Null Pointer Dereference in light_get_next_packet via Missing Section Header Block #1873

@Benzhang2004

Description

Bug description

Describe the bug
We are a team of security researchers at UC Berkeley. We recently identified a bug in the latest version of the PcapPlusPlus library. In 3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng_ext.c, a null pointer dereference exception is triggered on line 419, in the light_get_next_packet function. The cause appears to originate from line 55, where _create_file_info returns NULL due to a missing or invalid Section Header Block. This NULL is then stored as pcapng->file_info without validation during light_pcapng_open_read, and later accessed directly without null-checks, specifically at line 419.

Error trace

=================================================================
==18==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000048 (pc 0x5597ab5c3ba6 bp 0x7ffc47821670 sp 0x7ffc478215a0 T0)
==18==The signal is caused by a READ memory access.
==18==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x5597ab5c3ba6 in light_get_next_packet /src/PcapPlusPlus/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng_ext.c:419:46
    #1 0x5597ab59880c in pcpp::PcapNgFileReaderDevice::getNextPacket(pcpp::RawPacket&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) /src/PcapPlusPlus/Pcap++/src/PcapFileDevice.cpp:421:8
    #2 0x5597ab59a835 in pcpp::PcapNgFileReaderDevice::getNextPacket(pcpp::RawPacket&) /src/PcapPlusPlus/Pcap++/src/PcapFileDevice.cpp:462:10
    #3 0x5597ab58e9a9 in pcpp::IFileReaderDevice::getNextPackets(pcpp::PointerVector<pcpp::RawPacket, std::__1::default_delete<pcpp::RawPacket>>&, int) /src/PcapPlusPlus/Pcap++/src/PcapFileDevice.cpp:135:22
    #4 0x5597ab57c43d in LLVMFuzzerTestOneInput /src/PcapPlusPlus/Tests/Fuzzers/FuzzTarget.cpp:46:14
    #5 0x5597ab430110 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #6 0x5597ab41b385 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #7 0x5597ab420e1f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #8 0x5597ab44c0c2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #9 0x7f5f3794d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
    #10 0x5597ab41356d in _start (/out/FuzzTargetNg+0x1cb56d)

DEDUP_TOKEN: light_get_next_packet--pcpp::PcapNgFileReaderDevice::getNextPacket(pcpp::RawPacket&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&)--pcpp::PcapNgFileReaderDevice::getNextPacket(pcpp::RawPacket&)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/PcapPlusPlus/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng_ext.c:419:46 in light_get_next_packet
==18==ABORTING

Reproducing

$OUT/FuzzTargetNg poc

You may find the original input that caused this error below, with sha256 checksum 8b1ab3843ccb43994e6b38d762da07982692c8ee64f3dbbc7365193e9b945d3e.
poc.zip

PcapPlusPlus versions tested on

PcapPlusPlus master branch

Other PcapPlusPlus version (if applicable)

No response

Operating systems tested on

Linux

Other operating systems (if applicable)

No response

Compiler version

CMake 3.29.2

Packet capture backend (if applicable)

No response
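The failure pattern the report describes, as an added C example that is not LightPcapNg's or PcapPlusPlus's code: a stand-in create_file_info that returns NULL when the file does not begin with a Section Header Block, the unchecked open that stores that NULL for a later caller to trip over, and a hardened open plus a guarded reader that reject the file instead. All types, function names and the two sample buffers are constructed for this example; only the SHB block type and minimal layout come from the pcapng format.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in types, not the LightPcapNg definitions. */
#define SHB_BLOCK_TYPE 0x0A0D0D0AU  /* pcapng Section Header Block type */
#define SHB_MIN_LEN 28U             /* smallest well-formed SHB, in bytes */
typedef struct { uint32_t block_len; } file_info_t;
typedef struct { const uint8_t *data; size_t len; file_info_t *file_info; } pcapng_t;
/* Stand-in for _create_file_info: NULL unless the file starts with a valid SHB. */
static file_info_t *create_file_info(const uint8_t *data, size_t len) {
    uint32_t type, block_len;
    if (data == NULL || len < SHB_MIN_LEN) return NULL;
    memcpy(&type, data, 4);
    memcpy(&block_len, data + 4, 4);
    if (type != SHB_BLOCK_TYPE || block_len < SHB_MIN_LEN || block_len > len) return NULL;
    file_info_t *fi = calloc(1, sizeof *fi);
    if (fi) fi->block_len = block_len;
    return fi;
}
/* The reported pattern: the NULL is stored and only discovered on first use. */
pcapng_t *open_read_unchecked(const uint8_t *data, size_t len) {
    pcapng_t *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->data = data; p->len = len;
    p->file_info = create_file_info(data, len);  /* may be NULL: nobody checks */
    return p;
}
/* Hardened open: refuse the file up front rather than return a half-built handle. */
pcapng_t *open_read_checked(const uint8_t *data, size_t len) {
    file_info_t *fi = create_file_info(data, len);
    if (fi == NULL) return NULL;  /* missing or invalid SHB: fail here, not later */
    pcapng_t *p = calloc(1, sizeof *p);
    if (!p) { free(fi); return NULL; }
    p->data = data; p->len = len; p->file_info = fi;
    return p;
}
/* Defensive consumer: -1 instead of dereferencing a NULL file_info. */
int get_next_packet(const pcapng_t *p, uint32_t *shb_len) {
    if (p == NULL || p->file_info == NULL) return -1;
    *shb_len = p->file_info->block_len;
    return 0;
}
void close_read(pcapng_t *p) { if (p) { free(p->file_info); free(p); } }
/* Constructed inputs: a minimal 28-byte SHB, and a file whose first block is not an SHB. */
const uint8_t WITH_SHB[28] = { 0x0A,0x0D,0x0D,0x0A, 28,0,0,0, 0x4D,0x3C,0x2B,0x1A, 1,0, 0,0,
                               0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 28,0,0,0 };
const uint8_t NO_SHB[28] = { 6,0,0,0, 28,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,0,0,0,0, 28,0,0,0 };
```

With the checked open, a truncated or SHB-less input is rejected before any handle exists, so the later reader never sees a NULL file_info.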
