search

SierraWireless / octave-orp

Octave Resource Protocol
MIT License
1 stars 4 forks source link

possible overflow bugs #17

Open harryreps opened 1 year ago

harryreps commented 1 year ago

https://github.com/SierraWireless/octave-orp/blob/3ccf4406a2c0cd9f5f8c081b2bf340e575158806/clients/c/src/orpUtils.c#L141-L150

At Line 144, there is no guarantee that message->status * -1 < sizeof(statusStr), which may lead to the following bug:

==257646==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000005 (pc 0x0000005371b0 bp 0x7fff256688e0 sp 0x7fff25668058 T0)
==257646==The signal is caused by a READ memory access.
==257646==Hint: address points to the zero page.
    #0 0x5371b0 in __sanitizer::internal_strlen(char const*) (/home/parallels/octave-orp/clients/c/bin/orp+0x5371b0)
    #1 0x4c57d6 in printf_common(void*, char const*, __va_list_tag*) (/home/parallels/octave-orp/clients/c/bin/orp+0x4c57d6)
    #2 0x4c6c4e in printf (/home/parallels/octave-orp/clients/c/bin/orp+0x4c6c4e)
    #3 0x56730c in orp_MessagePrint /home/parallels/octave-orp/clients/c/src/orpUtils.c:144:17
    #4 0x5630f7 in orp_HdlcDeframe /home/parallels/octave-orp/clients/c/src/orpClient.c:446:9
harryreps commented 1 year ago

https://github.com/SierraWireless/octave-orp/blob/3ccf4406a2c0cd9f5f8c081b2bf340e575158806/clients/c/src/orpProtocol.c#L1014-L1018

At Line 1017, offset may equal pktLen - 1. Thus, pktBuf[offset + 1] equals pktBuf[pktLen], which leads to the following overflow bug when calling strtoul:

==261454==ERROR: AddressSanitizer: SEGV on unknown address 0x6060002d0000 (pc 0x7efd0d5ef17b bp 0x000000000000 sp 0x7ffe53ff0c80 T0)
==261454==The signal is caused by a READ memory access.
    #0 0x7efd0d5ef17b in __GI_____strtoul_l_internal /build/glibc-sMfBJT/glibc-2.31/stdlib/../stdlib/strtol_l.c:432:28
    #1 0x55baad in orp_ProtocolDecode_v1 /home/parallels/octave-orp/clients/c/src/orpProtocol.c:1017:42

Similar issues may happen at Line 995, Line 1006, and other places where pktBuf[offset + 1] is used.

harryreps commented 1 year ago

https://github.com/SierraWireless/octave-orp/blob/3ccf4406a2c0cd9f5f8c081b2bf340e575158806/clients/c/src/orpProtocol.c#L1054-L1059

At Line 1058, pktBuf + ORP_OFFSET_VARLENGTH may overrun the buffer.

==261221==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000d4 at pc 0x0000004c5908 bp 0x7ffd3ad375a0 sp 0x7ffd3ad36d20
READ of size 1 at 0x6020000000d4 thread T0
    #0 0x4c5907 in printf_common(void*, char const*, __va_list_tag*) (/home/parallels/octave-orp/clients/c/bin/orp+0x4c5907)
    #1 0x4c6c4e in printf (/home/parallels/octave-orp/clients/c/bin/orp+0x4c6c4e)
    #2 0x55bec8 in orp_ProtocolDecode_v1 /home/parallels/octave-orp/clients/c/src/orpProtocol.c:1056:9