search

OpenKMIP / libkmip

A C implementation of the KMIP specification.
Other
38 stars 25 forks source link

Segmentation fault on NULL pointer dereference #30

Closed AndrzejJakowski closed 4 years ago

AndrzejJakowski commented 4 years ago

I'm using version 0.2.0 of libkmip based off commit 5b4e67, with my custom application in which I connect to pyKMIP server using libkmip library. When pyKMIP server time is not synchronized with my server, that is my server time is in future relative to pyKMIP server time, pyKMIP server rejects requests from my server with following error: 2019-12-16 10:05:37,450 - kmip.server.engine - WARNING - Received request with future timestamp. Received timestamp: 1576515938, Current timestamp: 1576515937 I believe that it is fine for pyKMIP server to reject such request, but when my server receives response with indication of that error then app crashes. I have invesitgated that problem a little bit and found out that there is a likely problem in the libkmip library code:

#0  0x0000000000424e5b in kmip_bio_create_symmetric_key (bio=0x6649e0, template_attribute=0x7fffffffcf50, id=0x7fffffffd010, 
    id_size=0x7fffffffcff4) at kmip_bio.c:200
200     TextString *unique_identifier = pld->unique_identifier;
(gdb) list
195     
196     ResponseBatchItem resp_item = resp_m.batch_items[0];
197     result = resp_item.result_status;
198     
199     CreateResponsePayload *pld = (CreateResponsePayload *)resp_item.response_payload;
200     TextString *unique_identifier = pld->unique_identifier;
201     
202     /* KMIP text strings are not null-terminated by default. Add an extra */
203     /* character to the end of the UUID copy to make space for the null   */
204     /* terminator.                                                        */
(gdb) p pld
$5 = (CreateResponsePayload *) 0x0
(gdb) p resp_item.response_payload 
$6 = (void *) 0x0
(gdb) p resp_item
$7 = {operation = (unknown: 0), unique_batch_item_id = 0x0, result_status = KMIP_STATUS_OPERATION_FAILED, 
  result_reason = KMIP_REASON_INVALID_MESSAGE, result_message = 0x6648d0, asynchronous_correlation_value = 0x0, 
  response_payload = 0x0}
(gdb) c
Continuing.

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.

Actual crash happens in line 200 of kmip_bio.c. while unique_identifier is being dereferenced. I think it should be conditionally dereferenced when resposne result_Status is success. In my scenario respons result is INVALID_MESSAGE (I believe that due to time synchronization problem that I described earlier)

(gdb) p resp_item
$7 = {operation = (unknown: 0), unique_batch_item_id = 0x0, result_status = KMIP_STATUS_OPERATION_FAILED, 
  result_reason = KMIP_REASON_INVALID_MESSAGE, result_message = 0x6648d0, asynchronous_correlation_value = 0x0, 
  response_payload = 0x0}
PeterHamilton commented 4 years ago

Hi @AndrzejJakowski, thank you for filing this issue. I completely missed the notification for this and only just noticed it; my apologies for taking so long to reply.

You are correct, the message status should be checked before the unique identifier is dereferenced. I'll have a patch for that posted soon.