tcpreplay
tcpreplay copied to clipboard
appneta
[Bug] AddressSanitizer: stack-buffer-overflow on csum_replace16 in tcpreplay/src/tcpedit/incremental_checksum.h:96
Desctiption
When I used the csum_replace16 function to handle a specific input, AddressSanitizer: stack-buffer-overflow on csum_replace16 in tcpreplay/src/tcpedit/incremental_checksum.h:96
https://github.com/appneta/tcpreplay/blob/6fcbf0324088561d95c356fe8337f4faac275f1a/src/tcpedit/incremental_checksum.h#L91-L106
Test Environment
Ubuntu 22.04.1, 64bit tcpreplay(v4.5.1 master https://github.com/appneta/tcpreplay/commit/6fcbf0324088561d95c356fe8337f4faac275f1a) program source file
How to trigger
Download the poc file , program and run the following cmd:
$ ./csum_replace16 ./poc
Detail
ASAN report
(gdb) r
Starting program: /data/ambrose/output/tcpreplay_deepseek24/crashes/edit_packet.c/ipv6_l34_csum_replace/csum_replace16/csum_replace16 output/default/crashes/id:000000,sig:06,src:000003,time:56,execs:43,op:havoc,rep:15
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
=================================================================
==136985==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7bfff5c09084 at pc 0x555555669579 bp 0x7fffffffd8f0 sp 0x7fffffffd8e8
READ of size 4 at 0x7bfff5c09084 thread T0
[Detaching after fork from child process 144456]
#0 0x555555669578 in csum_replace16 /home/ambrose/vsproject/TestLib/tcpreplay/src/tcpedit/incremental_checksum.h:96:14
#1 0x5555556690bd in main /data/ambrose/output/tcpreplay_deepseek24/harness/code/edit_packet.c/ipv6_l34_csum_replace/csum_replace16.c:49:5
#2 0x7ffff7c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#3 0x7ffff7c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#4 0x555555582414 in _start (/data/ambrose/output/tcpreplay_deepseek24/crashes/edit_packet.c/ipv6_l34_csum_replace/csum_replace16/csum_replace16+0x2e414) (BuildId: 37cb671cb8e50c37dc8963b7d64a2706713a2cb9)
Address 0x7bfff5c09084 is located in stack of thread T0 at offset 132 in frame
#0 0x555555668a07 in main /data/ambrose/output/tcpreplay_deepseek24/harness/code/edit_packet.c/ipv6_l34_csum_replace/csum_replace16.c:16
This frame has 5 object(s):
[32, 34) 'old' (line 30)
[48, 50) 'new' (line 30)
[64, 84) 'tcp_hdr' (line 41)
[128, 132) 'old_be32' (line 45) <== Memory access at offset 132 overflows this variable
[144, 148) 'new_be32' (line 46)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/ambrose/vsproject/TestLib/tcpreplay/src/tcpedit/incremental_checksum.h:96:14 in csum_replace16
Shadow bytes around the buggy address:
0x7bfff5c08e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7bfff5c08e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7bfff5c08f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7bfff5c08f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7bfff5c09000: f1 f1 f1 f1 02 f2 02 f2 00 00 04 f2 f2 f2 f2 f2
=>0x7bfff5c09080:[04]f2 04 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x7bfff5c09100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7bfff5c09180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7bfff5c09200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7bfff5c09280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7bfff5c09300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==136985==ABORTING
