcprewrite_protocol_length_use_after_free_360](https://drive.google.com/file/d/1DcQWaTmj1HSbRidOCWwe9vtgHsBnFuX7/view?usp=sharing)

## Reproduction Steps

1. Compile tcprewrite with AddressSanitizer enabled (for example with `-fsanitize=address -g` in `CFLAGS` and `LDFLAGS`).
2. Execute: `tcprewrite --fixlen pad -i POC_tcprewrite_protocol_length_use_after_free_360 -o /dev/null`
3. The program aborts with a heap-use-after-free report pointing at `get_l2len_protocol` (`get.c:360`).

## Affected Versions

tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay)

**Credit**

- Xudong Cao (UCAS)
- Yuqing Zhang (UCAS, Zhongguancun Laboratory)
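The realloc-then-stale-pointer pattern described in the report, as an added example that is not tcpreplay's code and does not reproduce its exact control flow. A constructed Ethernet/IPv4 frame is grown to a claimed on-wire length through a `uint8_t **` parameter, the way a pad-style fixlen step would grow a truncated packet. `edit_vulnerable` keeps using a pointer copied before the `realloc`, which is the bug class reported here; `edit_fixed` re-reads the pointer after the call. The names `pad_packet`, `ethertype`, `edit_vulnerable`, `edit_fixed`, `run_fixed` and the frame bytes are assumptions of this example, not identifiers from tcpreplay.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed model of the bug class in this report (not tcpreplay's code):
 * a packet buffer is grown with realloc() through a uint8_t ** parameter,
 * but the caller keeps a copy of the old pointer and uses it afterwards.
 */

/* Constructed Ethernet/IPv4 frame: 14-byte Ethernet header plus the start
 * of an IPv4 header. Its recorded length is shorter than WIRE_LEN. */
static const uint8_t SAMPLE_FRAME[] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* dst MAC */
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,   /* src MAC */
    0x08, 0x00,                           /* EtherType: IPv4 */
    0x45, 0x00, 0x00, 0x14                /* first bytes of an IPv4 header */
};
#define SAMPLE_LEN  sizeof(SAMPLE_FRAME)
#define WIRE_LEN    (1024u * 1024u)       /* claimed on-wire length: forces a large regrow */

/* Grow *pktdata to newlen and zero-pad the tail, as a pad-style fixlen step
 * would. realloc() may free the old block; after this call the only valid
 * pointer is the one written back through pktdata. Returns the new length. */
static size_t pad_packet(uint8_t **pktdata, size_t oldlen, size_t newlen)
{
    if (newlen <= oldlen)
        return oldlen;
    uint8_t *p = realloc(*pktdata, newlen);
    if (p == NULL) {
        perror("realloc");
        exit(EXIT_FAILURE);
    }
    memset(p + oldlen, 0, newlen - oldlen);
    *pktdata = p;
    return newlen;
}

/* Layer 2 parse standing in for the first read in the report: the 2-byte
 * EtherType at offset 12 of the Ethernet header. Returns 0 if too short. */
static uint16_t ethertype(const uint8_t *frame, size_t len)
{
    if (len < 14)
        return 0;
    return (uint16_t)((frame[12] << 8) | frame[13]);
}

/* Vulnerable shape: `packet` is captured before the realloc and used after it.
 * Built with -fsanitize=address this yields a heap-use-after-free READ of
 * size 2 at offset 12 whenever realloc() moves the block. */
static uint16_t edit_vulnerable(uint8_t **pktdata, size_t *len, size_t wire_len)
{
    uint8_t *packet = *pktdata;            /* stale once pad_packet reallocates */
    *len = pad_packet(pktdata, *len, wire_len);
    return ethertype(packet, *len);        /* reads the freed region */
}

/* Fixed shape: never cache the buffer across a call that may realloc it;
 * derive the pointer from *pktdata after the call. */
static uint16_t edit_fixed(uint8_t **pktdata, size_t *len, size_t wire_len)
{
    *len = pad_packet(pktdata, *len, wire_len);
    return ethertype(*pktdata, *len);      /* always the live buffer */
}

/* Runs the fixed path on the sample frame. Reports the parsed EtherType, the
 * padded length, and whether realloc() actually moved the block (compared as
 * integers so no dangling pointer is dereferenced or compared). */
static uint16_t run_fixed(size_t *out_len, int *moved)
{
    uint8_t *buf = malloc(SAMPLE_LEN);
    if (buf == NULL)
        exit(EXIT_FAILURE);
    memcpy(buf, SAMPLE_FRAME, SAMPLE_LEN);
    uintptr_t before = (uintptr_t)buf;
    size_t len = SAMPLE_LEN;
    uint16_t et = edit_fixed(&buf, &len, WIRE_LEN);
    *moved = ((uintptr_t)buf != before);
    *out_len = len;
    free(buf);
    return et;
}

int main(void)
{
    size_t len;
    int moved;
    uint16_t et = run_fixed(&len, &moved);
    printf("fixed path: ethertype=0x%04x len=%zu realloc moved block: %s\n",
           et, len, moved ? "yes" : "no");
    /* edit_vulnerable() is deliberately not called here; run it under ASan
       to see the same report class as the advisory. */
    (void)edit_vulnerable;
    return 0;
}
```

Compile with `cc -fsanitize=address -g` and swap `edit_fixed` for `edit_vulnerable` in `run_fixed` to see the sanitizer report; the growth from 18 bytes to 1 MiB makes glibc move the block in practice, which is what turns the cached pointer into a dangling one. The fix is structural rather than a bounds check: any function that hands its buffer to a callee taking `uint8_t **` must reload the pointer afterwards.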
Source: https://github.com/appneta/tcpreplay/issues/973
User: HeureuxBuilding (UID 88810)
Submission: 08/07/2025 21:23
Moderation: 08/23/2025 17:09 (16 days later)
Status: Accepted
VulDB entry: 321219 [appneta tcpreplay up to 4.5.1 tcprewrite get.c get_l2len_protocol use after free]
Points: 20
