Unrated severity · NVD Advisory · Published Mar 16, 2023 · Updated Feb 26, 2025

CVE-2023-27783

Description

An issue found in TCPreplay tcprewrite v.4.4.3 allows a remote attacker to cause a denial of service via the tcpedit_dlt_cleanup function at plugins/dlt_plugins.c.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An assertion failure in TCPreplay tcprewrite v4.4.3's tcpedit_dlt_cleanup() function allows a remote attacker to cause a denial of service via a crafted pcap file.

Vulnerability

An issue found in TCPreplay tcprewrite v4.4.3 allows a remote attacker to cause a denial of service via the tcpedit_dlt_cleanup function at plugins/dlt_plugins.c. The bug is triggered when tcprewrite processes a crafted pcap file in DLT_JUNIPER_ETHER mode, where the dlt_jnpr_ether_cleanup callback passes a NULL context pointer (ctx=0x0) to tcpedit_dlt_cleanup, which then hits a reachable assertion (assert(ctx)) on line 462 [1][2].

Exploitation

An attacker needs no authentication, only the ability to supply a crafted pcap file to a system running tcprewrite. The steps are: (1) create a malformed pcap file that causes the DLT_JUNIPER_ETHER context to be set up in a way that leaves the plugin context pointer NULL, and (2) induce the victim to run `tcprewrite --dlt="jnpr_eth" -i $POC -o /dev/null`, where `$POC` is the crafted file. The program then crashes due to the assertion failure [1][2].

Impact

A successful exploit causes the tcprewrite process to abort, resulting in a denial of service. No code execution or elevation of privilege is reported; the impact is limited to availability [1][2].

Mitigation

The fix is provided in GitHub pull request #781 (merged after the advisory) [1]. The corrected code adds a NULL check for the sub-context pointer before calling tcpedit_dlt_cleanup in the dlt_jnpr_ether_cleanup function. Users should update to a patched version of TCPreplay (post-v4.4.3). No workaround is documented; developers have addressed the root cause by patching the plugin cleanup logic [1][2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing NULL pointer check in dlt_jnpr_ether_cleanup before calling tcpedit_dlt_cleanup with a sub-context that may be NULL."

Attack vector

An attacker crafts a pcap file with DLT_JUNIPER_ETHER data link type that triggers a code path where the sub-context pointer passed to tcpedit_dlt_cleanup is NULL [2]. The attacker supplies this file as input to tcprewrite with the --dlt="jnpr_eth" flag [2]. When tcprewrite processes the file, the call chain reaches dlt_jnpr_ether_cleanup at plugins/dlt_jnpr_ether/jnpr_ether.c:171, which calls tcpedit_dlt_cleanup with a NULL ctx argument [2]. The assertion at plugins/dlt_plugins.c:462 (`Assertion 'ctx' failed`) terminates the program, causing a denial of service [2].

Affected code

The vulnerable code is in plugins/dlt_jnpr_ether/jnpr_ether.c at the dlt_jnpr_ether_cleanup function (line 171) [2]. This function calls tcpedit_dlt_cleanup in plugins/dlt_plugins.c (line 462) without first checking whether the sub-context pointer is NULL [2]. The fix is in pull request #781, which adds a NULL check before the cleanup call [1].

What the fix does

The fix in pull request #781 adds a NULL check for the sub-context pointer before calling tcpedit_dlt_cleanup in the dlt_jnpr_ether_cleanup function [1]. The commit message is "dlt_jnpr_ether_cleanup: check subctx before cleanup" [1]. This prevents the reachable assertion by ensuring that tcpedit_dlt_cleanup is only invoked when the sub-context is non-NULL, matching the defensive pattern used by other DLT cleanup handlers.
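
A minimal model of the defect and the fix described above, added here as an illustration and not taken from tcpreplay or pull request #781. All type and function names (`dlt_ctx_t`, `plugin_cfg_t`, `generic_cleanup`, `cleanup_unchecked`, `cleanup_checked`, `run_isolated`) are hypothetical stand-ins; it assumes a POSIX system and runs each cleanup variant in a child process so the failed assertion shows up as SIGABRT.

```c
/* Simplified model of a plugin cleanup path; NOT tcpreplay source. Names are hypothetical. */
#include <assert.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

typedef struct { void *state; } dlt_ctx_t;          /* stand-in for a DLT context */
typedef struct { dlt_ctx_t *subctx; } plugin_cfg_t; /* plugin config owning a sub-context */

/* Generic cleanup: its precondition is a non-NULL context. */
static void generic_cleanup(dlt_ctx_t *ctx) {
    assert(ctx);            /* reachable if the caller never validated ctx */
    free(ctx->state);
    free(ctx);
}

/* "Before": forwards the sub-context unconditionally. */
static int cleanup_unchecked(plugin_cfg_t *cfg) {
    generic_cleanup(cfg->subctx);
    cfg->subctx = NULL;
    return 0;
}

/* "After": calls the generic cleanup only when a sub-context exists. */
static int cleanup_checked(plugin_cfg_t *cfg) {
    if (cfg->subctx != NULL) {
        generic_cleanup(cfg->subctx);
        cfg->subctx = NULL;
    }
    return 0;
}

/* Runs fn(cfg) in a child; returns the terminating signal (SIGABRT for a failed assert) or 0. */
static int run_isolated(int (*fn)(plugin_cfg_t *), plugin_cfg_t *cfg) {
    int status = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { fn(cfg); _exit(0); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void) {
    plugin_cfg_t empty = { NULL };   /* constructed input: sub-context never set up */
    printf("unchecked: signal %d\n", run_isolated(cleanup_unchecked, &empty));
    printf("checked:   signal %d\n", run_isolated(cleanup_checked, &empty));
    return 0;
}
```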

Preconditions

  • input: Attacker must supply a crafted pcap file that triggers the DLT_JUNIPER_ETHER code path with a NULL sub-context.
  • config: User must run tcprewrite with --dlt="jnpr_eth" (or equivalent) pointing to the crafted file.

Reproduction

1. Compile tcpreplay version 4.4.3 (commit bcb107a).
2. Obtain the PoC pcap file referenced in the issue (linked from the GitHub issue).
3. Run: `./tcprewrite --dlt="jnpr_eth" -i $POC -o /dev/null`
4. Observe the assertion failure: `tcprewrite: plugins/dlt_plugins.c:462: tcpedit_dlt_cleanup: Assertion 'ctx' failed.` [2]

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
