VYPR
Unrated severity · NVD Advisory · Published Oct 19, 2020 · Updated Aug 4, 2024

CVE-2020-24266

Description

An issue was discovered in tcpreplay tcpprep v4.3.3. There is a heap buffer overflow vulnerability in get_l2len() that can make tcpprep crash and cause a denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap buffer overflow in tcpreplay's tcpprep v4.3.3, in get_l2len(), can cause a crash leading to denial of service.

Vulnerability

A heap buffer overflow vulnerability exists in tcpreplay version 4.3.3, specifically in the tcpprep tool. The bug is located in the get_l2len() function in src/common/get.c:191 [1]. This function attempts to read data from a packet buffer that has been incorrectly sized, leading to an out-of-bounds read of two bytes. The overflow occurs when processing crafted packet data that triggers the vulnerable code path in process_raw_packets() [1].

Exploitation

To trigger the vulnerability, an attacker needs to provide a maliciously crafted packet capture (pcap) file to tcpprep. No authentication or special privileges are required beyond the ability to supply the input file. The tcpprep tool will attempt to process the file, and during the call to get_l2len(), it reads beyond the allocated heap buffer, causing a heap-buffer-overflow condition [1].

Impact

A successful exploit causes tcpprep to crash, resulting in a denial of service (DoS) condition. The AddressSanitizer (ASan) report confirms a heap-buffer-overflow read of size 2, with the faulting address located immediately after a 4-byte allocated region [1]. There is no evidence of code execution or information disclosure; the primary impact is availability loss.

Mitigation

As of the publication date (2020-10-19), no official patch has been released for tcpreplay 4.3.3. The issue was reported on the project's GitHub issue tracker [1]. For users of Fedora, package announcements referencing this CVE were made [2][3][4], though these references are behind an automated challenge page and do not provide actionable mitigation details. Users should monitor the upstream repository for a patched release and consider limiting exposure by restricting pcap file inputs from untrusted sources.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds checking in get_l2len() allows reading 2 bytes past the end of a heap-allocated buffer when processing a malformed packet."

Attack vector

An attacker provides a crafted pcap file as input to `tcpprep -a client -i [poc_filename] -o a.cach` [1]. When `tcpprep` processes the malicious packet, `get_l2len()` reads 2 bytes beyond the end of a heap-allocated buffer, causing a heap-buffer-overflow [1]. This results in a crash (denial of service) [1]. No authentication or special privileges are required; the attacker only needs to supply the malformed pcap file.

Affected code

The heap buffer overflow occurs in the `get_l2len()` function in `/src/tcpreplay-4.3.3/src/common/get.c` at line 191:22 [1]. The call chain is `main` → `process_raw_packets` (tcpprep.c:370) → `get_ipv4` (get.c:267) → `get_l2len` (get.c:191) [1].

What the fix does

The advisory does not include a patch or official fix [1]. The reporter expected that tcpprep should either produce a valid cache file or exit gracefully when encountering abnormal input, rather than crash [1]. Without a published fix, users must avoid processing untrusted pcap files with tcpreplay 4.3.3 or apply input-length validation in `get_l2len()` to prevent out-of-bounds reads.
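One way to do the input-length validation mentioned above, as an added example that is not tcpreplay's code or its fix: every 16-bit header read is checked against the captured length before it happens. It assumes an Ethernet link layer with optional 802.1Q tags (the page does not state the link type involved); `checked_l2len_ethernet`, `read_be16` and the sample captures are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN    14      /* dst MAC + src MAC + EtherType */
#define VLAN_TAG_LEN   4       /* TCI + encapsulated EtherType */
#define ETHERTYPE_VLAN 0x8100

/* Constructed sample captures (not the PoC from the issue). */
static const uint8_t sample_tiny[4]  = {0};   /* 4-byte capture, like the ASan region */
static const uint8_t sample_ipv4[14] = {[12] = 0x08, [13] = 0x00};
static const uint8_t sample_vlan[18] = {[12] = 0x81, [13] = 0x00, [16] = 0x08, [17] = 0x00};

/* Read a big-endian 16-bit field only if both bytes lie inside the capture. */
static int read_be16(const uint8_t *pkt, size_t caplen, size_t off, uint16_t *out)
{
    if (off > caplen || caplen - off < 2)
        return -1;
    *out = (uint16_t)((pkt[off] << 8) | pkt[off + 1]);
    return 0;
}

/* Hypothetical helper: Ethernet L2 header length, or -1 if the capture is truncated. */
int checked_l2len_ethernet(const uint8_t *pkt, size_t caplen)
{
    uint16_t ether_type;
    size_t l2len = ETH_HDR_LEN;

    if (pkt == NULL || read_be16(pkt, caplen, 12, &ether_type) != 0)
        return -1;
    /* Each 802.1Q tag pushes the real EtherType 4 bytes further out. */
    while (ether_type == ETHERTYPE_VLAN) {
        if (read_be16(pkt, caplen, l2len + 2, &ether_type) != 0)
            return -1;
        l2len += VLAN_TAG_LEN;
    }
    return (int)l2len;
}

int main(void)
{
    printf("tiny=%d ipv4=%d vlan=%d vlan-truncated=%d\n",
           checked_l2len_ethernet(sample_tiny, sizeof sample_tiny),
           checked_l2len_ethernet(sample_ipv4, sizeof sample_ipv4),
           checked_l2len_ethernet(sample_vlan, sizeof sample_vlan),
           checked_l2len_ethernet(sample_vlan, 16));
    return 0;
}
```

A caller that gets -1 can skip the packet or exit with an error, which matches the graceful handling the reporter expected.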

Preconditions

  • input: Attacker must supply a crafted pcap file that triggers the heap-buffer-overflow in get_l2len()
  • config: Victim must run tcpprep (from tcpreplay 4.3.3) with the malicious pcap as input

Reproduction

Download tcpreplay-4.3.3.tar.gz, install libpcap-dev, then build and install tcpreplay. Run: `tcpprep -a client -i [poc_filename] -o a.cach` with the provided PoC pcap file [1]. The tool will crash with a heap-buffer-overflow in `get_l2len()` as shown in the ASAN report [1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
