Bug 2255212 (CVE-2023-4256) - CVE-2023-4256 tcpreplay: tcprewrite: double free in tcpedit_dlt_cleanup() in plugins/dlt_plugins.c
Summary: CVE-2023-4256 tcpreplay: tcprewrite: double free in tcpedit_dlt_cleanup() in ...
Keywords:
Status: NEW
Alias: CVE-2023-4256
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2255213 2255214
Blocks: 2224664
Reported: 2023-12-19 10:51 UTC by TEJ RATHI
Modified: 2023-12-21 15:41 UTC (History)

Fixed In Version:
Doc Type: ---
Doc Text:
A double free has been identified in tcpreplay's tcprewrite, in the tcpedit_dlt_cleanup() function in plugins/dlt_plugins.c. It can be triggered by supplying a specially crafted input file to the tcprewrite binary. This flaw allows a local attacker to cause a denial of service (DoS).
Clone Of:
Environment:
Last Closed:
Embargoed:



Description TEJ RATHI 2023-12-19 10:51:15 UTC
tcprewrite in tcpreplay v4.4.4 and v4.4.3 has a double free in function tcpedit_dlt_cleanup in plugins/dlt_plugins.c. It can be triggered by sending a crafted file to the tcprewrite binary. It allows a local attacker to cause Denial of Service or possibly have unspecified other impact.

https://github.com/appneta/tcpreplay/issues/813

Comment 1 TEJ RATHI 2023-12-19 10:51:37 UTC
Created tcpreplay tracking bugs for this issue:

Affects: epel-all [bug 2255213]
Affects: fedora-all [bug 2255214]

Comment 2 Bojan Smojver 2023-12-19 22:02:08 UTC
Asked questions in the upstream bug, to see what the problem could actually be here. Cursory look would suggest that perhaps pointers to allocated memory areas are duplicated in two different structures and setting a copy to NULL does not change the original, which then gets freed again. But, just a theory at this point.
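The aliasing pattern Comment 2 theorizes about, as an added illustration that is not tcpreplay's code and makes no claim about what plugins/dlt_plugins.c actually does: two hypothetical structures (owner_a_t, owner_b_t) each hold a copy of the same heap pointer, each teardown frees "its" copy and NULLs it, and the NULL written into one structure is invisible to the other. A tracking wrapper around free() is used so the double-free attempt is counted instead of aborting in the allocator. The second function shows the usual fix, a single owning handle (shared_t) that both users reference, so clearing it once is visible to both.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical structures standing in for two contexts that both end up
 * holding a copy of one allocation. Not tcpreplay's real types. */
typedef struct { char *buf; } owner_a_t;   /* first reference            */
typedef struct { char *buf; } owner_b_t;   /* aliased copy of the pointer */

/* Tracking free(): remembers every block released and refuses to release
 * the same block twice, counting the attempt. With the real free() the
 * second call is undefined behaviour (glibc typically aborts). */
#define MAX_FREED 16
static uintptr_t freed[MAX_FREED];
static int nfreed;
static int double_free_attempts;

static void tracked_free(void *p) {
    if (p == NULL) return;
    uintptr_t key = (uintptr_t)p;
    for (int i = 0; i < nfreed; i++) {
        if (freed[i] == key) {
            double_free_attempts++;      /* would be a real double free */
            return;
        }
    }
    if (nfreed < MAX_FREED) freed[nfreed++] = key;
    free(p);
}

static void reset_tracking(void) { nfreed = 0; double_free_attempts = 0; }

/* Buggy teardown: each structure frees the pointer it holds. Writing NULL
 * into a.buf after the first free does not change b.buf, so the second
 * teardown hands the same block to free() again. Returns the number of
 * double-free attempts observed (expected 1). */
int cleanup_aliased_buggy(void) {
    reset_tracking();
    owner_a_t a;
    owner_b_t b;
    a.buf = malloc(64);
    strcpy(a.buf, "shared block");        /* constructed sample content */
    b.buf = a.buf;                        /* pointer copied, ownership not */

    tracked_free(a.buf); a.buf = NULL;    /* teardown of A              */
    tracked_free(b.buf); b.buf = NULL;    /* teardown of B: same block  */
    return double_free_attempts;
}

/* Fixed: one owning handle, referenced (not copied) by both users, so the
 * NULL written on the first release is seen by the second. Returns the
 * number of double-free attempts observed (expected 0). */
typedef struct { char *buf; } shared_t;   /* hypothetical owning handle */
typedef struct { shared_t *ref; } user_a_t;
typedef struct { shared_t *ref; } user_b_t;

int cleanup_single_owner(void) {
    reset_tracking();
    shared_t s;
    s.buf = malloc(64);
    strcpy(s.buf, "shared block");        /* constructed sample content */
    user_a_t a = { &s };
    user_b_t b = { &s };

    if (a.ref->buf) { tracked_free(a.ref->buf); a.ref->buf = NULL; }
    if (b.ref->buf) { tracked_free(b.ref->buf); b.ref->buf = NULL; } /* no-op */
    return double_free_attempts;
}

int main(void) {
    printf("aliased copies: %d double-free attempt(s)\n", cleanup_aliased_buggy());
    printf("single owner:   %d double-free attempt(s)\n", cleanup_single_owner());
    return 0;
}
```

The same hazard exists whenever a raw pointer is duplicated between structures with independent teardown paths; the ownership question, which structure is allowed to free, has to be answered once, and every other holder should either reference the owner or be cleared by the owner before the block is released.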

