ClausKlein / netkit-tftp

This c++ tftpd is based on netkit-tftp-0.17 for Linux.

AddressSanitizer: heap-buffer-overflow in option_test

ClausKlein opened this issue · comments

While working on PR #1 I found this:

bash-3.2$ make
cmake --build /Users/clausklein/Workspace/cpp/.build-netkit-tftp-Debug
ninja: no work to do.
bash-3.2$ cd ../.build-netkit-tftp-Debug/
bash-3.2$ bin/option_test 
option_test(12295,0x7ff8517d48c0) malloc: nano zone abandoned due to inability to preallocate reserved vm space.
/tmp/tftpboot/testfile.dat segsize:1047 tsize:12345678910 timeout: 33
/tmp/tftpboot/testfile.dat segsize:32768 tsize:0 timeout: 2000
/tmp/tftpboot/testfile.dat segsize:1024 tsize:0 timeout: 10
/tmp/tftpboot/minimal.dat segsize:65464 tsize:0 timeout: 1000
=================================================================
==12295==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000001fa1 at pc 0x00010cdbb81b bp 0x7ff7b3276750 sp 0x7ff7b3276748
READ of size 1 at 0x603000001fa1 thread T0
    #0 0x10cdbb81a in tftpd::tftp(std::__1::vector<char, std::__1::allocator<char> > const&, __sFILE*&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&, std::__1::vector<char, std::__1::allocator<char> >&) tftpd_utils.cpp:136
    #1 0x10cc92dc0 in main option_test.cpp:112
    #2 0x7ff80db7130f  (<unknown module>)

0x603000001fa1 is located 0 bytes to the right of 17-byte region [0x603000001f90,0x603000001fa1)
allocated by thread T0 here:
    #0 0x10d60e20d in wrap__Znwm+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5c20d)
    #1 0x10ccab99e in void* std::__1::__libcpp_operator_new<unsigned long>(unsigned long) new:235
    #2 0x10ccab738 in std::__1::__libcpp_allocate(unsigned long, unsigned long) new:261
    #3 0x10ccab5d5 in std::__1::allocator<char>::allocate(unsigned long) allocator.h:108
    #4 0x10ccaaf06 in std::__1::allocator_traits<std::__1::allocator<char> >::allocate(std::__1::allocator<char>&, unsigned long) allocator_traits.h:262
    #5 0x10ccad6f8 in std::__1::vector<char, std::__1::allocator<char> >::__vallocate(unsigned long) vector:1015
    #6 0x10ccad4a2 in std::__1::vector<char, std::__1::allocator<char> >::vector<char const*>(char const*, std::__1::enable_if<(__is_cpp17_forward_iterator<char const*>::value) && (is_constructible<char, std::__1::iterator_traits<char const*>::reference>::value), char const*>::type) vector:1245
    #7 0x10cc937fc in std::__1::vector<char, std::__1::allocator<char> >::vector<char const*>(char const*, std::__1::enable_if<(__is_cpp17_forward_iterator<char const*>::value) && (is_constructible<char, std::__1::iterator_traits<char const*>::reference>::value), char const*>::type) vector:1238
    #8 0x10cc92d9a in main option_test.cpp:112
    #9 0x7ff80db7130f  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow tftpd_utils.cpp:136 in tftpd::tftp(std::__1::vector<char, std::__1::allocator<char> > const&, __sFILE*&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&, std::__1::vector<char, std::__1::allocator<char> >&)
Shadow bytes around the buggy address:
  0x1c06000003a0: fd fd fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x1c06000003b0: 00 00 00 00 fa fa fd fd fd fd fa fa 00 00 00 02
  0x1c06000003c0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x1c06000003d0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x1c06000003e0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fa
=>0x1c06000003f0: fa fa 00 00[01]fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600000400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600000410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600000420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600000430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600000440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12295==ABORTING
Abort trap: 6
bash-3.2$
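As an added example (not the netkit-tftp project's code) of the defensive pattern this report calls for: a std::vector<char> built from a char pointer range, as at option_test.cpp:112, carries no trailing NUL, so any strlen-style walk over the request body runs to the byte just after the 17-byte region, which is exactly where ASan flags the 1-byte read. The parser below bounds every string read by size() and rejects a truncated body instead; that the read at tftpd_utils.cpp:136 is such a walk is an assumption, and the request bodies are constructed inputs, not the test data from the issue.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

struct TftpRequest {
    std::string filename;
    std::string mode;
    std::vector<std::pair<std::string, std::string> > options;  // (name, value)
};

// Read one NUL-terminated string at pos; false if no NUL before buf.size(),
// so a truncated packet is rejected instead of read past the vector's end.
static bool readCString(const std::vector<char>& buf, std::size_t& pos,
                        std::string& out) {
    std::size_t start = pos;
    while (pos < buf.size() && buf[pos] != '\0') ++pos;
    if (pos == buf.size()) return false;   // ran out of bytes before the NUL
    out.assign(buf.data() + start, pos - start);
    ++pos;                                 // skip the terminator
    return true;
}

// Parse a request body "filename\0mode\0[opt\0val\0]*" (RFC 1350 request
// after the 2-byte opcode, RFC 2347 options). False on any missing NUL.
bool parseRequest(const std::vector<char>& body, TftpRequest& req) {
    std::size_t pos = 0;
    if (!readCString(body, pos, req.filename) || req.filename.empty()) return false;
    if (!readCString(body, pos, req.mode) || req.mode.empty()) return false;
    while (pos < body.size()) {            // every option needs name AND value
        std::string name, value;
        if (!readCString(body, pos, name) || !readCString(body, pos, value)) return false;
        req.options.push_back(std::make_pair(name, value));
    }
    return true;
}

// The parsed request, or an empty one when the body is rejected.
TftpRequest parsedOrEmpty(const std::vector<char>& body) {
    TftpRequest req;
    return parseRequest(body, req) ? req : TftpRequest();
}

// Constructed inputs (not from the issue): a complete request, and a 17-byte
// body whose last string lacks its NUL, the shape of the region in the report.
// Literals are split so "\0" does not merge with a following digit into an octal escape.
static const char kGood[] = "f.dat\0octet\0tsize\0" "0\0blksize\0" "1024\0";
const std::vector<char> kGoodBody(kGood, kGood + sizeof(kGood) - 1);
static const char kTrunc[] = "f.dat\0octet\0tsize";  // 17 bytes, no final NUL
const std::vector<char> kTruncBody(kTrunc, kTrunc + sizeof(kTrunc) - 1);
```

Running the same two bodies through the sanitizer build would show the checked parser clean on kTruncBody, where an unbounded walk reports the read at offset 17.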