From 030859fce9c77417de657b9bb29c0f78c2d68f4a Mon Sep 17 00:00:00 2001 From: Denis Ovsienko Date: Thu, 30 Dec 2021 17:52:52 +0000 Subject: [PATCH] CVE-2021-41043: Fix a use-after-free in extract_slice(). This issue was discovered by Mohammad Hosein Askari (@C0NSTANTINE110), see GitHub issue #11. In extract_slice() pcap_dump_open() takes a pcap_t argument to tell which DLT to use for the output file. This used to be the pcap_t of the first input file, as main() requires at least one input file. However, the loop before pcap_dump_open() closes all, including the first, input files that don't meet a test condition. This way, when the first file didn't meet the condition, the call to pcap_dump_open() would end up as a use-after-free. Make the pcap_dump_open() call before the loop, when the first array element is always valid, and fix this problem. --- diff --git a/tcpslice-1.2a3/tcpslice.c b/tcpslice-1.2a3/tcpslice.c index 6d08473..7c0f4a0 100644 --- a/tcpslice-1.2a3/tcpslice.c +++ b/tcpslice-1.2a3/tcpslice.c @@ -841,6 +841,13 @@ extract_slice(struct state *states, const int numfiles, const char *write_file_n TV_SUB(start_time, base_time, &relative_start); TV_SUB(stop_time, base_time, &relative_stop); + /* Always write the output file, use the first input file's DLT. */ + dumper = pcap_dump_open(states[0].p, write_file_name); + if (!dumper) { + error("error creating output file '%s': %s", + write_file_name, pcap_geterr(states[0].p)); + } + for (i = 0; i < numfiles; ++i) { s = &states[i]; @@ -879,12 +886,6 @@ extract_slice(struct state *states, const int numfiles, const char *write_file_n get_next_packet(s); } - dumper = pcap_dump_open(states->p, write_file_name); - if (! dumper) { - error( "error creating output file %s: ", - write_file_name, pcap_geterr( states->p ) ); - } - /* * Now, loop thru all the packets in all the files,
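Review bot: Moving `pcap_dump_open()` ahead of the per-file loop means the output file is now created before any input has been checked against the test condition, so every early exit from that loop (the path that closes the inputs that fail the test) must also close `dumper` with `pcap_dump_close()`, or the output file is left open and possibly empty; the old placement had no such obligation. Indexing `states[0].p` is safe only because `main()` guarantees at least one input file, which is worth stating in the comment above the call or enforcing with an explicit check such as `if (numfiles < 1) error("no input files");` rather than relying on a precondition that lives in another function.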
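Review bot: The deleted `error()` call had a format-argument mismatch, one `%s` in `"error creating output file %s: "` but two arguments (`write_file_name` and `pcap_geterr(states->p)`), so the libpcap error text was never printed, and `pcap_geterr(states->p)` itself dereferenced the possibly freed handle while formatting the message. The replacement in the earlier hunk corrects both by using `'%s': %s` with a valid `states[0].p`; this second fix deserves a sentence in the commit message, since the description covers only the use-after-free and a reader bisecting output-format changes will otherwise not find it.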