Bug 2255212 (CVE-2023-4256) - CVE-2023-4256 tcpreplay: tcprewrite: double free in tcpedit_dlt_cleanup() in plugins/dlt_plugins.c
Summary: CVE-2023-4256 tcpreplay: tcprewrite: double free in tcpedit_dlt_cleanup() in ...
Status: NEW
Alias: CVE-2023-4256
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
Depends On: 2255213 2255214
Blocks: 2224664
TreeView+ depends on / blocked
Reported: 2023-12-19 10:51 UTC by TEJ RATHI
Modified: 2023-12-21 15:41 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: ---
Doc Text:
Within tcpreplay's tcprewrite, a double free vulnerability has been identified in the tcpedit_dlt_cleanup() function within plugins/dlt_plugins.c. This vulnerability can be exploited by supplying a specifically crafted file to the tcprewrite binary. This flaw enables a local attacker to initiate a Denial of Service (DoS) attack.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description TEJ RATHI 2023-12-19 10:51:15 UTC
tcprewrite in tcpreplay v4.4.4 and v.4.4.3 has a double free in function tcpedit_dlt_cleanup in plugins/dlt_plugins.c. It can be triggered by sending a crafted file to the tcprewrite binary. It allows a local attacker to cause Denial of Service or possibly have unspecified other impact.


Comment 1 TEJ RATHI 2023-12-19 10:51:37 UTC
Created tcpreplay tracking bugs for this issue:

Affects: epel-all [bug 2255213]
Affects: fedora-all [bug 2255214]

Comment 2 Bojan Smojver 2023-12-19 22:02:08 UTC
Asked questions in the upstream bug, to see what the problem could actually be here. Cursory look would suggest that perhaps pointers to allocated memory areas are duplicated in two different structures and setting a copy to NULL does not change the original, which then gets freed again. But, just a theory at this point.

Note You need to log in before you can comment on or make changes to this bug.