Summary
The nextPacket function converts pktHeader.CaptureLen to an int without validation and passes it directly to slice allocation. A remote attacker supplies a malformed header with an oversized or negative length value. This triggers unbounded memory allocation or immediate process termination, followed by unconditional callback execution that passes stale buffer data to caller code.
Vulnerable Code
capture/pcap/pcap.go:
snapLen := int(pktHeader.CaptureLen) // Unvalidated conversion of network-controlled length
data := make([]byte, snapLen) // Direct allocation without bounds check
s.nextPacketData(data)
callback(data, err) // Executes regardless of allocation error
The code passes an unchecked integer length directly to memory allocation, causing panic or resource exhaustion.
Steps to Reproduce
Prerequisites:
- Remote network access to the target service
- Packet crafting capability (e.g., Scapy, custom Go net package)
Step 1: Craft a packet header with CaptureLen set to a value exceeding 2^31 or negative.
Step 2: Transmit the malformed packet to the target service.
Step 3: Observe the nextPacket function executing make([]byte, snapLen) with the invalid length, triggering immediate panic or OOM, followed by stale buffer processing.
Tested: Docker container, April 2026.
Impact
- Immediate process panic on 32-bit architectures due to invalid slice size
- Severe memory exhaustion and OOM kill on 64-bit architectures due to unbounded allocation
- Unconditional callback execution delivers stale buffer contents to caller logic
- Predictable crash and potential information leak during network error conditions
Summary
The nextPacket function converts pktHeader.CaptureLen to an int without validation and passes it directly to slice allocation. A remote attacker supplies a malformed header with an oversized or negative length value. This triggers unbounded memory allocation or immediate process termination, followed by unconditional callback execution that passes stale buffer data to caller code.
Vulnerable Code
capture/pcap/pcap.go:The code passes an unchecked integer length directly to memory allocation, causing panic or resource exhaustion.
Steps to Reproduce
Prerequisites:
Step 1: Craft a packet header with CaptureLen set to a value exceeding 2^31 or negative.
Step 2: Transmit the malformed packet to the target service.
Step 3: Observe the nextPacket function executing make([]byte, snapLen) with the invalid length, triggering immediate panic or OOM, followed by stale buffer processing.
Tested: Docker container, April 2026.
Impact