heap buffer overflow in tcptrace

Bug #1755648 reported by JinHuang
This bug affects 1 person
Affects: tcptrace (Ubuntu)
Status: New
Importance: Undecided
Assigned to: JinHuang
Milestone:

Bug Description

Our team found a heap buffer overflow bug in tcptrace while fuzzing it with a malformed packet.

The problem package is https://launchpad.net/ubuntu/+source/tcptrace

Some other information about it:

xxx@ubuntu:~/work$ which tcptrace
/usr/bin/tcptrace

1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu

Description: Ubuntu 14.04.5 LTS
Release: 14.04

2) The version of the package you are using, via 'apt-cache policy pkgname' or by checking in Software Center

tcptrace:
  Installed: 6.6.7-5
  Candidate: 6.6.7-5
  Version table:
 *** 6.6.7-5 0
        100 /var/lib/dpkg/status
     6.6.7-4.1 0
        500 http://mirrors.aliyun.com/ubuntu/ trusty/universe amd64 Packages

3) What you expected to happen

tcptrace should not crash.

4) What happened instead

tcptrace crashed with "Segmentation fault".

The call stack with the crash input is:

#0 0x0000000000417d96 in MemCpy (vp1=0x88b270, vp2=0x7ff47814701e,
    n=0xfffffffffffcf261) at tcptrace.c:2620
#1 0x0000000000411b8f in callback (user=0x0, phdr=0x7ffea3d60410,
    buf=0x7ff478147010 "") at tcpdump.c:116
#2 0x00007ff47b52ab71 in ?? () from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
#3 0x00000000004122aa in pread_tcpdump (ptime=0x674670 <current_time>,
    plen=0x7ffea3d604f4, ptlen=0x7ffea3d604f8, pphys=0x7ffea3d60520,
    pphystype=0x7ffea3d604f0, ppip=0x7ffea3d60510, pplast=0x7ffea3d60528)
    at tcpdump.c:247
#4 0x0000000000413b74 in ProcessFile (
    filename=0x7ffea3d6211f "tcptrace-input.dmp") at tcptrace.c:966
#5 0x00000000004134b2 in main (argc=0x1, argv=0x7ffea3d607b8)
    at tcptrace.c:785
#6 0x00007ff47b169ec5 in __libc_start_main (main=0x4132ba <main>, argc=0x2,
    argv=0x7ffea3d607b8, init=<optimized out>, fini=<optimized out>,
    rtld_fini=<optimized out>, stack_end=0x7ffea3d607a8) at libc-start.c:287
#7 0x0000000000402469 in _start ()

credit:
ADLab of Venustech
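The trace above shows MemCpy being entered with n=0xfffffffffffcf261, a length consistent with an unchecked subtraction that went negative and was then converted to an unsigned size, so the copy runs far past the end of the heap buffer. The C program below is added here for illustration and is not tcptrace's code or part of the report: struct record, naive_payload_len, checked_copy_payload and the scenario helpers are hypothetical names, and the 20-byte sample frame is constructed. It contrasts the unchecked length computation that produces such a wrapped value with a copy routine that validates the header offset against the captured length, and the result against the destination capacity, before calling memcpy.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record shape, constructed for this example: the bytes handed
 * to a capture callback together with the captured length (caplen). */
struct record {
    size_t caplen;              /* bytes actually present in data */
    const unsigned char *data;
};

/* Unchecked pattern. If hdr_len exceeds caplen the signed subtraction goes
 * negative and the conversion to size_t wraps to a value near 2^64, which is
 * exactly the kind of n a memcpy should never receive. */
size_t naive_payload_len(const struct record *r, int hdr_len)
{
    int len = (int)r->caplen - hdr_len;
    return (size_t)len;
}

/* Hardened copy: every bound is checked before memory is touched.
 * Returns the number of bytes copied, or -1 if the record is rejected. */
long checked_copy_payload(unsigned char *dst, size_t dst_cap,
                          const struct record *r, size_t hdr_len)
{
    if (dst == NULL || r == NULL || r->data == NULL)
        return -1;
    if (hdr_len > r->caplen)            /* header would run past the capture */
        return -1;
    size_t len = r->caplen - hdr_len;   /* cannot underflow after the check */
    if (len > dst_cap)                  /* would overflow the destination */
        return -1;
    memcpy(dst, r->data + hdr_len, len);
    return (long)len;
}

/* Constructed sample: 20 bytes standing in for a captured frame. */
static const unsigned char SAMPLE[20] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
    0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13
};

/* Scenario helpers so the behaviour can be checked without a capture file. */
size_t scenario_naive_truncated(void)
{
    struct record r = { 10, SAMPLE };   /* only 10 bytes captured, 14-byte header */
    return naive_payload_len(&r, 14);   /* wraps to (size_t)-4 */
}

long scenario_checked_truncated(void)
{
    unsigned char out[64];
    struct record r = { 10, SAMPLE };
    return checked_copy_payload(out, sizeof out, &r, 14);   /* -1: rejected */
}

long scenario_checked_ok(void)
{
    unsigned char out[64];
    struct record r = { 20, SAMPLE };
    long n = checked_copy_payload(out, sizeof out, &r, 14);  /* 6 bytes copied */
    return (n == 6 && memcmp(out, SAMPLE + 14, 6) == 0) ? n : -2;
}

long scenario_checked_small_dst(void)
{
    unsigned char out[4];                /* destination smaller than payload */
    struct record r = { 20, SAMPLE };
    return checked_copy_payload(out, sizeof out, &r, 14);   /* -1: rejected */
}

int main(void)
{
    printf("naive length on truncated record:  %#zx\n", scenario_naive_truncated());
    printf("checked copy, truncated record:    %ld\n", scenario_checked_truncated());
    printf("checked copy, well-formed record:  %ld\n", scenario_checked_ok());
    printf("checked copy, small destination:   %ld\n", scenario_checked_small_dst());
    return 0;
}
```

The ordering of the checks matters: the header offset is compared against caplen before the subtraction, so the length can never wrap, and the resulting length is compared against the destination size before memcpy, so a well-formed record that is simply larger than the buffer is also refused rather than silently truncated or overflowed.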

Revision history for this message
JinHuang (101huang) wrote:
Changed in tcptrace (Ubuntu):
assignee: nobody → JinHuang (101huang)
assignee: JinHuang (101huang) → nobody
JinHuang (101huang)
summary: - tcptrace crashed with malformed packet
+ heap buffer overflow in tcptrace
JinHuang (101huang)
Changed in tcptrace (Ubuntu):
assignee: nobody → JinHuang (101huang)