chriskohlhoff / asio

Asio C++ Library
http://think-async.com/Asio

Out of bound access/write #662

Open ghost opened 3 years ago

ghost commented 3 years ago

@venjun2000 commented on Jan 2, 2019, 8:37 AM UTC:

Issue location :

https://github.com/boostorg/asio/blob/boost-1.61.0/include/boost/asio/generic/detail/endpoint.hpp#L120 : Out-of-bounds write, /DeliSpace/TegraP1Lin.Rel/External/Boost/inc/boost/asio/local/detail/impl/endpoint.ipp, function init

https://github.com/boostorg/asio/blob/boost-1.61.0/include/boost/asio/generic/detail/impl/endpoint.ipp#L87 : Out-of-bounds access, DeliSpace/TegraP1Lin.Rel/External/Boost/inc/boost/asio/generic/detail/impl/endpoint.ipp, function init

Coverity catches and reports this as a major exception. Please advise.

This issue was moved by chriskohlhoff from boostorg/asio#186.

ghost commented 3 years ago

@venjun2000 commented on Jan 3, 2019, 6:06 AM UTC:

https://github.com/boostorg/asio/blob/boost-1.61.0/include/boost/asio/local/detail/impl/endpoint.ipp#L102

```cpp
void endpoint::init(const char* path_name, std::size_t path_length)
{
  // 1. Condition path_length > 107UL /* sizeof (this->data_.local.sun_path) - 1 */, taking true branch.
  // 2. cond_at_least: Checking path_length > 107UL implies that path_length is at least 108 on the true branch.
  if (path_length > sizeof(data_.local.sun_path) - 1)
  {
    // The buffer is not large enough to store this address.
    boost::system::error_code ec(boost::asio::error::name_too_long);
    boost::asio::detail::throw_error(ec);
  }

  using namespace std; // For memcpy.
  data_.local = boost::asio::detail::sockaddr_un_type();
  data_.local.sun_family = AF_UNIX;
  // CID 5279614: Copy into fixed size buffer (BUFFER_SIZE) [select issue]
  memcpy(data_.local.sun_path, path_name, path_length);
  path_length_ = path_length;

  // NUL-terminate normal path names. Names that start with a NUL are in the
  // UNIX domain protocol's "abstract namespace" and are not NUL-terminated.
  // 3. Condition path_length > 0, taking true branch.
  // 4. Condition this->data_.local.sun_path[0] == 0, taking true branch.
  if (path_length > 0 && data_.local.sun_path[0] == 0)
    // CID 5279356 (#1 of 1): Out-of-bounds write (OVERRUN)
    // 5. overrun-local: Overrunning array this->data_.local.sun_path of 108 bytes at byte offset 108
    //    using index path_length (which evaluates to 108).
    data_.local.sun_path[path_length] = 0;
}
```

ghost commented 3 years ago

@venjun2000 commented on Jan 3, 2019, 6:20 AM UTC:

https://github.com/boostorg/asio/blob/boost-1.61.0/include/boost/asio/generic/detail/impl/endpoint.ipp#L87

```cpp
void endpoint::init(const void* sock_addr,
    std::size_t sock_addr_size, int sock_protocol)
{
  // 1. Condition sock_addr_size > 128UL /* sizeof (boost::asio::detail::sockaddr_storage_type) */, taking true branch.
  // 2. cond_at_least: Checking sock_addr_size > 128UL implies that sock_addr_size is at least 129 on the true branch.
  if (sock_addr_size > sizeof(boost::asio::detail::sockaddr_storage_type))
  {
    boost::system::error_code ec(boost::asio::error::invalid_argument);
    boost::asio::detail::throw_error(ec);
  }

  using namespace std; // For memset and memcpy.
  // 3. write_constant: Write the value 0 into this->data_.generic.ss_family.
  // 4. write_constant: Write the value 0 into this->data_.generic.__ss_align.
  memset(&data_.generic, 0, sizeof(boost::asio::detail::sockaddr_storage_type));

  // CID 5279357 (#1 of 1): Out-of-bounds access (OVERRUN)
  // 5. overrun-buffer-arg: Overrunning struct type _ZN5boost4asio6detail21sockaddr_storage_typeE of 128 bytes
  //    by passing it to a function which accesses it at byte offset 128 using argument sock_addr_size
  //    (which evaluates to 129).
  memcpy(&data_.generic, sock_addr, sock_addr_size);

  size_ = sock_addr_size;
  protocol_ = sock_protocol;
}
```

ghost commented 3 years ago

@vinniefalco commented on Jan 6, 2019, 3:03 PM UTC:

Do you have a minimal, compiling program that causes the coverity error?
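Added example, not Asio's code and not part of the thread: a stand-alone C++ model of the two guarded copies in the traces above, so the bounds reasoning can be checked on concrete lengths. Both traces take the guard's true branch and then still reach the memcpy, which is only possible if the analyzer treats throw_error as returning; the model assumes throw_error throws and does not return, and takes the buffer sizes (108-byte sun_path, 128-byte storage) from the traces.

```cpp
// Added example, not Asio's code: a stand-alone model of the two guarded copies in the
// Coverity traces above, so the bounds reasoning can be checked on concrete inputs.
#include <cstddef>
#include <cstring>
#include <stdexcept>
#include <string>
namespace model {
struct sockaddr_un_like { unsigned short sun_family; char sun_path[108]; }; // Linux sockaddr_un
struct sockaddr_storage_like { char bytes[128]; };                          // sockaddr_storage
// Mirrors local endpoint::init. Once the guard has run, path_length <= 107, so the terminator
// store at sun_path[path_length] reaches index 107 at most (the array has 108 slots).
// Returns the index that received the terminator, or -1 if none was written.
int init_local(sockaddr_un_like& out, const char* path_name, std::size_t path_length) {
  if (path_length > sizeof(out.sun_path) - 1)
    throw std::length_error("name_too_long"); // assumption: throw_error never returns
  std::memset(&out, 0, sizeof out);
  out.sun_family = 1; // AF_UNIX on Linux, hard-coded to keep the example portable
  std::memcpy(out.sun_path, path_name, path_length);
  if (path_length > 0 && out.sun_path[0] == 0) { // condition exactly as posted above
    out.sun_path[path_length] = 0;
    return static_cast<int>(path_length);
  }
  return -1;
}
// Mirrors generic endpoint::init: any size above 128 is rejected before the memcpy runs.
std::size_t init_generic(sockaddr_storage_like& out, const void* sock_addr, std::size_t n) {
  if (n > sizeof out)
    throw std::invalid_argument("invalid_argument");
  std::memset(&out, 0, sizeof out);
  std::memcpy(&out, sock_addr, n);
  return n;
}
// Probe: abstract-namespace name (leading NUL) of length n; -2 means the guard rejected it.
int abstract_terminator_index(std::size_t n) {
  sockaddr_un_like ep;
  std::string name(n, 'a'); // constructed input
  if (n > 0) name[0] = '\0';
  try { return init_local(ep, name.data(), n); }
  catch (const std::length_error&) { return -2; }
}
// Probe: is a sockaddr of n bytes accepted and copied?
bool generic_accepts(std::size_t n) {
  sockaddr_storage_like st;
  std::string buf(n, 'b'); // constructed input
  try { init_generic(st, buf.data(), n); return true; }
  catch (const std::invalid_argument&) { return false; }
}
} // namespace model
```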