TencentCloud / tencentcloud-iot-explorer-sdk-embedded-c

SDK for embedded systems to connect and communicate with Tencent Cloud IoT Explorer Platform

Memory Use After Free problems in the code #11

Open kydahe opened 3 years ago

kydahe commented 3 years ago
  1. samples/ota/ota_mqtt_sample.c https://github.com/tencentyun/qcloud-iot-explorer-sdk-embedded-c/blob/master/samples/ota/ota_mqtt_sample.c

UAF issue: the `version` memory is already freed on line 295, yet on line 299 the `action_value` memory is used again. After the free, the contents of `action_value` are undefined, so unexpected behaviour results; this is a Use After Free security issue.

```c
static int _get_local_fw_info(char *file_name, char *local_version)
{
    ...
    char *version = LITE_json_value_of(KEY_VER, json_doc);
    char *size    = LITE_json_value_of(KEY_SIZE, json_doc);

    if ((NULL == version) || (NULL == size)) {
        if (version)
            HAL_Free(version);
        if (size)
            HAL_Free(size);
        HAL_FileClose(fp);
        return 0;
    }

    int local_size = atoi(size);
    HAL_Free(size);

    if (local_size <= 0) {
        Log_w("local info offset invalid: %d", local_size);
        HAL_Free(version);    //!!! version memory is freed
        local_size = 0;
    }

    strncpy(local_version, version, FW_VERSION_MAX_LEN);    //!!! Use of memory version after it is freed --- UAF
    HAL_Free(version);
    HAL_FileClose(fp);
    return local_size;
}
```
  2. sdk_src/services/asr/asr_client.c https://github.com/tencentyun/qcloud-iot-explorer-sdk-embedded-c/blob/master/sdk_src/services/asr/asr_client.c

UAF issue: the `asr_handle` memory is freed (HAL_Free) on line 673, and then `asr_handle` is accessed again on line 674, causing a Memory Use After Free security issue.

```c
void *IOT_Asr_Init(const char *product_id, const char *device_name, void *pTemplate_client, OnAsrFileManageEventUsrCallback usr_cb)
{
    ...
exit:

    if (rc != QCLOUD_RET_SUCCESS) {
        if (asr_handle) {
            HAL_Free(asr_handle);    //!!! asr_handle memory is released
            if (asr_handle->file_manage_handle) {    //!!! Use of memory asr_handle after it is freed
                IOT_FileManage_Destroy(asr_handle->file_manage_handle);
            }
            if (asr_handle->mutex) {
                HAL_MutexDestroy(asr_handle->mutex);
            }
            if (asr_handle->asr_req_list) {
                list_destroy(asr_handle->asr_req_list);
            }
        }
        asr_handle = NULL;
    }

    return asr_handle;
}
```
xupenghu commented 3 years ago

thanks! Both issues will be fixed in the next release.
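Both reports share one root cause: an error path releases memory and a later statement still reads it. The following is an added, self-contained example (not code from the SDK or from the reporter) showing the corrected shape of each pattern: `mock_json_value` and `asr_handle_t` are assumed stand-ins for `LITE_json_value_of` and the real handle struct, and `free` stands in for `HAL_Free`.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdlib.h>
#include <string.h>

#define FW_VERSION_MAX_LEN 32

/* Stand-in for LITE_json_value_of(): the SDK returns a heap string the
 * caller must HAL_Free(); modelled here with strdup()/free(). */
static char *mock_json_value(const char *value)
{
    return value ? strdup(value) : NULL;
}

/* Corrected shape of the OTA local-info parse: `version` is copied into the
 * caller's buffer before anything frees it, and it is freed at exactly one
 * point, after its last use. An invalid size no longer frees early. */
int get_local_fw_info_fixed(const char *ver_json, const char *size_json,
                            char *local_version)
{
    char *version = mock_json_value(ver_json);
    char *size    = mock_json_value(size_json);
    int local_size;
    if (version == NULL || size == NULL) {
        free(version);              /* free(NULL) is a no-op */
        free(size);
        return 0;
    }
    local_size = atoi(size);
    free(size);
    if (local_size <= 0)
        local_size = 0;             /* report invalid size, keep version alive */
    strncpy(local_version, version, FW_VERSION_MAX_LEN - 1);
    local_version[FW_VERSION_MAX_LEN - 1] = '\0';  /* strncpy may not terminate */
    free(version);                  /* single release point, after last use */
    return local_size;
}

/* Model of the ASR handle (assumed; the real struct has more fields). */
typedef struct { void *file_manage_handle; void *mutex; } asr_handle_t;
static int members_destroyed;       /* counts sub-resource releases (for the check) */

/* Error-path teardown in dependency order: members are read and released
 * while the container is still alive; the container itself is freed last. */
void asr_handle_teardown(asr_handle_t *h)
{
    if (h == NULL) return;
    if (h->file_manage_handle) { free(h->file_manage_handle); members_destroyed++; }
    if (h->mutex)              { free(h->mutex); members_destroyed++; }
    free(h);
}
int asr_members_destroyed(void) { return members_destroyed; }
```

Running the hardened functions under AddressSanitizer or Valgrind stays clean, whereas the originals report a heap-use-after-free on the `strncpy` and on the `asr_handle->` reads.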