From 030859fce9c77417de657b9bb29c0f78c2d68f4a Mon Sep 17 00:00:00 2001 From: Denis Ovsienko Date: Thu, 30 Dec 2021 17:52:52 +0000 Subject: [PATCH] CVE-2021-41043: Fix a use-after-free in extract_slice(). This issue was discovered by Mohammad Hosein Askari (@C0NSTANTINE110), see GitHub issue #11. In extract_slice() pcap_dump_open() takes a pcap_t argument to tell which DLT to use for the output file. This used to be the pcap_t of the first input file, as main() requires at least one input file. However, the loop before pcap_dump_open() closes all, including the first, input files that don't meet a test condition. This way, when the first file didn't meet the condition, the call to pcap_dump_open() would end up as a use-after-free. Make the pcap_dump_open() call before the loop, when the first array element is always valid, and fix this problem. --- diff --git a/tcpslice-1.3/tcpslice.c b/tcpslice-1.3/tcpslice.c index e7b9ba8..507dd1b 100644 --- a/tcpslice-1.3/tcpslice.c +++ b/tcpslice-1.3/tcpslice.c @@ -838,6 +838,13 @@ extract_slice(struct state *states, int numfiles, const char *write_file_name, TV_SUB(start_time, base_time, &relative_start); TV_SUB(stop_time, base_time, &relative_stop); + /* Always write the output file, use the first input file's DLT. */ + global_dumper = pcap_dump_open(states[0].p, write_file_name); + if (!global_dumper) { + error("error creating output file '%s': %s", + write_file_name, pcap_geterr(states[0].p)); + } + for (i = 0; i < numfiles; ++i) { s = &states[i]; @@ -876,12 +883,6 @@ extract_slice(struct state *states, int numfiles, const char *write_file_name, get_next_packet(s); } - global_dumper = pcap_dump_open(states->p, write_file_name); - if (!global_dumper) { - error( "error creating output file %s: %s", - write_file_name, pcap_geterr( states->p ) ); - } - /* * Now, loop thru all the packets in all the files,
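Review bot: The new `global_dumper = pcap_dump_open(states[0].p, write_file_name);` at the top of hunk 1 makes the fix depend on an invariant that extract_slice() itself never checks: `states[0].p` is only valid because main() rejects a run with zero input files. A one-line guard before the call, e.g. `if (numfiles < 1) error("no input files");`, would keep the function safe if it is ever reached by another path and documents why indexing `states[0]` is correct here. Moving the open ahead of the loop that may pcap_close() the inputs is the right shape for this fix; since the loop below can still close `states[0].p`, a short comment noting that the dumper only takes the DLT and snapshot length from that pcap_t at open time would stop a future reader from "tidying" the call back to its old position.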
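Review bot: With the old `global_dumper = pcap_dump_open(states->p, write_file_name);` block removed in hunk 2, nothing after the close-loop should dereference the first element's `p` any more; the trailing context shows only the start of the packet loop, so please confirm the remainder of extract_slice() and anything it hands `states` to does not read `states->p` after it may have been pcap_close()d. The removed lines spelled the pointer `states->p` while the replacement uses `states[0].p`; they are the same object, and the indexed form is the clearer way to say "first input file", so the only observable change on the error path is the message format moving from `%s` to `'%s'`.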