Etterfilter: Invalid read on crafted file (Segmentation Fault).

[RajUllas]

Etterfilter results in an invalid read of 8 bytes when parsing a crafted file.
As seen in valgrind output the issue occurs in the compile_tree function of the ef_compiler.c source file.

Steps to reproduce (run on current master ettercap branch):
raras@ubuntu: etterfilter crashfile

Expected output (possibly):
File should not be parsed and error message should be printed stating invalid file.
Actual output:
Segmentation Fault

POC crash file is also attached:

crash.txt

Valgrind output is as follows:

raras@ubuntu:~/Desktop$ valgrind etterfilter ~/Desktop/crash
==25860== Memcheck, a memory error detector
==25860== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==25860== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==25860== Command: etterfilter /home/raras/Desktop/crash
==25860==
etterfilter 0.8.2 copyright 2001-2015 Ettercap Development Team
14 protocol tables loaded:
DECODED DATA udp tcp esp gre icmp ipv6 ip arp wifi fddi tr eth
13 constants loaded:
VRRP OSPF GRE UDP TCP ESP ICMP6 ICMP PPTP PPPOE IP6 IP ARP
Parsing source file '/home/raras/Desktop/crash' done.
BUG at [/home/raras/Desktop/ettercap-master/utils/etterfilter/ef_compiler.c:compile_tree:242]
tree_root == NULL
==25860== Invalid read of size 8
==25860== at 0x4E4D7B9: clean_exit (in /usr/local/lib/libettercap.so.0.0.0)
==25860== by 0x4030B0: compile_tree (in /usr/local/bin/etterfilter)
==25860== by 0x4042D3: write_output (in /usr/local/bin/etterfilter)
==25860== by 0x4024BD: main (in /usr/local/bin/etterfilter)
==25860== Address 0x6bc2440 is 8 bytes after a block of size 24 alloc'd
==25860== at 0x4C2CC70: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25860== by 0x4041A2: globals_alloc (in /usr/local/bin/etterfilter)
==25860== by 0x4023AF: main (in /usr/local/bin/etterfilter)
==25860==
==25860== Invalid read of size 8
==25860== at 0x4E4D7BD: clean_exit (in /usr/local/lib/libettercap.so.0.0.0)
==25860== by 0x4030B0: compile_tree (in /usr/local/bin/etterfilter)
==25860== by 0x4042D3: write_output (in /usr/local/bin/etterfilter)
==25860== by 0x4024BD: main (in /usr/local/bin/etterfilter)
==25860== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==25860==
==25860==
==25860== Process terminating with default action of signal 11 (SIGSEGV)
==25860== Access not within mapped region at address 0x0
==25860== at 0x4E4D7BD: clean_exit (in /usr/local/lib/libettercap.so.0.0.0)
==25860== by 0x4030B0: compile_tree (in /usr/local/bin/etterfilter)
==25860== by 0x4042D3: write_output (in /usr/local/bin/etterfilter)
==25860== by 0x4024BD: main (in /usr/local/bin/etterfilter)
==25860== If you believe this happened as a result of a stack
==25860== overflow in your program's main thread (unlikely but
==25860== possible), you can try to increase the size of the
==25860== main thread stack using the --main-stacksize= flag.
==25860== The main thread stack size used in this run was 8388608.
==25860==
==25860== HEAP SUMMARY:
==25860== in use at exit: 29,146 bytes in 536 blocks
==25860== total heap usage: 644 allocs, 108 frees, 199,745 bytes allocated
==25860==
==25860== LEAK SUMMARY:
==25860== definitely lost: 8 bytes in 1 blocks
==25860== indirectly lost: 0 bytes in 0 blocks
==25860== possibly lost: 0 bytes in 0 blocks
==25860== still reachable: 29,138 bytes in 535 blocks
==25860== suppressed: 0 bytes in 0 blocks
==25860== Rerun with --leak-check=full to see details of leaked memory
==25860==
==25860== For counts of detected and suppressed errors, rerun with: -v
==25860== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault

Thanks,
Raj

[LocutusOfBorg]

I pushed a fix in my fix-library branch, thanks for reporting!

[carnil]

This issue has been assigned CVE-2017-6430

[LocutusOfBorg]

patch uploaded in Debian