You are viewing a plain text version of this content. The canonical link for it is here.
Posted to proton@qpid.apache.org by "Andrew Stitcher (JIRA)" <ji...@apache.org> on 2016/02/02 23:32:39 UTC
[jira] [Commented] (PROTON-649) pn_data_vfill buffer read overflow
on input beginning with '['
[ https://issues.apache.org/jira/browse/PROTON-649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15129201#comment-15129201 ]
Andrew Stitcher commented on PROTON-649:
----------------------------------------
This was fixed by [~dnwe] in commit dddfde20 last year. - looks like it went into 0.10.
> pn_data_vfill buffer read overflow on input beginning with '['
> --------------------------------------------------------------
>
> Key: PROTON-649
> URL: https://issues.apache.org/jira/browse/PROTON-649
> Project: Qpid Proton
> Issue Type: Bug
> Components: proton-c
> Affects Versions: 0.7, 0.8
> Reporter: Sahir Hoda
> Labels: patch
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> If the first character of the format string passed to pn_data_vfill is '[', the function will access memory at one byte preceding the format buffer. This is due to the following check:
> {code}
> case '[':
> if (*(fmt - 2) != 'T') {
> {code}
> if the format character is '[', the memory location preceding the format character is read. If the string begins with '[', however, this read is invalid.
> I didn't test with proton-0.8, but it appears from code review that the issue exists there as well.
> The following patch protects against the invalid memory access:
> {code}
> --- a/proton-c/src/codec/codec.c
> +++ b/proton-c/src/codec/codec.c
> @@ -467,6 +467,7 @@ int pn_data_intern_node(pn_data_t *data, pni_node_t *node)
> int pn_data_vfill(pn_data_t *data, const char *fmt, va_list ap)
> {
> int err;
> + const char * orig_fmt = fmt;
> while (*fmt) {
> char code = *(fmt++);
> if (!code) return 0;
> @@ -568,7 +569,7 @@ int pn_data_vfill(pn_data_t *data, const char *fmt, va_list ap)
> }
> break;
> case '[':
> - if (*(fmt - 2) != 'T') {
> + if ((fmt == (orig_fmt + 1)) || *(fmt - 2) != 'T') {
> err = pn_data_put_list(data);
> if (err) return err;
> pn_data_enter(data);
> {code}
> I ran into this issue while testing with AddressSanitizer (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer), here is the relevant output:
> {noformat}
> =================================================================
> ==15828==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f260637315f at pc 0x7f26062eb6d6 bp 0x7f2602fdaaa0 sp 0x7f2602fdaa98
> READ of size 1 at 0x7f260637315f thread T23
> #0 0x7f26062eb6d5 in pn_data_vfill qpid-proton/proton-c/src/codec/codec.c:573
> #1 0x7f26062ecabd in pn_data_fill qpid-proton/proton-c/src/codec/codec.c:667
> #2 0x7f2606319655 in pni_disposition_encode qpid-proton/proton-c/src/transport/transport.c:384
> #3 0x7f26063267de in pn_post_disp qpid-proton/proton-c/src/transport/transport.c:1392
> #4 0x7f2606328ddc in pn_process_tpwork_receiver qpid-proton/proton-c/src/transport/transport.c:1488
> #5 0x7f2606329319 in pn_process_tpwork qpid-proton/proton-c/src/transport/transport.c:1521
> #6 0x7f260632ad8e in pn_phase qpid-proton/proton-c/src/transport/transport.c:1693
> #7 0x7f260632ae71 in pn_process qpid-proton/proton-c/src/transport/transport.c:1711
> #8 0x7f260632b50e in pn_output_write_amqp qpid-proton/proton-c/src/transport/transport.c:1760
> #9 0x7f260632d26b in pn_io_layer_output_passthru qpid-proton/proton-c/src/transport/transport.c:1973
> #10 0x7f260632d26b in pn_io_layer_output_passthru qpid-proton/proton-c/src/transport/transport.c:1973
> #11 0x7f260632bf04 in transport_produce qpid-proton/proton-c/src/transport/transport.c:1802
> #12 0x7f260632e119 in pn_transport_pending qpid-proton/proton-c/src/transport/transport.c:2076
> #13 0x7f26063591f0 in pn_connector_process qpid-proton/proton-c/src/posix/driver.c:507
> ...
> 0x7f260637315f is located 52 bytes to the right of global variable '*.LC6' from 'qpid-proton/proton-c/src/transport/transport.c' (0x7f2606373120) of size 11
> '*.LC6' is ascii string '[?DL[sSC]]'
> 0x7f260637315f is located 1 bytes to the left of global variable '*.LC7' from 'qpid-proton/proton-c/src/transport/transport.c' (0x7f2606373160) of size 6
> '*.LC7' is ascii string '[ooC]'
> SUMMARY: AddressSanitizer: global-buffer-overflow qpid-proton/proton-c/src/codec/codec.c:573 pn_data_vfill
> Shadow bytes around the buggy address:
> 0x0fe540c665d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0fe540c665e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0fe540c665f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0fe540c66600: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 01 f9 f9
> 0x0fe540c66610: f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9 00 02 f9 f9
> =>0x0fe540c66620: f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9[f9]06 f9 f9 f9
> 0x0fe540c66630: f9 f9 f9 f9 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9
> 0x0fe540c66640: 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00
> 0x0fe540c66650: 00 00 00 00 00 00 00 00 00 00 01 f9 f9 f9 f9 f9
> 0x0fe540c66660: 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 00 00 00 00
> 0x0fe540c66670: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 04 f9 f9
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Contiguous container OOB:fc
> ASan internal: fe
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)