CVE-2020-24265
Description
An issue was discovered in tcpreplay tcpprep v4.3.3. There is a heap buffer overflow vulnerability in MemcmpInterceptorCommon() that can make tcpprep crash and cause a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Heap buffer overflow in tcpreplay's tcpprep v4.3.3 via MemcmpInterceptorCommon() causes crash, leading to denial of service.
Vulnerability
A heap buffer overflow vulnerability exists in tcpreplay's tcpprep component, version 4.3.3. The fault is reported in MemcmpInterceptorCommon(), AddressSanitizer's interceptor for memcmp-family calls, which is reached from get_l2len() during packet processing. A crafted packet causes a read of size 3 that runs past the end of the allocated heap buffer, leading to a crash [1].
Exploitation
An attacker can exploit this vulnerability by supplying a specially crafted packet to tcpprep. The affected code path is reachable via process_raw_packets() in tcpprep.c without requiring any special privileges beyond the ability to provide the input packet. No user interaction beyond running tcpprep on the malicious input is required [1].
Impact
Successful exploitation results in a denial of service (DoS) via a crash of tcpprep. The AddressSanitizer report confirms a heap-buffer-overflow read; while the primary impact is availability, the read of adjacent heap memory could potentially leak sensitive data, though this is not confirmed [1].
Mitigation
As of the available references, no patched version has been disclosed. The vulnerability is present in tcpreplay version 4.3.3. Users should monitor the official tcpreplay repository for updates. Until a fix is released, avoiding untrusted packet inputs to tcpprep is advised [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- tcpreplay/tcpprep
- Range: = 4.3.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds check in get_l2len() causes a read of 3 bytes from a 2-byte heap buffer."
Attack vector
An attacker provides a crafted pcap file as input to `tcpprep -a client -i [poc] -o a.cach` [1]. When `tcpprep` processes the malformed packet, `get_l2len()` reads beyond the allocated buffer boundary, causing a heap-buffer-overflow [1]. The overflow is a read of 3 bytes from a 2-byte heap region, leading to a crash and denial of service [1]. No authentication or special network access is required; the attacker only needs to supply the malicious file.
Affected code
The heap buffer overflow occurs in `MemcmpInterceptorCommon()` when called via `bcmp` at `get_l2len()` in `src/common/get.c:186`, which is invoked by `get_ipv4()` at `get.c:267` and ultimately by `process_raw_packets()` in `src/tcpprep.c:370` [1]. The crash is triggered during a `READ of size 3` on a heap region that is only 2 bytes long [1].
What the fix does
The advisory does not include a patch or remediation guidance [1]. The issue was reported as a bug in tcpreplay version 4.3.3, and the expected behavior is that `tcpprep` should either produce the cache file or exit cleanly upon encountering abnormal input [1]. Without a published fix, users must avoid processing untrusted pcap files with the affected version or apply input validation to ensure packet headers do not exceed their allocated buffer sizes.
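The kind of input validation described above, as an added example: this is not tcpreplay's code and not a patch from the project. The function names, the 3-byte magic and the header layout are hypothetical, chosen only so that a 3-byte compare meets a 2-byte capture as in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 3-byte magic and header layout, constructed for this example:
 * magic[3] | flags[1] | (optional) ext_len[2, big-endian] | ext bytes */
static const uint8_t MAGIC[3] = { 'X', 'Y', 'Z' };
#define HDR_FIXED 4u
#define FLAG_EXT  0x80u

/* Unchecked pattern: compares 3 bytes no matter how many were captured.
 * With a 2-byte capture this is the out-of-bounds read ASan reports. */
int l2len_unchecked(const uint8_t *pkt)
{
    return memcmp(pkt, MAGIC, sizeof(MAGIC)) == 0 ? (int)HDR_FIXED : -1;
}

/* Checked pattern: every read is gated on the captured length first.
 * Returns the layer-2 header length, or -1 for short or unknown frames. */
int l2len_checked(const uint8_t *pkt, size_t caplen)
{
    size_t len = HDR_FIXED;

    if (pkt == NULL || caplen < HDR_FIXED)
        return -1;                      /* too short for magic + flags */
    if (memcmp(pkt, MAGIC, sizeof(MAGIC)) != 0)
        return -1;                      /* not this encapsulation */
    if (pkt[3] & FLAG_EXT) {
        if (caplen < HDR_FIXED + 2)
            return -1;                  /* ext_len field itself truncated */
        len += 2 + (((size_t)pkt[4] << 8) | pkt[5]);
        if (len > caplen)
            return -1;                  /* extension runs past the capture */
    }
    return (int)len;
}

/* Constructed input: a 2-byte heap buffer, the size in the ASan report. */
int check_two_byte_capture(void)
{
    uint8_t *pkt = malloc(2);
    int r;
    if (pkt == NULL)
        return -2;
    pkt[0] = 'X'; pkt[1] = 'Y';
    r = l2len_checked(pkt, 2);
    free(pkt);
    return r;
}
```

A caller that receives -1 should skip the packet or exit cleanly, which matches the expected behavior stated in the report.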
Preconditions
- input: Attacker must supply a crafted pcap file that triggers the overflow in `get_l2len()`
- config: Victim must run `tcpprep -a client -i [poc] -o a.cach` on the malicious file
Reproduction
Download tcpreplay-4.3.3.tar.gz, install libpcap-dev, configure and build. Run `tcpprep -a client -i [poc filename] -o a.cach` with the provided PoC file `poc_tcpprep_heap_buffer_overflow_MemcmpInterceptorCommon.tar.gz` [1]. The tool will crash with an AddressSanitizer heap-buffer-overflow at `MemcmpInterceptorCommon` [1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EA7K7VKDK2K3SY2DHQQYSCBGZLKPWXJ4/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LC3UMBJFBK5HYUX7H2NGXVFI2I2EMAOF/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M623ONZKOZL5Y7XQNHKXEPV76XYCPXQM/ (mitre, vendor-advisory, x_refsource_FEDORA)
- security.gentoo.org/glsa/202105-21 (mitre, vendor-advisory, x_refsource_GENTOO)
- github.com/appneta/tcpreplay/issues/616 (mitre, x_refsource_MISC)