Package: tcpreplay
Version: 3.4.4-2
Severity: important
Tags: patch

Dear Maintainer,

as previously discussed in other places: The tcprewrite program
(src:tcpreplay) has a compile-time limit of the maximum frame size of
65535 it can handle. However, incoming frames are not checked against
that limit, and such frames do happen in the wild when capturing on the
With an MTU size of 65536 on the capturing host - default since kernel
3.6-ish and Debian jessie -, and an ethernet header added, a frame size
of 65549 exceeds that limit, sometimes resulting in a segmentation
fault. Reproducer available upon request.

As far as I can see this still exists in the not-yet packaged
tcpreplay-4.1.1.

The patch attached raises the limit and also adds a size check.
Additionally, I've prepared debdiffs for wheezy and jessie to address
this in a point release.

If you want more about that package, you know where to find me.

    Christoph

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.13 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Subject: tcprewrite: Handle frames of 65535 octets size
Author: Christoph Biedl <debian.a...@manchmal.in-ulm.de>
Date: Mon Jun 29 17:08:24 2015 +0200

diff --git a/src/defines.h.in b/src/defines.h.in
index 3a1bf1e..5468d14 100644
--- a/src/defines.h.in
+++ b/src/defines.h.in
@@ -104,7 +104,7 @@ typedef struct tcpr_speed_s tcpr_speed_t;
 #define DEFAULT_MTU 1500        /* Max Transmission Unit of standard ethernet
                                  * don't forget *frames* are MTU + L2 header! */
 
-#define MAXPACKET 65535         /* was 16436 linux loopback, but maybe something is bigger then 
+#define MAXPACKET 65549         /* was 16436 linux loopback, but maybe something is bigger then 
                                    linux loopback */
 
 #define MAX_SNAPLEN 65535       /* tell libpcap to capture the entire packet */
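Review bot: 65549 is an unexplained magic number in this hunk; the comment on the MAXPACKET line still talks about the 16436 loopback MTU and says nothing about where the new value comes from. Spell out the derivation in the comment (a 65535-octet maximum IP packet plus a 14-byte Ethernet header, which is what the bug report describes) and state what the constant still does not cover, e.g. a VLAN tag adds 4 more bytes, so such captures will now be refused by the new check rather than handled. MAX_SNAPLEN two lines below stays at 65535 while MAXPACKET is now larger, so the two constants no longer agree; either raise both or document why they differ. The pre-existing typo "bigger then" could become "bigger than" while the line is being touched.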
diff --git a/src/tcprewrite.c b/src/tcprewrite.c
index 90a6f2e..9c32a5e 100644
--- a/src/tcprewrite.c
+++ b/src/tcprewrite.c
@@ -253,6 +253,8 @@ rewrite_packets(tcpedit_t *tcpedit, pcap_t *pin, pcap_dumper_t *pout)
         packetnum++;
         dbgx(2, "packet " COUNTER_SPEC " caplen %d", packetnum, pkthdr.caplen);
 
+        if (pkthdr.caplen > MAXPACKET)
+            errx(-1, "Frame too big, caplen %d exceeds %d", pkthdr.caplen, MAXPACKET);
         /* 
          * copy over the packet so we can pad it out if necessary and
          * because pcap_next() returns a const ptr
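Review bot: the new guard aborts the whole run on the first oversized record (errx(-1, ...)), which turns a crash into a clean stop but still makes every remaining packet in the file unprocessable; consider warning and skipping the record (continue) instead, and use a small positive exit status, since -1 is reported to the shell as 255. pkthdr.caplen is an unsigned bpf_u_int32, so the two %d conversions in the errx format should be %u. Placement after packetnum++ and the dbgx line is fine, but the guard only covers tcprewrite; if the same copy-and-pad step exists in the other tools built from this source, they need the same check.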
diff -u tcpreplay-3.4.3/debian/changelog tcpreplay-3.4.3/debian/changelog
--- tcpreplay-3.4.3/debian/changelog
+++ tcpreplay-3.4.3/debian/changelog
@@ -1,3 +1,9 @@
+tcpreplay (3.4.3-2+wheezy2) wheezy-security; urgency=low
+
+  * tcprewrite: Handle frames of 65535 octets size
+
+ -- Christoph Biedl <debian.a...@manchmal.in-ulm.de>  Wed, 08 Jul 2015 
07:49:45 +0200
+
 tcpreplay (3.4.3-2+wheezy1) testing-proposed-updates; urgency=low
 
   * corrected configure to find libpcac again. closes: Bug#634538
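Review bot: the new changelog entry has no "closes: Bug#..." reference (the entry below it shows the convention), so the upload will not close this report; add the bug number. The distribution is wheezy-security, which is the security team's queue, whereas the report proposes a point release; an update via stable-proposed-updates should name that target instead, as the previous entry does with testing-proposed-updates. The trailer line is wrapped across two lines in this copy, which dpkg-parsechangelog rejects; confirm the actual debdiff file has it on one line.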
only in patch2:
unchanged:
--- tcpreplay-3.4.3.orig/src/tcprewrite.c
+++ tcpreplay-3.4.3/src/tcprewrite.c
@@ -253,6 +253,8 @@
         packetnum++;
         dbgx(2, "packet " COUNTER_SPEC " caplen %d", packetnum, pkthdr.caplen);
 
+        if (pkthdr.caplen > MAXPACKET)
+            errx(-1, "Frame too big, caplen %d exceeds %d", pkthdr.caplen, 
MAXPACKET);
         /* 
          * copy over the packet so we can pad it out if necessary and
          * because pcap_next() returns a const ptr
only in patch2:
unchanged:
--- tcpreplay-3.4.3.orig/src/defines.h.in
+++ tcpreplay-3.4.3/src/defines.h.in
@@ -104,7 +104,7 @@
 #define DEFAULT_MTU 1500        /* Max Transmission Unit of standard ethernet
                                  * don't forget *frames* are MTU + L2 header! 
*/
 
-#define MAXPACKET 65535         /* was 16436 linux loopback, but maybe 
something is bigger then 
+#define MAXPACKET 65549         /* was 16436 linux loopback, but maybe 
something is bigger then 
                                    linux loopback */
 
 #define MAX_SNAPLEN 65535       /* tell libpcap to capture the entire packet */
diff -Nru tcpreplay-3.4.4/debian/changelog tcpreplay-3.4.4/debian/changelog
--- tcpreplay-3.4.4/debian/changelog    2012-07-07 16:20:40.000000000 +0200
+++ tcpreplay-3.4.4/debian/changelog    2016-07-02 17:29:04.000000000 +0200
@@ -1,3 +1,9 @@
+tcpreplay (3.4.4-2+deb8u1) stable; urgency=low
+
+  * tcprewrite: Handle frames of 65535 octets size
+
+ -- Christoph Biedl <debian.a...@manchmal.in-ulm.de>  Wed, 08 Jul 2015 
07:53:00 +0200
+
 tcpreplay (3.4.4-2) unstable; urgency=low
 
   * debian/control fixed lintian error
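Review bot: this entry also lacks a "closes: Bug#..." reference, so the report will stay open after the upload. The trailer is dated 08 Jul 2015 while the diff headers show the files were written in July 2016; refresh the date when the upload is actually prepared so the changelog order stays sane. Consider using the codename (jessie) rather than "stable" as the distribution so the entry remains unambiguous after the next release. As above, the trailer line is wrapped in this copy and must be a single line in the file.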
diff -Nru tcpreplay-3.4.4/debian/patches/enforce-maxpacket.patch 
tcpreplay-3.4.4/debian/patches/enforce-maxpacket.patch
--- tcpreplay-3.4.4/debian/patches/enforce-maxpacket.patch      1970-01-01 
01:00:00.000000000 +0100
+++ tcpreplay-3.4.4/debian/patches/enforce-maxpacket.patch      2016-07-02 
17:27:52.000000000 +0200
@@ -0,0 +1,30 @@
+Subject: tcprewrite: Handle frames of 65535 octets size
+Author: Christoph Biedl <debian.a...@manchmal.in-ulm.de>
+Date: Mon Jun 29 17:08:24 2015 +0200
+
+diff --git a/src/defines.h.in b/src/defines.h.in
+index 3a1bf1e..5468d14 100644
+--- a/src/defines.h.in
++++ b/src/defines.h.in
+@@ -104,7 +104,7 @@ typedef struct tcpr_speed_s tcpr_speed_t;
+ #define DEFAULT_MTU 1500        /* Max Transmission Unit of standard ethernet
+                                  * don't forget *frames* are MTU + L2 header! 
*/
+ 
+-#define MAXPACKET 65535         /* was 16436 linux loopback, but maybe 
something is bigger then 
++#define MAXPACKET 65549         /* was 16436 linux loopback, but maybe 
something is bigger then 
+                                    linux loopback */
+ 
+ #define MAX_SNAPLEN 65535       /* tell libpcap to capture the entire packet 
*/
+diff --git a/src/tcprewrite.c b/src/tcprewrite.c
+index 90a6f2e..9c32a5e 100644
+--- a/src/tcprewrite.c
++++ b/src/tcprewrite.c
+@@ -253,6 +253,8 @@ rewrite_packets(tcpedit_t *tcpedit, pcap_t *pin, 
pcap_dumper_t *pout)
+         packetnum++;
+         dbgx(2, "packet " COUNTER_SPEC " caplen %d", packetnum, 
pkthdr.caplen);
+ 
++        if (pkthdr.caplen > MAXPACKET)
++            errx(-1, "Frame too big, caplen %d exceeds %d", pkthdr.caplen, 
MAXPACKET);
+         /* 
+          * copy over the packet so we can pad it out if necessary and
+          * because pcap_next() returns a const ptr
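Review bot: the DEP-3 header carries Subject, Author and Date but no Bug-Debian, Origin or Forwarded field. Since the report states that upstream 4.1.1 is still affected, add "Forwarded:" with the upstream issue URL (or "no" and the reason) and "Bug-Debian:" pointing at this report, so the next maintainer can tell whether the patch is expected to disappear with a new upstream version. The hunks themselves are byte-identical to the git diff at the top of the report, which is good; keep them in sync if the errx format or the constant changes.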
diff -Nru tcpreplay-3.4.4/debian/patches/series 
tcpreplay-3.4.4/debian/patches/series
--- tcpreplay-3.4.4/debian/patches/series       2012-07-06 23:32:50.000000000 
+0200
+++ tcpreplay-3.4.4/debian/patches/series       2015-07-08 00:46:22.000000000 
+0200
@@ -1 +1,2 @@
 configure-pcap.patch
+enforce-maxpacket.patch

Attachment: signature.asc
Description: Digital signature
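As an added illustration that is not part of the bug report or of tcpreplay's source, the following C program reproduces the arithmetic behind the 65549 figure and the shape of the guard the patch adds: a checked copy into a fixed-size buffer in place of an unchecked one. The Ethernet and VLAN header lengths, the helper names (max_frame_len, frame_fits, copy_frame, simulate_record) and the zero-filled sample frame are assumptions of this example, not anything taken from the project.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits as they appear in the patch (old and new MAXPACKET). */
#define OLD_MAXPACKET 65535u
#define NEW_MAXPACKET 65549u

/* Link-layer header sizes (assumed for this example). */
#define ETHER_HDR_LEN 14u
#define VLAN_TAG_LEN   4u
#define MAX_IP_PACKET 65535u   /* IPv4 total length is a 16-bit field */

/* Largest frame a capture interface with this MTU can hand to libpcap:
 * the IP packet cannot exceed 65535 bytes even when the MTU (65536 on
 * Linux loopback) is larger, and the L2 header is added on top. */
uint32_t max_frame_len(uint32_t mtu, uint32_t l2_hdr_len)
{
    uint32_t payload = mtu < MAX_IP_PACKET ? mtu : MAX_IP_PACKET;
    return payload + l2_hdr_len;
}

/* The guard the patch adds: does a record of caplen bytes fit a buffer of limit bytes? */
int frame_fits(uint32_t caplen, uint32_t limit)
{
    return caplen <= limit;
}

/* Checked version of the "copy the packet so we can pad it" step: copies caplen
 * bytes into a fixed-size buffer and refuses, instead of overflowing, when the
 * record is larger than the buffer. Returns bytes copied, or -1 on rejection. */
long copy_frame(uint8_t *dst, uint32_t dst_len, const uint8_t *src, uint32_t caplen)
{
    if (!frame_fits(caplen, dst_len)) {
        fprintf(stderr, "Frame too big, caplen %u exceeds %u\n", caplen, dst_len);
        return -1;
    }
    memcpy(dst, src, caplen);
    return (long)caplen;
}

/* Simulate one pcap record of the given caplen against a buffer of the given limit.
 * The frame is a constructed, zero-filled sample; its contents do not matter.
 * Returns 1 if the record was rejected, 0 if it was copied, -1 on allocation failure. */
int simulate_record(uint32_t caplen, uint32_t limit)
{
    uint8_t *frame = calloc(caplen ? caplen : 1, 1);
    uint8_t *buf = calloc(limit ? limit : 1, 1);
    int rc = -1;
    if (frame && buf)
        rc = copy_frame(buf, limit, frame, caplen) < 0 ? 1 : 0;
    free(frame);
    free(buf);
    return rc;
}

int main(void)
{
    uint32_t lo = max_frame_len(65536u, ETHER_HDR_LEN);                  /* loopback: 65549 */
    uint32_t vlan = max_frame_len(65536u, ETHER_HDR_LEN + VLAN_TAG_LEN); /* tagged: 65553 */

    printf("loopback frame %u: old limit %s, new limit %s\n", lo,
           simulate_record(lo, OLD_MAXPACKET) ? "rejected" : "copied",
           simulate_record(lo, NEW_MAXPACKET) ? "rejected" : "copied");
    printf("VLAN-tagged frame %u: new limit %s\n", vlan,
           simulate_record(vlan, NEW_MAXPACKET) ? "rejected" : "copied");
    return 0;
}
```

The VLAN case is the caveat a reviewer of the patch would raise: the raised constant admits the plain-Ethernet loopback frame but a tagged frame of the same payload still exceeds it, so the guard is what prevents a crash there, not the new limit.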
