AddressSanitizer: heap-buffer-overflow in option_test #2

Closed
ClausKlein opened this issue Feb 8, 2023 · 0 comments · Fixed by #6
Labels: bug (Something isn't working)

Comments


ClausKlein commented Feb 8, 2023

While working on PR #1 I found this:

bash-3.2$ make
cmake --build /Users/clausklein/Workspace/cpp/.build-netkit-tftp-Debug
ninja: no work to do.
bash-3.2$ cd ../.build-netkit-tftp-Debug/
bash-3.2$ bin/option_test 
option_test(12295,0x7ff8517d48c0) malloc: nano zone abandoned due to inability to preallocate reserved vm space.
/tmp/tftpboot/testfile.dat segsize:1047 tsize:12345678910 timeout: 33
/tmp/tftpboot/testfile.dat segsize:32768 tsize:0 timeout: 2000
/tmp/tftpboot/testfile.dat segsize:1024 tsize:0 timeout: 10
/tmp/tftpboot/minimal.dat segsize:65464 tsize:0 timeout: 1000
=================================================================
==12295==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000001fa1 at pc 0x00010cdbb81b bp 0x7ff7b3276750 sp 0x7ff7b3276748
READ of size 1 at 0x603000001fa1 thread T0
    #0 0x10cdbb81a in tftpd::tftp(std::__1::vector<char, std::__1::allocator<char> > const&, __sFILE*&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&, std::__1::vector<char, std::__1::allocator<char> >&) tftpd_utils.cpp:136
    #1 0x10cc92dc0 in main option_test.cpp:112
    #2 0x7ff80db7130f  (<unknown module>)

0x603000001fa1 is located 0 bytes to the right of 17-byte region [0x603000001f90,0x603000001fa1)
allocated by thread T0 here:
    #0 0x10d60e20d in wrap__Znwm+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5c20d)
    #1 0x10ccab99e in void* std::__1::__libcpp_operator_new<unsigned long>(unsigned long) new:235
    #2 0x10ccab738 in std::__1::__libcpp_allocate(unsigned long, unsigned long) new:261
    #3 0x10ccab5d5 in std::__1::allocator<char>::allocate(unsigned long) allocator.h:108
    #4 0x10ccaaf06 in std::__1::allocator_traits<std::__1::allocator<char> >::allocate(std::__1::allocator<char>&, unsigned long) allocator_traits.h:262
    #5 0x10ccad6f8 in std::__1::vector<char, std::__1::allocator<char> >::__vallocate(unsigned long) vector:1015
    #6 0x10ccad4a2 in std::__1::vector<char, std::__1::allocator<char> >::vector<char const*>(char const*, std::__1::enable_if<(__is_cpp17_forward_iterator<char const*>::value) && (is_constructible<char, std::__1::iterator_traits<char const*>::reference>::value), char const*>::type) vector:1245
    #7 0x10cc937fc in std::__1::vector<char, std::__1::allocator<char> >::vector<char const*>(char const*, std::__1::enable_if<(__is_cpp17_forward_iterator<char const*>::value) && (is_constructible<char, std::__1::iterator_traits<char const*>::reference>::value), char const*>::type) vector:1238
    #8 0x10cc92d9a in main option_test.cpp:112
    #9 0x7ff80db7130f  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow tftpd_utils.cpp:136 in tftpd::tftp(std::__1::vector<char, std::__1::allocator<char> > const&, __sFILE*&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&, std::__1::vector<char, std::__1::allocator<char> >&)
Shadow bytes around the buggy address:
  0x1c06000003a0: fd fd fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x1c06000003b0: 00 00 00 00 fa fa fd fd fd fd fa fa 00 00 00 02
  0x1c06000003c0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x1c06000003d0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x1c06000003e0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fa
=>0x1c06000003f0: fa fa 00 00[01]fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600000400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600000410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600000420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600000430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600000440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12295==ABORTING
Abort trap: 6
bash-3.2$ 
@ClausKlein ClausKlein added the bug Something isn't working label Feb 8, 2023
@ClausKlein ClausKlein pinned this issue Feb 8, 2023
@ClausKlein ClausKlein linked a pull request Sep 14, 2023 that will close this issue
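The report above shows a 1-byte READ just past a 17-byte std::vector<char> that was built from a char const* range: the pattern a NUL-terminated-string scanner produces when the buffer lost its terminator. As an added illustration of that failure mode (not the netkit-tftp project's code; what tftpd_utils.cpp:136 actually does is not on the page, and the names `split_fields`, `parse_options` and `join_nul` are assumptions), here is a bounded parser for NUL-separated TFTP option fields that reports a missing terminator instead of reading beyond the allocation:

```cpp
// Added example: bounded parsing of NUL-separated TFTP option fields.
// Constructed to illustrate the failure mode in the ASan report above; it is
// not the netkit-tftp project's code.
#include <cstddef>
#include <initializer_list>
#include <map>
#include <optional>
#include <string>
#include <vector>

namespace demo {

// Constructed helper: concatenate fields, each followed by its NUL terminator.
std::vector<char> join_nul(std::initializer_list<std::string> fields) {
    std::vector<char> out;
    for (const auto& f : fields) {
        out.insert(out.end(), f.begin(), f.end());
        out.push_back('\0');
    }
    return out;
}

// Split buf into NUL-terminated fields without reading beyond buf.size().
// A buffer built as vector<char>(s, s + strlen(s)) lacks the final NUL; a
// scanner written as `while (*p != '\0') ++p;` then reads one byte past the
// allocation, which ASan reports as a 1-byte heap READ to the right of the
// region. Here a missing terminator is reported instead of being read past.
std::optional<std::vector<std::string>> split_fields(const std::vector<char>& buf) {
    std::vector<std::string> fields;
    std::size_t start = 0;
    for (std::size_t i = 0; i < buf.size(); ++i) {
        if (buf[i] == '\0') {
            fields.emplace_back(buf.data() + start, i - start);
            start = i + 1;
        }
    }
    if (start != buf.size()) return std::nullopt;  // last field unterminated
    return fields;
}

// Parse name/value pairs into a map; an odd field count is rejected as well.
std::optional<std::map<std::string, std::string>> parse_options(const std::vector<char>& buf) {
    auto fields = split_fields(buf);
    if (!fields || fields->size() % 2 != 0) return std::nullopt;
    std::map<std::string, std::string> opts;
    for (std::size_t i = 0; i < fields->size(); i += 2)
        opts[(*fields)[i]] = (*fields)[i + 1];
    return opts;
}

}  // namespace demo
```

Dropping the last byte of a "tsize" / "12345678910" pair yields exactly a 17-byte buffer, which this parser rejects rather than scanning past.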