Open harryreps opened 1 year ago
At Line 1017, `offset` may equal `pktLen - 1`. Thus, `pktBuf[offset + 1]` equals `pktBuf[pktLen]`, which leads to the following overflow bug when calling `strtoul`:

```
==261454==ERROR: AddressSanitizer: SEGV on unknown address 0x6060002d0000 (pc 0x7efd0d5ef17b bp 0x000000000000 sp 0x7ffe53ff0c80 T0)
==261454==The signal is caused by a READ memory access.
    #0 0x7efd0d5ef17b in __GI_____strtoul_l_internal /build/glibc-sMfBJT/glibc-2.31/stdlib/../stdlib/strtol_l.c:432:28
    #1 0x55baad in orp_ProtocolDecode_v1 /home/parallels/octave-orp/clients/c/src/orpProtocol.c:1017:42
```
Similar issues may happen at Line 995, Line 1006, and other places where `pktBuf[offset + 1]` is used.
At Line 1058, `pktBuf + ORP_OFFSET_VARLENGTH` may overrun the buffer.

```
==261221==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000d4 at pc 0x0000004c5908 bp 0x7ffd3ad375a0 sp 0x7ffd3ad36d20
READ of size 1 at 0x6020000000d4 thread T0
    #0 0x4c5907 in printf_common(void*, char const*, __va_list_tag*) (/home/parallels/octave-orp/clients/c/bin/orp+0x4c5907)
    #1 0x4c6c4e in printf (/home/parallels/octave-orp/clients/c/bin/orp+0x4c6c4e)
    #2 0x55bec8 in orp_ProtocolDecode_v1 /home/parallels/octave-orp/clients/c/src/orpProtocol.c:1056:9
```
https://github.com/SierraWireless/octave-orp/blob/3ccf4406a2c0cd9f5f8c081b2bf340e575158806/clients/c/src/orpUtils.c#L141-L150
At Line 144, there is no guarantee that `message->status * -1 < sizeof(statusStr)`, which may lead to the following bug: