pcap_create could crash by passing null errbuf

[PromptFuzz]

Hi,
when fuzzing the libpcap, I found pcap_create could be easily crashed when passing it with a NULL errbuf.

Your documentation in pcap_create haven't said that the errbuf cannot be a NULL pointer.
So I just assume that if no custom error buf is provided, the error message will be delivered to stderr or other places.

However, after I fuzzed the pcap_create("eth0", nullptr) for some rounds until some operations could cause the pcap_create failed, the pcap_create will crash if it was passed with NULL errbuf.

My environment:
CentOS 5.4

The PoC program is like that:

extern "C" int LLVMFuzzerTestOneInput_4(const uint8_t* data, size_t size) {
	
    pcap_t *handle = pcap_create("eth0", nullptr);
    ...//some operations to change the environment
    pcap_close(handle);
    return 0;
}

==707630==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc9bb8d0f81 bp 0x000000000000 sp 0x7ffeeb206180 T0)
==707630==The signal is caused by a WRITE memory access.
==707630==Hint: address points to the zero page.
    #0 0x7fc9bb8d0f81  (/lib/x86_64-linux-gnu/libc.so.6+0x8bf81) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #1 0x55c4d98bcb1a in vsnprintf /work/llvm/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1746:1
    #2 0x55c4d9a8037c in pcapint_vfmt_errmsg_for_errno /libpcap/src/libpcap/fmtutils.c:287:8
    #3 0x55c4d9a8020f in pcapint_fmt_errmsg_for_errno /libpcap/src/libpcap/fmtutils.c:275:2
    #4 0x55c4d9a23e6a in iface_get_ts_types /libpcap/src/libpcap/pcap-linux.c
    #5 0x55c4d9a23e6a in pcapint_create_interface /libpcap/src/libpcap/pcap-linux.c:354:6
    #6 0x55c4d99fcffc in pcap_create /libpcap/src/libpcap/pcap.c:2412:6
    #7 0x55c4d9969cf1 in LLVMFuzzerTestOneInput_4 /id_000004.cc:62:22

[infrastation]

In that and similar man pages the clause "errbuf is assumed to be able to hold at least PCAP_ERRBUF_SIZE chars." implies the pointer must not be NULL.

On a related note, if you manage to find a valid vulnerability, please do as the issue template says. The public bug tracker is not for vulnerability reports.

[guyharris]

Your documentation in pcap_create haven't said that the errbuf cannot be a NULL pointer.

In ec46f8e, I've updated the documentation for several functions that have an errbuf argument to indicate that errbuf is a buffer large enough to hold at least PCAP_ERRBUF_SIZE chars.

I've also, in a30f356, added annotation to routines that have such an argument to state that it must not be null, so passing a null pointer constant, at least, will get a compiler warning from GCC and Clang (other than maybe really old versions of GCC and possibly fairly old versions of Clang). While I was at it, I also added a "the return value must be used" annotation for routines such as pcap_activate() where the return code is a success/failure/warning? indication, to discourage programmers writing code that doesn't check whether pcap_activate() succeeded.

So I just assume that if no custom error buf is provided, the error message will be delivered to stderr or other places.

No, libraries should never write to the standard error or some other place that

1. might also be used by the code using libpcap in a fashion such that library routines that send the error message there might interfere with that code;
2. is not easily accessible to the code using libpcap;

so we don't do that. I will audit the code some more to make sure there are no places remaining where libpcap spews to te standard error.