Skip to content

Unvalidated Slice Allocation via CaptureLen (pcap) #102

Description

@fako1024

Summary

The nextPacket function converts pktHeader.CaptureLen to an int without validation and passes it directly to slice allocation. A remote attacker supplies a malformed header with an oversized or negative length value. This triggers unbounded memory allocation or immediate process termination, followed by unconditional callback execution that passes stale buffer data to caller code.

Vulnerable Code

capture/pcap/pcap.go:

snapLen := int(pktHeader.CaptureLen) // Unvalidated conversion of network-controlled length
data := make([]byte, snapLen)        // Direct allocation without bounds check
s.nextPacketData(data)
callback(data, err)                  // Executes regardless of allocation error

The code passes an unchecked integer length directly to memory allocation, causing panic or resource exhaustion.

Steps to Reproduce

Prerequisites:

  • Remote network access to the target service
  • Packet crafting capability (e.g., Scapy, custom Go net package)

Step 1: Craft a packet header with CaptureLen set to a value exceeding 2^31 or negative.

Step 2: Transmit the malformed packet to the target service.

Step 3: Observe the nextPacket function executing make([]byte, snapLen) with the invalid length, triggering immediate panic or OOM, followed by stale buffer processing.

Tested: Docker container, April 2026.

Impact

  • Immediate process panic on 32-bit architectures due to invalid slice size
  • Severe memory exhaustion and OOM kill on 64-bit architectures due to unbounded allocation
  • Unconditional callback execution delivers stale buffer contents to caller logic
  • Predictable crash and potential information leak during network error conditions

Metadata

Metadata

Assignees

Labels

bugSomething isn't workingsecuritySecurity / vulnerability related issues

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions