hcxtools: infinite loop in hcxpcaptool

I’ve been playing around with honggfuzz and found a test case causing hcxpcaptool to be stuck in an infinite loop.

Steps to reproduce:

$ cat loop.b64
Cg0NCmAAAABNPCsaAQAAAP//////////AgAGAHg4Nl82NAAAAwAYAExpbnV4IDUuMS41LWFyY2gx
LTItQVJDSAQAEQBoY3hkdW1wdG9vbCA1LjEuNQAAAAAAAABgAAAABQAAAAAAAAAAYAAAAAUAAAAA
AAAAAGAAAAAFAAAAKAAAAH8AAAD//wAAAgAJAHdscDBzMjB1MQAAAAAAAA==

$ base64 -d loop.b64 > loop.bin
$ ./hcxpcaptool -o /dev/null loop.bin

reading from loop.bin

This uses up 100% CPU and never ends.

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 39 (28 by maintainers)

Most upvoted comments

I managed to add a libfuzzer test. After I clean up my fuzzing code a bit I’ll push it somewhere to look at and maybe integrate it into oss-fuzz. honggfuzz was able to test ~30k cases per second on an i7-5600U notebook CPU. This found another infinite loop and a crash due to a stack buffer overflow.

$ cat loop.b64
Cg0NCmAAAABNPCsaAQAAAP/////8////AgAGAHg4Nl83NAAAAwAYAExpZHV4IDUuMQAAAAJyY2gx
LTIGAAAASAQAEQBoY3hrdW1wdG9vYCA1LjEuNQAAAAAAAABgAAAABgAAABwAAAB/AAYAZAAAAAAA
AP86AAAAhAEAAAIAAAAPAAAAAAAAAGAAAAAGAAAAHAAAAH8ABgBkAKfy/////zgAAACEAQAAAgAA
AGgfAC00NDY1Mxb8+r8ABgAAAAYA

$ base64 -d loop.b64 > loop.bin
$ ./hcxpcaptool -o /dev/null loop.bin

reading from loop.bin
1300000 packets processed - be patient!
^C
$ cat crash.b64
Cg0NCmAAAABNPNQaAQABAAAAAAAAgN//AgAGAHg4Nl82NgAAAwAXAExpbnV4IDUuMS41LWFyY2gx
rTItQVJDSJzyQABoY3hkdW1wdG9vbCA1LjEuNQAAAC02MDA0MDY1NdMBAAAAAAAAgN//AgAGAHg4
Nl82NgAAAwAXAExpbnV4IDUuMS41LWFyY2gxrTItQVJDSJzyQABoY3hkdW1wdG9vbCA1LjEuNQAA
AC02MDA0MDY1NdMBAAAAAAA=

$ base64 -d crash.b64 > crash.bin
$ ./hcxpcaptool -o /dev/null crash.bin

reading from crash.bin
*** stack smashing detected ***: <unknown> terminated
Aborted (core dumped)
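Both infinite-loop test cases above (the reporter's loop.b64 and the commenter's second loop.b64) are pcapng files, a format that is a chain of blocks each carrying its own total length at the front and the back. A reader that advances by adding the length field to its offset, without checking that the length is at least 12 bytes, a multiple of 4, within the file and equal to its trailer, can be driven to loop on a fuzzed file. The following is an added example written for this page, not code from the reporter, the commenter or the hcxtools project: a small pcapng block walker with those checks, run over the two loop test cases copied verbatim from this issue (`base64.b64decode` drops the embedded newlines) and over a constructed minimal one-block file. The function and constant names (`walk_pcapng`, `minimal_shb`, `LOOP1_B64`, `LOOP2_B64`) are this example's own. It shows that both fuzzed files are malformed at their second block (the first has a total length of 0, so an unguarded offset would never advance); whether that is precisely the path hcxpcaptool looped on is not established by this issue.

```python
import base64
import struct

# Test case from the original report (loop.b64), copied from the issue.
LOOP1_B64 = """
Cg0NCmAAAABNPCsaAQAAAP//////////AgAGAHg4Nl82NAAAAwAYAExpbnV4IDUuMS41LWFyY2gx
LTItQVJDSAQAEQBoY3hkdW1wdG9vbCA1LjEuNQAAAAAAAABgAAAABQAAAAAAAAAAYAAAAAUAAAAA
AAAAAGAAAAAFAAAAKAAAAH8AAAD//wAAAgAJAHdscDBzMjB1MQAAAAAAAA==
"""

# Second infinite-loop test case from the comment (its loop.b64), copied from the issue.
LOOP2_B64 = """
Cg0NCmAAAABNPCsaAQAAAP/////8////AgAGAHg4Nl83NAAAAwAYAExpZHV4IDUuMQAAAAJyY2gx
LTIGAAAASAQAEQBoY3hrdW1wdG9vYCA1LjEuNQAAAAAAAABgAAAABgAAABwAAAB/AAYAZAAAAAAA
AP86AAAAhAEAAAIAAAAPAAAAAAAAAGAAAAAGAAAAHAAAAH8ABgBkAKfy/////zgAAACEAQAAAgAA
AGgfAC00NDY1Mxb8+r8ABgAAAAYA
"""

LOOP1_BIN = base64.b64decode(LOOP1_B64)   # 157 bytes
LOOP2_BIN = base64.b64decode(LOOP2_B64)   # 192 bytes

SHB_TYPE = 0x0A0D0D0A           # Section Header Block; reads the same in either byte order
MIN_BLOCK_LEN = 12              # block type + total length + trailing total length
LE_MAGIC = b"\x4d\x3c\x2b\x1a"  # byte-order magic 0x1A2B3C4D stored little-endian
BE_MAGIC = b"\x1a\x2b\x3c\x4d"


def walk_pcapng(data):
    """Walk the pcapng block chain in `data`.

    Returns (blocks, error): blocks is a list of (offset, block_type, total_length)
    for every block accepted; error is None when the walk reached end of file,
    otherwise a string naming the first block that failed validation.  Every
    accepted block advances the offset by at least 12, so the walk terminates.
    """
    blocks = []
    offset = 0
    endian = "<"
    while offset < len(data):
        remaining = len(data) - offset
        if remaining < 8:
            return blocks, f"block at offset {offset}: truncated header ({remaining} bytes left)"
        block_type = struct.unpack_from(endian + "I", data, offset)[0]
        if block_type == SHB_TYPE:
            # A new section may change byte order; the magic follows the length field.
            if remaining < 12:
                return blocks, f"block at offset {offset}: truncated SHB"
            magic = data[offset + 8:offset + 12]
            if magic == LE_MAGIC:
                endian = "<"
            elif magic == BE_MAGIC:
                endian = ">"
            else:
                return blocks, f"block at offset {offset}: bad byte-order magic {magic.hex()}"
        total_len = struct.unpack_from(endian + "I", data, offset + 4)[0]
        # A length below 12 (or not a multiple of 4) cannot describe a real block; if
        # trusted, a length of 0 leaves the offset unchanged forever.
        if total_len < MIN_BLOCK_LEN or total_len % 4 != 0:
            return blocks, f"block at offset {offset}: invalid total length {total_len}"
        if total_len > remaining:
            return blocks, f"block at offset {offset}: total length {total_len} exceeds remaining {remaining} bytes"
        trailer = struct.unpack_from(endian + "I", data, offset + total_len - 4)[0]
        if trailer != total_len:
            return blocks, f"block at offset {offset}: trailing length {trailer} != {total_len}"
        blocks.append((offset, block_type, total_len))
        offset += total_len
    return blocks, None


def minimal_shb():
    """A constructed, well-formed one-block pcapng file (SHB only, no options)."""
    body = struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)  # magic, major, minor, section length
    total = 8 + len(body) + 4
    return struct.pack("<II", SHB_TYPE, total) + body + struct.pack("<I", total)


def report(name, data):
    blocks, error = walk_pcapng(data)
    print(f"{name}: {len(data)} bytes, {len(blocks)} valid block(s), error: {error}")
    for offset, block_type, total_len in blocks:
        print(f"  offset {offset:5d}  type 0x{block_type:08x}  total_length {total_len}")
    return blocks, error


if __name__ == "__main__":
    report("loop1", LOOP1_BIN)
    report("loop2", LOOP2_BIN)
    report("minimal", minimal_shb())
```

Running it accepts the 96-byte Section Header Block that hcxdumptool wrote at the start of each file and then rejects the block at offset 96 in both fuzzed cases, while the constructed file walks cleanly to end of file. The same four checks (minimum length, alignment, bounds, trailer match) are what a C reader of the format needs before it does `offset += total_length`.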