
Deep dive of a double free or corruption bug

Summary

Investigation and fix of a “double free or corruption” bug in an open-source program

Context

I am the author of the ipdecap tool, which works on pcap files (tcpdump, Wireshark) and removes the encapsulation layer from captured traffic (IPsec, IPIP, VLAN) for analysis and troubleshooting.

The tool is written in C, tested on Linux/macOS, and relies heavily on pointer arithmetic to walk packet headers and payloads.

Double free wat?

How is that different from a segmentation fault?

Segmentation fault

The program touches an address it has no valid mapping for (unmapped memory, or memory mapped without the needed permission, such as a write to a read-only page). The kernel delivers SIGSEGV and the process dies; the faulting instruction is usually close to the bug.

Double free

The program calls free() a second time on a pointer it has already freed (or on a pointer that never came from malloc). Every address involved is still mapped, so there is no SIGSEGV: the damage is to the allocator's own bookkeeping, and the symptom appears later, wherever malloc or free next trips over the corrupted metadata. glibc checks for some of these cases and aborts the process with messages such as “double free or corruption”; that is a SIGABRT raised by libc itself, not a fault raised by the kernel.
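To make the difference concrete, here is an added example (not ipdecap's code) of the pattern behind a typical “double free or corruption” abort in a packet-processing callback: a toy decapsulator with a hypothetical 4-byte header whose bytes 2..3 carry a payload length. The buggy version frees its buffer on the error path and again at a shared cleanup label; the fixed version validates the untrusted length before allocating and frees on exactly one path. The frame layout, function names and sample frames are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not ipdecap code. Toy decapsulation in the style of a
 * pcap callback: a hypothetical 4-byte header whose bytes 2..3 hold the
 * payload length, followed by the payload, copied into a fresh buffer. */
#define HDR_LEN 4

static size_t declared_len(const uint8_t *pkt)
{
    return ((size_t)pkt[2] << 8) | pkt[3];
}

/* Buggy: on a frame whose declared length exceeds the captured bytes,
 * `out` is freed on the error path and again at the cleanup label.
 * Nothing is out of bounds, so no SIGSEGV; glibc's free() notices the
 * chunk being freed twice and aborts with "double free or corruption". */
int decap_buggy(const uint8_t *pkt, size_t caplen, uint8_t **payload, size_t *plen)
{
    uint8_t *out = NULL;
    if (caplen < HDR_LEN)
        return -1;
    size_t n = declared_len(pkt);
    out = malloc(n ? n : 1);
    if (out == NULL)
        return -1;
    if (n > caplen - HDR_LEN) {
        free(out);              /* first free */
        goto cleanup;           /* cleanup frees it again */
    }
    memcpy(out, pkt + HDR_LEN, n);
    *payload = out;
    *plen = n;
    return 0;
cleanup:
    free(out);                  /* second free of the same pointer */
    return -1;
}

/* Fixed: validate the untrusted length before allocating, keep a single
 * owner for the buffer, and free it on exactly one path. */
int decap_fixed(const uint8_t *pkt, size_t caplen, uint8_t **payload, size_t *plen)
{
    if (caplen < HDR_LEN)
        return -1;
    size_t n = declared_len(pkt);
    if (n > caplen - HDR_LEN)   /* reject the forged length first */
        return -1;
    uint8_t *out = malloc(n ? n : 1);
    if (out == NULL)
        return -1;
    memcpy(out, pkt + HDR_LEN, n);
    *payload = out;
    *plen = n;
    return 0;
}

/* Free and null the caller's pointer: a repeated release becomes
 * free(NULL), which is a defined no-op, rather than a double free. */
void release_payload(uint8_t **payload)
{
    free(*payload);
    *payload = NULL;
}

/* Constructed frames: a consistent one (3-byte payload) and a forged one
 * that declares 0xFFFF payload bytes while only 3 were captured. */
static const uint8_t good_frame[]   = { 0x00, 0x01, 0x00, 0x03, 'a', 'b', 'c' };
static const uint8_t forged_frame[] = { 0x00, 0x01, 0xFF, 0xFF, 'a', 'b', 'c' };

/* Fixed decapsulator on the good frame: returns the payload length (3). */
int demo_fixed_good(void)
{
    uint8_t *p = NULL;
    size_t n = 0;
    if (decap_fixed(good_frame, sizeof good_frame, &p, &n) != 0)
        return -1;
    int ok = (n == 3 && memcmp(p, "abc", 3) == 0);
    release_payload(&p);
    release_payload(&p);        /* safe: p is already NULL */
    return ok ? (int)n : -1;
}

/* Fixed decapsulator on the forged frame: returns -1 without allocating. */
int demo_fixed_forged(void)
{
    uint8_t *p = NULL;
    size_t n = 0;
    return decap_fixed(forged_frame, sizeof forged_frame, &p, &n);
}

/* The buggy version handles the good frame just as well (returns 0); only
 * the forged frame reaches the double free, so normal captures never show it. */
int demo_buggy_good(void)
{
    uint8_t *p = NULL;
    size_t n = 0;
    int rc = decap_buggy(good_frame, sizeof good_frame, &p, &n);
    release_payload(&p);
    return rc;
}
```

Calling decap_buggy on forged_frame reproduces the abort: the process is not killed by the kernel for a bad address, it is killed by libc's own consistency check inside the second free(). That is also why the bug only surfaces with a forged or fuzzed capture and never with ordinary traffic.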

The issue

Someone reported an issue about ipdecap crashing with a forged file:

https://github.com/lpefferkorn/ipdecap/issues/5

loic@debian9:~/ipdecap.github$ ./src/ipdecap -v -i ~/ipdecap_issue5.pcapng -o /tmp/foo
Input file :    /home/loic/ipdecap_issue5.pcapng
Output file:    /tmp/foo
Config file:    (null)
Bpf filter: (null)
Processing packet 0
*** Error in `./src/ipdecap': double free or corruption (out): 0x000055b2e1bb6690 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7f47ca22ebfb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7f47ca234fc6]
/lib/x86_64-linux-gnu/libc.so.6(+0x7780e)[0x7f47ca23580e]
./src/ipdecap(+0x22d3)[0x55b2e04852d3]
/usr/lib/x86_64-linux-gnu/libpcap.so.0.8(+0x1faad)[0x7f47ca57caad]
./src/ipdecap(+0x1ab3)[0x55b2e0484ab3]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f47ca1de2e1]
./src/ipdecap(+0x1cea)[0x55b2e0484cea]
======= Memory map: ========
55b2e0483000-55b2e0488000 r-xp 00000000 08:01 3806544                    /home/loic/ipdecap.github/src/ipdecap
55b2e0687000-55b2e0688000 r--p 00004000 08:01 3806544                    /home/loic/ipdecap.github/src/ipdecap
55b2e0688000-55b2e0689000 rw-p 00005000 08:01 3806544                    /home/loic/ipdecap.github/src/ipdecap
55b2e1bae000-55b2e1bcf000 rw-p 00000000 00:00 0                          [heap]
7f47c4000000-7f47c4021000 rw-p 00000000 00:00 0
7f47c4021000-7f47c8000000 ---p 00000000 00:00 0
7f47c9b86000-7f47c9b9c000 r-xp 00000000 08:01 1441897                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f47c9b9c000-7f47c9d9b000 ---p 00016000 08:01 1441897                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f47c9d9b000-7f47c9d9c000 r--p 00015000 08:01 1441897                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f47c9d9c000-7f47c9d9d000 rw-p 00016000 08:01 1441897                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f47c9d9d000-7f47c9db5000 r-xp 00000000 08:01 1442933                    /lib/x86_64-linux-gnu/libpthread-2.24.so
7f47c9db5000-7f47c9fb4000 ---p 00018000 08:01 1442933                    /lib/x86_64-linux-gnu/libpthread-2.24.so
7f47c9fb4000-7f47c9fb5000 r--p 00017000 08:01 1442933                    /lib/x86_64-linux-gnu/libpthread-2.24.so
7f47c9fb5000-7f47c9fb6000 rw-p 00018000 08:01 1442933                    /lib/x86_64-linux-gnu/libpthread-2.24.so
7f47c9fb6000-7f47c9fba000 rw-p 00000000 00:00 0
7f47c9fba000-7f47c9fbd000 r-xp 00000000 08:01 1442921                    /lib/x86_64-linux-gnu/libdl-2.24.so
7f47c9fbd000-7f47ca1bc000 ---p 00003000 08:01 1442921                    /lib/x86_64-linux-gnu/libdl-2.24.so
7f47ca1bc000-7f47ca1bd000 r--p 00002000 08:01 1442921                    /lib/x86_64-linux-gnu/libdl-2.24.so
7f47ca1bd000-7f47ca1be000 rw-p 00003000 08:01 1442921                    /lib/x86_64-linux-gnu/libdl-2.24.so
7f47ca1be000-7f47ca353000 r-xp 00000000 08:01 1442918                    /lib/x86_64-linux-gnu/libc-2.24.so
7f47ca353000-7f47ca553000 ---p 00195000 08:01 1442918                    /lib/x86_64-linux-gnu/libc-2.24.so
7f47ca553000-7f47ca557000 r--p 00195000 08:01 1442918                    /lib/x86_64-linux-gnu/libc-2.24.so
7f47ca557000-7f47ca559000 rw-p 00199000 08:01 1442918                    /lib/x86_64-linux-gnu/libc-2.24.so
7f47ca559000-7f47ca55d000 rw-p 00000000 00:00 0
7f47ca55d000-7f47ca59d000 r-xp 00000000 08:01 411855                     /usr/lib/x86_64-linux-gnu/libpcap.so.1.8.1
7f47ca59d000-7f47ca79c000 ---p 00040000 08:01 411855                     /usr/lib/x86_64-linux-gnu/libpcap.so.1.8.1
7f47ca79c000-7f47ca79e000 r--p 0003f000 08:01 411855                     /usr/lib/x86_64-linux-gnu/libpcap.so.1.8.1
7f47ca79e000-7f47ca79f000 rw-p 00041000 08:01 411855                     /usr/lib/x86_64-linux-gnu/libpcap.so.1.8.1
7f47ca79f000-7f47caa04000 r-xp 00000000 08:01 405669                     /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f47caa04000-7f47cac03000 ---p 00265000 08:01 405669                     /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f47cac03000-7f47cac21000 r--p 00264000 08:01 405669                     /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f47cac21000-7f47cac2f000 rw-p 00282000 08:01 405669                     /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f47cac2f000-7f47cac32000 rw-p 00000000 00:00 0
7f47cac32000-7f47cac55000 r-xp 00000000 08:01 1441898                    /lib/x86_64-linux-gnu/ld-2.24.so
7f47cae47000-7f47cae49000 rw-p 00000000 00:00 0
7f47cae51000-7f47cae55000 rw-p 00000000 00:00 0
7f47cae55000-7f47cae56000 r--p 00023000 08:01 1441898                    /lib/x86_64-linux-gnu/ld-2.24.so
7f47cae56000-7f47cae57000 rw-p 00024000 08:01 1441898                    /lib/x86_64-linux-gnu/ld-2.24.so
7f47cae57000-7f47cae58000 rw-p 00000000 00:00 0
7fffd50e3000-7fffd5104000 rw-p 00000000 00:00 0                          [stack]
7fffd516c000-7fffd516e000 r--p 00000000 00:00 0                          [vvar]
7fffd516e000-7fffd5170000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted

This looks bad. The abort comes from glibc's malloc consistency checks (the three libc frames at the top of the backtrace), triggered from an ipdecap function called back by libpcap while processing the very first packet. The backtrace carries only load offsets, no symbols, so it does not yet say which free() in ipdecap is at fault. One caveat before assuming a literal second free(): the “(out)” variant of that glibc message fires when the size field of the chunk being freed points past the end of the heap, so a heap buffer overflow that has trampled a chunk header produces exactly the same abort.