Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

possible overflow bugs #17

Open
harryreps opened this issue Jan 30, 2023 · 2 comments
Open

possible overflow bugs #17

harryreps opened this issue Jan 30, 2023 · 2 comments

Comments

@harryreps
Copy link

octave-orp/clients/c/src/orpUtils.c

Lines 141 to 150 in 3ccf440

default:
if (message->type & ORP_RESPONSE_MASK)
{
printf("\tStatus : %d (%s)\n", (int)message->status, statusStr[message->status * -1]);
}
else
{
printf("\tData type: %d\n", message->dataType);
}
break;

At Line 144, there is no guarantee that message->status * -1 < sizeof(statusStr), which may lead to the following bug:

==257646==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000005 (pc 0x0000005371b0 bp 0x7fff256688e0 sp 0x7fff25668058 T0)
==257646==The signal is caused by a READ memory access.
==257646==Hint: address points to the zero page.
    #0 0x5371b0 in __sanitizer::internal_strlen(char const*) (/home/parallels/octave-orp/clients/c/bin/orp+0x5371b0)
    #1 0x4c57d6 in printf_common(void*, char const*, __va_list_tag*) (/home/parallels/octave-orp/clients/c/bin/orp+0x4c57d6)
    #2 0x4c6c4e in printf (/home/parallels/octave-orp/clients/c/bin/orp+0x4c6c4e)
    #3 0x56730c in orp_MessagePrint /home/parallels/octave-orp/clients/c/src/orpUtils.c:144:17
    #4 0x5630f7 in orp_HdlcDeframe /home/parallels/octave-orp/clients/c/src/orpClient.c:446:9
@harryreps
Copy link
Author

octave-orp/clients/c/src/orpProtocol.c

Lines 1014 to 1018 in 3ccf440

case ORP_FIELD_ID_SENT_COUNT:
state = INFIELD;
errno = 0;
msg->sentCount = strtoul((const char *)&pktBuf[offset + 1], &endPtr, 0);
if (0 != errno)

At Line 1017, offset may equal pktLen - 1. Thus, pktBuf[offset + 1] equals pktBuf[pktLen], which leads to the following overflow bug when calling strtoul:

==261454==ERROR: AddressSanitizer: SEGV on unknown address 0x6060002d0000 (pc 0x7efd0d5ef17b bp 0x000000000000 sp 0x7ffe53ff0c80 T0)
==261454==The signal is caused by a READ memory access.
    #0 0x7efd0d5ef17b in __GI_____strtoul_l_internal /build/glibc-sMfBJT/glibc-2.31/stdlib/../stdlib/strtol_l.c:432:28
    #1 0x55baad in orp_ProtocolDecode_v1 /home/parallels/octave-orp/clients/c/src/orpProtocol.c:1017:42

Similar issues may happen at Line 995, Line 1006, and other places where pktBuf[offset + 1] is used.

@harryreps
Copy link
Author

octave-orp/clients/c/src/orpProtocol.c

Lines 1054 to 1059 in 3ccf440

if (ERROR == state)
{
LE_ERROR("Failed to decode: %d %d %04X %s",
msg->type, msg->dataType, msg->sequenceNum,
pktBuf + ORP_OFFSET_VARLENGTH);

At Line 1058, pktBuf + ORP_OFFSET_VARLENGTH may overrun the buffer.

==261221==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000d4 at pc 0x0000004c5908 bp 0x7ffd3ad375a0 sp 0x7ffd3ad36d20
READ of size 1 at 0x6020000000d4 thread T0
    #0 0x4c5907 in printf_common(void*, char const*, __va_list_tag*) (/home/parallels/octave-orp/clients/c/bin/orp+0x4c5907)
    #1 0x4c6c4e in printf (/home/parallels/octave-orp/clients/c/bin/orp+0x4c6c4e)
    #2 0x55bec8 in orp_ProtocolDecode_v1 /home/parallels/octave-orp/clients/c/src/orpProtocol.c:1056:9

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@harryreps