goToMain / libosdp

Implementation of IEC 60839-11-5 OSDP (Open Supervised Device Protocol); provides a C library with support for C++, Rust and Python3
https://libosdp.sidcha.dev
Apache License 2.0
130 stars 69 forks

SEGV on unknown address #82

Closed qingkaishi closed 2 years ago

qingkaishi commented 2 years ago

https://github.com/goToMain/libosdp/blob/a3eb794b4599094ab6d6c57b3117c2fafdb9a22e/src/osdp_file.c#L34-L67

In the above code, Line 38 gets the pointer struct osdp_file *f = TO_FILE(pd), which may be NULL but is dereferenced in many places in the subsequent code. In particular, at Line 66 we call f->ops.read, leading to a segmentation fault.

In the file osdp_file.c, there are 7 places where we have the code struct osdp_file *f = TO_FILE(pd); three of them (Lines 221, 235, 255) have a null check, i.e., if (!f) return -1. Hence, there is no problem there.

However, the other four places, Lines 38, 87, 124, 181, do not have such null checks and may lead to a segmentation fault.

The above idea is validated via AddressSanitizer:

==313203==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x00000056b98c bp 0x7ffe24220ef0 sp 0x7ffe24220b00 T0)
==313203==The signal is caused by a READ memory access.
==313203==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x56b98c in osdp_file_cmd_tx_decode /home/parallels/libosdp/src/osdp_file.c:144:7
    #1 0x55b1a1 in pd_decode_command /home/parallels/libosdp/src/osdp_pd.c:526:9
    #2 0x554669 in pd_decode_packet /home/parallels/libosdp/src/osdp_pd.c:951:9

sidcha commented 2 years ago

Thanks for the report, fixed all four occurrences.
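The defect reported above and the shape of the fix, as an added illustration in C that is not libosdp's own code: the struct layouts, the TO_FILE macro body, the read callback signature and the function names tx_decode_unchecked / tx_decode_checked are assumptions constructed for this example; only the pattern (an accessor that can yield NULL, followed by an f->ops.read dereference, guarded by the same if (!f) return -1 early return the other call sites already use) comes from the report.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical models of the library's types, constructed for this example. */
struct osdp_file_ops {
    int (*read)(void *arg, uint8_t *buf, int size, int offset);
};
struct osdp_file {
    struct osdp_file_ops ops;
    int offset;
};
struct osdp_pd {
    struct osdp_file *file; /* NULL until a file transfer is registered */
};

/* Accessor in the spirit of TO_FILE(pd): may yield NULL. */
#define TO_FILE(pd) ((pd)->file)

/* Before the fix: f is dereferenced without a check; NULL here is the SEGV. */
int tx_decode_unchecked(struct osdp_pd *pd, uint8_t *buf, int size)
{
    struct osdp_file *f = TO_FILE(pd);
    return f->ops.read(f, buf, size, f->offset);
}

/* After the fix: the same early return the checked call sites use. */
int tx_decode_checked(struct osdp_pd *pd, uint8_t *buf, int size)
{
    struct osdp_file *f = TO_FILE(pd);
    if (!f)
        return -1;
    return f->ops.read(f, buf, size, f->offset);
}

/* Constructed read callback: reports the requested size as bytes read. */
static int sample_read(void *arg, uint8_t *buf, int size, int offset)
{
    (void)arg; (void)buf; (void)offset;
    return size;
}

int main(void)
{
    struct osdp_file file = { .ops = { .read = sample_read }, .offset = 0 };
    struct osdp_pd with_file = { .file = &file }, no_file = { .file = NULL };
    uint8_t buf[16];
    printf("with file: %d\n", tx_decode_checked(&with_file, buf, (int)sizeof buf));
    printf("no file: %d\n", tx_decode_checked(&no_file, buf, (int)sizeof buf));
    return 0; /* tx_decode_unchecked(&no_file, ...) would fault, as in the ASan trace */
}
```

Running the checked variant without a registered file now yields -1 instead of the READ fault AddressSanitizer reported.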