VYPR
Unrated severity · OSV Advisory · Published Oct 17, 2018 · Updated Aug 5, 2024

CVE-2018-18408

Description

A use-after-free was discovered in the tcpbridge binary of Tcpreplay 4.3.0 beta1. The issue gets triggered in the function post_args() at tcpbridge.c, causing a denial of service or possibly unspecified other impact.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in the post_args() function of Tcpreplay 4.3.0 beta1 tcpbridge can cause denial of service or other potential impact when processing network packets.

Vulnerability

A use-after-free vulnerability exists in the tcpbridge binary of Tcpreplay version 4.3.0 beta1 [1][2]. The bug occurs in the post_args() function at src/tcpbridge.c line 219 [2]. After calling sendpacket_close() (which frees the sendpacket_t struct), the code calls memcpy to copy from eth_buff, a pointer to memory inside the freed structure, into options.intf1_mac, resulting in a read of freed heap memory [2].
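
The ordering problem described above, as an added example that is not Tcpreplay's source code and not a project patch. The sp_model_* functions, the static slot and the POISON byte are hypothetical stand-ins; the slot replaces malloc/free so the stale read is deterministic instead of undefined.

```c
#include <stdio.h>
#include <string.h>

#define MAC_LEN 6     /* size of the read the page reports */
#define POISON  0xDD  /* constructed fill byte marking released storage */

/* Hypothetical stand-in for sendpacket_t: the MAC is stored inside the object. */
typedef struct { unsigned char hwaddr[MAC_LEN]; } sp_model_t;
static sp_model_t slot;  /* static slot instead of malloc/free keeps the stale read defined */

static sp_model_t *sp_model_open(const unsigned char *mac) {
    memcpy(slot.hwaddr, mac, MAC_LEN);
    return &slot;
}
/* Returns a pointer into the object, so it is valid only until sp_model_close(). */
static const unsigned char *sp_model_hwaddr(const sp_model_t *sp) { return sp->hwaddr; }
/* Models the free: the object's contents are gone once the handle is closed. */
static void sp_model_close(sp_model_t *sp) { memset(sp, POISON, sizeof(*sp)); }

/* Order described on the page: close first, then copy through the stale pointer. */
int mac_copy_after_close(const unsigned char *mac, unsigned char *out) {
    sp_model_t *sp = sp_model_open(mac);
    const unsigned char *eth_buff = sp_model_hwaddr(sp);
    sp_model_close(sp);
    memcpy(out, eth_buff, MAC_LEN);  /* in the real binary this reads freed heap */
    return 0;
}

/* Corrected order: copy while the handle is still open, then close. */
int mac_copy_before_close(const unsigned char *mac, unsigned char *out) {
    sp_model_t *sp = sp_model_open(mac);
    memcpy(out, sp_model_hwaddr(sp), MAC_LEN);
    sp_model_close(sp);
    return 0;
}

/* Runs one ordering on a constructed MAC; returns 1 if the copy equals the source. */
int copy_is_intact(int (*copy)(const unsigned char *, unsigned char *)) {
    const unsigned char mac[MAC_LEN] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
    unsigned char out[MAC_LEN] = {0};
    return copy(mac, out) == 0 && memcmp(out, mac, MAC_LEN) == 0;
}

int main(void) {
    printf("copy after close intact:  %d\n", copy_is_intact(mac_copy_after_close));
    printf("copy before close intact: %d\n", copy_is_intact(mac_copy_before_close));
    return 0;
}
```

In the model the stale copy comes back as poison bytes; on a real heap the freed chunk may still hold the old address, which is why this class of bug can pass unnoticed until a tool such as AddressSanitizer reports it.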

Exploitation

An attacker can trigger the use-after-free by running tcpbridge --intf1=en7 against a network interface accessible to the user [2]. No special privileges beyond the ability to execute the tcpbridge binary are required; the attack does not require authentication or user interaction beyond starting the tool. The freed memory region of size 1208 bytes remains accessible, and the read of 6 bytes occurs immediately after the free [2].

Impact

Successful exploitation leads to a heap use-after-free read, which can cause a denial of service (application crash) and potentially other unspecified impacts such as information disclosure [1][2]. The AddressSanitizer output confirms a read of size 6 from freed heap memory at tcpbridge.c:219 [2].

Mitigation

No official fix has been released for the affected version [1][2]. Users should avoid running tcpbridge on untrusted interfaces or inputs, and monitor the vendor repository for patches. The Tcpreplay project may address this issue in a future release beyond 4.3.0 beta1. References from Fedora lists are not accessible due to a bot-detection challenge [3][4].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

References

4
