
Heap-Buffer-Overflow in LightPcapNg Enhanced Packet Block (EPB) parsing #2149

@TYGLS


Bug description

Describe the bug

A heap-buffer-overflow vulnerability was found in the LightPcapNg parser (bundled in 3rdParty/LightPcapNg). The issue occurs in parse_by_block_type() at line 172 of light_pcapng.c, where memcpy() is called with an unvalidated captured_packet_length value read directly from the file. This allows an attacker to trigger a heap-buffer-overflow read, potentially leading to information disclosure or denial of service.

To Reproduce
Steps to reproduce the behavior:

  1. Clone the PcapPlusPlus repository and build it following the oss-fuzz setup:
export CC=clang \
    CXX=clang++ \
    CFLAGS='-fsanitize=address -O0 -g' \
    CXXFLAGS='-fsanitize=address -O0 -g' \
    LIB_FUZZING_ENGINE='-fsanitize=fuzzer'
  2. Run the PoC using FuzzTargetNg:

poc.zip

The PoC is provided as a zip archive. After extracting, run:

./FuzzTargetNg ./poc

ASAN Report

~/fuzz$ ./fuzzers/FuzzTargetNg ./crashes/poc 
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2532037274
./fuzzers/FuzzTargetNg: Running 1 inputs 1 time(s) each.
Running: ./crashes/poc
Read 0 packets successfully and 0 packets could not be read
OS is ''; Hardware is '''; CaptureApplication is 'Editcap 1.10.6'; CaptureFileComment is ''
=================================================================
==680420==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50f0000000e4 at pc 0x5607f88dd0a6 bp 0x7ffffdf74b30 sp 0x7ffffdf742f0
READ of size 524430 at 0x50f0000000e4 thread T0
    #0 0x5607f88dd0a5 in __asan_memcpy (/home/hexijie/fuzz/fuzzers/FuzzTargetNg+0x1c80a5) (BuildId: c3e94d39ab6e549dfa1264e994b2800447343b97)
    #1 0x5607f8958c15 in parse_by_block_type /home/hexijie/fuzz/project/PcapPlusPlus/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c:172:10
    #2 0x5607f895984b in light_read_record /home/hexijie/fuzz/project/PcapPlusPlus/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c:377:4
    #3 0x5607f8957643 in light_get_next_packet /home/hexijie/fuzz/project/PcapPlusPlus/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng_ext.c:397:3
    #4 0x5607f8935280 in pcpp::PcapNgFileReaderDevice::getNextPacketInternal(pcpp::RawPacket&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*) /home/hexijie/fuzz/project/PcapPlusPlus/Pcap++/src/PcapFileDevice.cpp:894:8
    #5 0x5607f892a40a in pcpp::IFileReaderDevice::getNextPackets(pcpp::PointerVector<pcpp::RawPacket, std::default_delete<pcpp::RawPacket>>&, int) /home/hexijie/fuzz/project/PcapPlusPlus/Pcap++/src/PcapFileDevice.cpp:285:22
    #6 0x5607f8920649 in LLVMFuzzerTestOneInput /home/hexijie/fuzz/project/PcapPlusPlus/Tests/Fuzzers/FuzzTarget.cpp:46:14
    #7 0x5607f882b0c4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/hexijie/fuzz/fuzzers/FuzzTargetNg+0x1160c4) (BuildId: c3e94d39ab6e549dfa1264e994b2800447343b97)
    #8 0x5607f88141f6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/hexijie/fuzz/fuzzers/FuzzTargetNg+0xff1f6) (BuildId: c3e94d39ab6e549dfa1264e994b2800447343b97)
    #9 0x5607f8819caa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/hexijie/fuzz/fuzzers/FuzzTargetNg+0x104caa) (BuildId: c3e94d39ab6e549dfa1264e994b2800447343b97)
    #10 0x5607f8844466 in main (/home/hexijie/fuzz/fuzzers/FuzzTargetNg+0x12f466) (BuildId: c3e94d39ab6e549dfa1264e994b2800447343b97)
    #11 0x7ff77a82a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7ff77a82a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #13 0x5607f880edc4 in _start (/home/hexijie/fuzz/fuzzers/FuzzTargetNg+0xf9dc4) (BuildId: c3e94d39ab6e549dfa1264e994b2800447343b97)

0x50f0000000e4 is located 0 bytes after 164-byte region [0x50f000000040,0x50f0000000e4)
allocated by thread T0 here:
    #0 0x5607f88df3dd in calloc (/home/hexijie/fuzz/fuzzers/FuzzTargetNg+0x1ca3dd) (BuildId: c3e94d39ab6e549dfa1264e994b2800447343b97)
    #1 0x5607f89597ce in light_read_record /home/hexijie/fuzz/project/PcapPlusPlus/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c:354:27
    #2 0x5607f8957643 in light_get_next_packet /home/hexijie/fuzz/project/PcapPlusPlus/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng_ext.c:397:3
    #3 0x5607f8935280 in pcpp::PcapNgFileReaderDevice::getNextPacketInternal(pcpp::RawPacket&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*) /home/hexijie/fuzz/project/PcapPlusPlus/Pcap++/src/PcapFileDevice.cpp:894:8
    #4 0x5607f892a40a in pcpp::IFileReaderDevice::getNextPackets(pcpp::PointerVector<pcpp::RawPacket, std::default_delete<pcpp::RawPacket>>&, int) /home/hexijie/fuzz/project/PcapPlusPlus/Pcap++/src/PcapFileDevice.cpp:285:22

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hexijie/fuzz/fuzzers/FuzzTargetNg+0x1c80a5) (BuildId: c3e94d39ab6e549dfa1264e994b2800447343b97) in __asan_memcpy
Shadow bytes around the buggy address:
  0x50effffffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x50effffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x50efffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x50efffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x50f000000000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x50f000000080: 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa
  0x50f000000100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50f000000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50f000000200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50f000000280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50f000000300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==680420==ABORTING

Screenshots

  • actual_len = 0x80090 (524432 bytes)
  • epb->packet_data points to a heap buffer far smaller than the requested copy length.
  • The captured_packet_length variable is optimized out in the build, but the ASAN log confirms the overflow size matches the malicious value from the PoC.
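The following C program is an added illustration and is not code from this issue, from the PoC, or from the LightPcapNg project. It shows the shape of the length validation that prevents this class of overflow: an EPB parser that checks the block's total length against the buffer it actually holds and then checks the claimed captured length against the space left between the fixed header and the trailing length field before any memcpy. The function and type names (parse_epb_checked, build_epb, epb_t) are hypothetical; the byte layout follows the pcapng Enhanced Packet Block definition, byte order is assumed little-endian (section-header magic handling is omitted), and options after the packet data are ignored. The constructed inputs reuse the 0x80090 captured length from the report only to show that such a block is rejected.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* pcapng EPB layout: type(4) total_len(4) if_id(4) ts_hi(4) ts_lo(4)
 * captured_len(4) original_len(4) data[...] (padded to 4) options... total_len(4) */
#define EPB_BLOCK_TYPE   0x00000006u
#define EPB_FIXED_HEADER 28u   /* bytes before the packet data */
#define EPB_TRAILER      4u    /* trailing copy of total_len */
#define EPB_MIN_LEN      (EPB_FIXED_HEADER + EPB_TRAILER)

typedef enum {
    EPB_OK = 0,
    EPB_ERR_TRUNCATED,        /* buffer shorter than the smallest legal EPB */
    EPB_ERR_BAD_TOTAL_LEN,    /* total_len exceeds buffer, misaligned, or trailer mismatch */
    EPB_ERR_CAPLEN_TOO_LARGE, /* captured_len claims more bytes than the block contains */
    EPB_ERR_OOM
} epb_status;

typedef struct {
    uint32_t interface_id;
    uint32_t captured_len;
    uint32_t original_len;
    uint8_t *packet_data;     /* heap copy of exactly captured_len bytes */
} epb_t;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Hypothetical hardened parser: every length read from the file is checked
 * against bytes we actually hold before it is used as a memcpy size. */
epb_status parse_epb_checked(const uint8_t *buf, size_t buf_len, epb_t *out)
{
    memset(out, 0, sizeof *out);
    if (buf_len < EPB_MIN_LEN) return EPB_ERR_TRUNCATED;

    uint32_t total_len = rd32le(buf + 4);
    if (total_len < EPB_MIN_LEN || total_len > buf_len || (total_len & 3u) != 0)
        return EPB_ERR_BAD_TOTAL_LEN;
    if (rd32le(buf + total_len - EPB_TRAILER) != total_len)   /* trailer must agree */
        return EPB_ERR_BAD_TOTAL_LEN;

    uint32_t cap_len = rd32le(buf + 20);
    /* The check missing in the report: data must fit between header and trailer. */
    if (cap_len > total_len - EPB_MIN_LEN) return EPB_ERR_CAPLEN_TOO_LARGE;

    uint8_t *data = calloc(cap_len ? cap_len : 1u, 1u);
    if (!data) return EPB_ERR_OOM;
    memcpy(data, buf + EPB_FIXED_HEADER, cap_len);  /* source range is now in bounds */

    out->interface_id = rd32le(buf + 8);
    out->captured_len = cap_len;
    out->original_len = rd32le(buf + 24);
    out->packet_data  = data;
    return EPB_OK;
}

void epb_free(epb_t *e) { free(e->packet_data); e->packet_data = NULL; }

/* Constructed test input builder (not the PoC): writes an EPB whose captured_len
 * field may disagree with the bytes actually present. Returns the block size. */
size_t build_epb(uint8_t *out, size_t out_cap, uint32_t claimed_cap_len,
                 const uint8_t *data, uint32_t data_len)
{
    uint32_t padded = (data_len + 3u) & ~3u;
    uint32_t total  = EPB_FIXED_HEADER + padded + EPB_TRAILER;
    if (total > out_cap) return 0;
    memset(out, 0, total);
    wr32le(out, EPB_BLOCK_TYPE);
    wr32le(out + 4, total);
    wr32le(out + 20, claimed_cap_len);
    wr32le(out + 24, data_len);           /* original length */
    memcpy(out + EPB_FIXED_HEADER, data, data_len);
    wr32le(out + total - EPB_TRAILER, total);
    return total;
}

static const uint8_t kPayload[6] = { 1, 2, 3, 4, 5, 6 };  /* constructed sample bytes */

/* Honest block: captured_len matches the data present; returns 1 on a faithful copy. */
int demo_honest_block(void)
{
    uint8_t buf[64]; epb_t e;
    size_t n = build_epb(buf, sizeof buf, 6u, kPayload, 6u);
    if (parse_epb_checked(buf, n, &e) != EPB_OK) return 0;
    int ok = e.captured_len == 6u && memcmp(e.packet_data, kPayload, 6) == 0;
    epb_free(&e);
    return ok;
}

/* Same 6-byte block but captured_len claims 0x80090 bytes, as in the ASAN report. */
epb_status demo_oversized_caplen(void)
{
    uint8_t buf[64]; epb_t e;
    size_t n = build_epb(buf, sizeof buf, 0x80090u, kPayload, 6u);
    return parse_epb_checked(buf, n, &e);
}

/* Block whose total_len claims more than the buffer holds (file cut short). */
epb_status demo_short_buffer(void)
{
    uint8_t buf[64]; epb_t e;
    size_t n = build_epb(buf, sizeof buf, 6u, kPayload, 6u);
    return parse_epb_checked(buf, n - 4u, &e);
}
```

Checking cap_len against total_len minus the fixed header and trailer is an upper bound, not the exact data size (options may follow the padded data), but it is the bound that keeps the memcpy source inside the allocation; the trailer comparison additionally rejects blocks whose length field was corrupted or truncated.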

PcapPlusPlus versions tested on

v25.05

Other PcapPlusPlus version (if applicable)

No response

Operating systems tested on

Linux

Other operation systems (if applicable)

No response

Compiler version

Ubuntu clang version 18.1.3 (1ubuntu1)

Packet capture backend (if applicable)

No response
