CVE-2023-27786
Description
An issue found in TCPprep v.4.4.3 allows a remote attacker to cause a denial of service via the macinstring function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in tcpreplay's macinstring function allows remote attackers to cause a denial of service via an empty MAC string.
Vulnerability
A NULL pointer dereference vulnerability exists in the macinstring() function in mac.c at line 120 of TCPprep v.4.4.3. When tcpprep is used with an empty MAC string (e.g., -e "") and Source MAC split mode, strlen(tempstr) is called on a pointer that becomes NULL after tokenizing an empty string, leading to a segmentation fault [1][2].
Exploitation
An attacker must be able to supply an empty string to the -e (MAC address) option of tcpprep. The tool must be invoked with a valid .pcap file and a cachefile target. The attacker does not need any special privileges; the command can be executed locally or, if tcpprep is exposed as a network service, remotely. The crash is reliably triggered with the command ./tcpprep -e "" --pcap=test.pcap --cachefile=/dev/null [2].
Impact
Successful exploitation causes a segmentation fault (NULL pointer dereference), aborting the tcpprep process. This results in a denial of service, preventing the tool from correctly processing packet capture files or generating cache files. The impact is limited to availability; confidentiality and integrity are not compromised.
Mitigation
A fix was proposed in a pull request that addresses the strtok_r usage issue [1]. Users should update to tcpreplay version 4.4.4 or later, which includes the patch. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. As a workaround, avoid passing an empty MAC string to tcpprep.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TCPprep/TCPprep (description)
- osv-coords (5 versions):
  - pkg:rpm/opensuse/tcpreplay&distro=openSUSE%20Leap%2015.4
  - pkg:rpm/opensuse/tcpreplay&distro=openSUSE%20Leap%2015.5
  - pkg:rpm/opensuse/tcpreplay&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/tcpreplay&distro=SUSE%20Package%20Hub%2015%20SP4
  - pkg:rpm/suse/tcpreplay&distro=SUSE%20Package%20Hub%2015%20SP5
- (no CPE) range: < 4.4.4-bp155.2.3.1
- (no CPE) range: < 4.4.4-bp155.2.3.1
- (no CPE) range: < 4.4.4-1.1
- (no CPE) range: < 4.4.4-bp155.2.3.1
- (no CPE) range: < 4.4.4-bp155.2.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation in macinstring() allows a NULL pointer dereference when an empty MAC string is passed."
Attack vector
An attacker can trigger a NULL pointer dereference by passing an empty MAC string (`""`) via the `-e` option to `tcpprep` when operating in Source MAC split mode [ref_id=1]. The program reads a provided pcap file (e.g., `test.pcap`) and processes packets, but when `macinstring()` receives an empty string, it attempts to call `strlen()` on a pointer that leads to a read at address zero, causing a segmentation fault [ref_id=1]. No authentication or special network access is required — the attacker only needs to invoke the binary with the crafted argument.
Affected code
The vulnerability is in the `macinstring()` function in `mac.c` at line 120 [ref_id=1]. The function is called from `process_raw_packets()` in `tcpprep.c` at line 450, which is invoked by `main()` at line 144 [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory [ref_id=1] identifies the root cause as a missing check for an empty MAC string in `macinstring()` at `mac.c:120`. The fix would require validating that the input string is non-empty before proceeding with `strlen()` and subsequent processing, returning an error or handling the empty case gracefully instead of dereferencing a NULL pointer.
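The check described above, as an added example that is not tcpreplay's code or the proposed patch: a hypothetical `mac_in_list()` helper, assuming a comma-separated list of MAC addresses, rejects an empty argument and tests the `strtok_r()` result before `strlen()` is called on it. `SAMPLE_MAC` and the list strings are constructed values.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* strtok_r(), strdup() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample address for the demo below. */
static const unsigned char SAMPLE_MAC[6] = {0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff};

/* Hypothetical helper, not tcpreplay's macinstring(). Assumes a
 * comma-separated list of aa:bb:cc:dd:ee:ff entries.
 * Returns 1 if mac is listed, 0 if not, -1 if the list is unusable. */
int mac_in_list(const char *list, const unsigned char mac[6])
{
    char *copy, *tok, *save = NULL;
    int result;

    if (list == NULL || list[0] == '\0')
        return -1;                      /* empty argument, e.g. -e "" */
    if ((copy = strdup(list)) == NULL)  /* strtok_r writes to its input */
        return -1;
    /* strtok_r() returns NULL when no token is left. For "," that is
     * the first call, so test the pointer before strlen() sees it. */
    tok = strtok_r(copy, ",", &save);
    result = (tok == NULL) ? -1 : 0;
    while (tok != NULL) {
        unsigned int b[6];
        int i, same = 1;
        if (strlen(tok) != 17 ||
            sscanf(tok, "%2x:%2x:%2x:%2x:%2x:%2x",
                   &b[0], &b[1], &b[2], &b[3], &b[4], &b[5]) != 6) {
            result = -1;                /* entry does not parse */
            break;
        }
        for (i = 0; i < 6; i++)
            same &= (b[i] == mac[i]);
        if (same)
            result = 1;
        tok = strtok_r(NULL, ",", &save);
    }
    free(copy);
    return result;
}

int main(void)
{
    printf("empty: %d, listed: %d\n", mac_in_list("", SAMPLE_MAC),
           mac_in_list("00:11:22:33:44:55,aa:bb:cc:dd:ee:ff", SAMPLE_MAC));
    return 0;
}
```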
Preconditions
- Input: The attacker must be able to execute the tcpprep binary with command-line arguments.
- Input: The attacker must provide an empty string as the MAC argument via the -e option.
- Input: A valid pcap file must be supplied (e.g., test.pcap from the tcpreplay codebase).
Reproduction
Run the command: `$ ./tcpprep -e "" --pcap=./test.pcap --cachefile=/dev/null` using a pcap file from the tcpreplay codebase (e.g., `test/test.pcap`) [ref_id=1]. The program will crash with a segmentation fault due to a NULL pointer dereference in `macinstring()` at `mac.c:120` [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R3ER3YTFR3XIDMYEB7LMFWFTPVQALBHC/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UE3J4LKYFNKPKNSLDQK4JG36THQMQH3V/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UK2BRH3W3ECF5FDXP6QM3ZEDTHIOE4M5/ (mitre, vendor-advisory)
- github.com/appneta/tcpreplay/issues/782 (mitre)
- github.com/appneta/tcpreplay/pull/783 (mitre)