Closed widgetii closed 3 years ago
Out-of-bounds access has been detected by ASan:

```
19:47:47 [ rtsp] listener_cb@119 New RTSP client from: 192.168.28.107:64136
=================================================================
==8322==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff3de17301 at pc 0x7f81d04c42f8 bp 0x7fff3de17150 sp 0x7fff3de168d8
WRITE of size 2 at 0x7fff3de17301 thread T0
    #0 0x7f81d04c42f7 in scanf_common /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:342
    #1 0x7f81d04c5193 in __interceptor___isoc99_vsscanf /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1534
    #2 0x7f81d04c52af in __interceptor___isoc99_sscanf /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1557
    #3 0x55fc5a7c122e in SmolRTSP_RTSPVersion_deserialize /home/dima/git/majestic/thirdparty/smolrtsp/src/rtsp_version.c:52
    #4 0x55fc5a7bfec9 in SmolRTSP_RequestLine_deserialize /home/dima/git/majestic/thirdparty/smolrtsp/src/request_line.c:35
    #5 0x55fc5a7bd1a7 in SmolRTSP_Request_deserialize /home/dima/git/majestic/thirdparty/smolrtsp/src/request.c:24
    #6 0x55fc5a75f239 in RTSPClient_on_data /home/dima/git/majestic/src/rtsp/rtsp_client.c:274
    #7 0x55fc5a76464d in RTSPClient_consume_data /home/dima/git/majestic/src/rtsp/rtsp_client.c:261
    #8 0x55fc5a75ce04 in rtsp_on_read /home/dima/git/majestic/src/rtsp/rtsp.c:50
    #9 0x7f81d03aeda7 in bufferevent_run_readcb_ (/usr/lib/libevent-2.1.so.7+0x18da7)
    #10 0x7f81d03b3e24 (/usr/lib/libevent-2.1.so.7+0x1de24)
    #11 0x7f81d03ba16d (/usr/lib/libevent-2.1.so.7+0x2416d)
    #12 0x7f81d03baa7e in event_base_loop (/usr/lib/libevent-2.1.so.7+0x24a7e)
    #13 0x55fc5a730171 in main /home/dima/git/majestic/src/main.c:220
    #14 0x7f81d0070b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #15 0x55fc5a71a20d (/home/dima/git/majestic/build/majestic+0x3420d)

Address 0x7fff3de17301 is located in stack of thread T0 at offset 33 in frame
    #0 0x55fc5a7c1029 in SmolRTSP_RTSPVersion_deserialize /home/dima/git/majestic/thirdparty/smolrtsp/src/rtsp_version.c:33

  This frame has 3 object(s):
    [32, 33) 'major_int' (line 48) <== Memory access at offset 33 overflows this variable
    [48, 49) 'minor_int' (line 48)
    [64, 128) 'fmt' (line 49)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:342 in scanf_common
Shadow bytes around the buggy address:
  0x100067bbae10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100067bbae20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100067bbae30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100067bbae40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100067bbae50: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x100067bbae60:[01]f2 01 f2 00 00 00 00 00 00 00 00 f3 f3 f3 f3
  0x100067bbae70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100067bbae80: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2
  0x100067bbae90: f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00
  0x100067bbaea0: 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x100067bbaeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==8322==ABORTING
```
It turns out it happens in rtsp_version.c:52 while calling `sscanf(major.ptr, fmt, &major_int)`, and the actual values are:

- `major.ptr` is `'1.0 CSeq: 2 User-Agent: LibVLC/3.0.8 (LIVE555 Streaming Media v2016.11.28)'` (multiline string values between '')
- `fmt` is `25824`

It's weird because sscanf is used mostly with a format string in the first argument (not with actual data received from a client).

Closed by https://github.com/Hirrolot/smolrtsp/commit/5c8de25306c7c596cd20d8552ac99409e23664ad.
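The report above shows `scanf_common` performing a 2-byte WRITE into `major_int`, a 1-byte stack object, with the conversion coming from a 64-byte `fmt` buffer that is built at runtime, and the `major.ptr` value shows that the slice being scanned runs on through `CSeq` and `User-Agent` rather than ending at the version token. The following is an added example written for this page; it is not code from smolrtsp, majestic or the fix commit. It puts the pattern the frame layout suggests beside a length-bounded parser. The `Slice` type, the `%hd` conversion and the `RTSP/` prefix handling are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Non-owning view into the receive buffer. It is not NUL-terminated, which is
 * why sscanf (which scans up to a terminator) is a poor fit for it. The name
 * and layout are assumed for this example; they are not smolrtsp's own types. */
typedef struct {
    const char *ptr;
    size_t len;
} Slice;

/* Unsafe pattern, reconstructed from the frame layout in the ASan report:
 * 1-byte major_int/minor_int and a 64-byte fmt buffer built at runtime.
 * The report shows a 2-byte write into the 1-byte object; it is an assumption
 * that a short-width conversion ("%...hd") caused it. Because fmt is not a
 * string literal, -Wformat cannot check the width against the destination,
 * and the second byte of the short lands in the stack redzone.
 * Kept for comparison only; it is never called below. */
int parse_component_unsafe(Slice s, uint8_t *out)
{
    char fmt[64];
    snprintf(fmt, sizeof fmt, "%%%zuhd", s.len); /* e.g. "%1hd" */
    return sscanf(s.ptr, fmt, out) == 1;          /* 2-byte store into 1 byte */
}

/* Hardened parser: bounded by the slice length, never reads past it, never
 * relies on a terminator, and range-checks before storing into the uint8_t.
 * Returns 0 on success, -1 on malformed input. */
int parse_component(Slice s, uint8_t *out)
{
    if (s.len == 0 || s.len > 3)   /* 0..255 needs at most three digits */
        return -1;
    unsigned value = 0;
    for (size_t i = 0; i < s.len; i++) {
        char c = s.ptr[i];
        if (c < '0' || c > '9')
            return -1;
        value = value * 10 + (unsigned)(c - '0');
    }
    if (value > UINT8_MAX)
        return -1;
    *out = (uint8_t)value;
    return 0;
}

/* Parses "RTSP/<major>.<minor>" at the start of buf, reading at most len
 * bytes. Returns the number of bytes consumed, or 0 on any error; the caller
 * decides what may follow (CRLF in a request line). */
size_t parse_rtsp_version(const char *buf, size_t len,
                          uint8_t *major, uint8_t *minor)
{
    static const char prefix[] = "RTSP/";
    const size_t plen = sizeof prefix - 1;
    if (len < plen || memcmp(buf, prefix, plen) != 0)
        return 0;

    size_t i = plen, start = plen;
    while (i < len && buf[i] >= '0' && buf[i] <= '9')
        i++;
    if (i >= len || buf[i] != '.')           /* no '.' inside the buffer */
        return 0;
    if (parse_component((Slice){ buf + start, i - start }, major) != 0)
        return 0;

    start = ++i;
    while (i < len && buf[i] >= '0' && buf[i] <= '9')
        i++;
    if (parse_component((Slice){ buf + start, i - start }, minor) != 0)
        return 0;
    return i;
}

/* Small wrappers so the results can be checked as plain integers. */
int component_value(const char *p, size_t len)
{
    uint8_t v;
    return parse_component((Slice){ p, len }, &v) == 0 ? (int)v : -1;
}

int version_code(const char *req, size_t len)
{
    uint8_t major, minor;
    if (parse_rtsp_version(req, len, &major, &minor) == 0)
        return -1;
    return major * 1000 + minor;
}

int main(void)
{
    /* Constructed request-line tail, shaped like the one in the report. */
    const char req[] = "RTSP/1.0\r\nCSeq: 2\r\nUser-Agent: LibVLC/3.0.8\r\n";
    printf("version code: %d\n", version_code(req, sizeof req - 1));
    printf("3-digit overflow rejected: %d\n", component_value("300", 3));
    return 0;
}
```

Two things the report makes visible are worth checking for in any scanf-family call over network input: the scanned region must be bounded by the slice length rather than by a terminator (the `major.ptr` value shows the slice continuing into the next headers), and the conversion's width modifier must match the destination type, which the compiler can only verify for literal formats (GCC's `-Wformat-nonliteral`, included in `-Wformat=2`, at least flags the runtime-built case). The manual digit loop above avoids both traps and makes the 0..255 range check explicit before the store.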