mz-automation / lib60870

Official repository for lib60870 an implementation of the IEC 60870-5-101/104 protocol
https://www.mz-automation.de/communication-protocols/iec-60870-5-101-104-c-source-code-library/
GNU General Public License v3.0

SEGV found in cs104_server.c differ from #53 #54

Closed Rrooach closed 5 years ago

Rrooach commented 5 years ago

Hello, I found a SEGV in lib60870/lib60870-C/examples/cs104_server/simple_server.c. gdb trace to:

0x0000000000561b31 in CS101_ASDU_getCOT (self=) at src/iec60870/cs101/cs101_asdu.c:308
308         return (CS101_CauseOfTransmission) (self->asdu[2] & 0x3f);

where the return seems to cause an unexpected SEGV error.

Below are the steps followed to reproduce the crash. Download the latest source code from /mz-automation/lib60870/ and compile with clang and ASAN:

export CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address"

before running make.

Input data: crash.zip

ASAN Output

ASAN:DEADLYSIGNAL
=================================================================
==23999==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x00000054c69e bp 0x7f64474fbd70 sp 0x7f64474fbb10 T4)
==23999==The signal is caused by a READ memory access.
==23999==Hint: address points to the zero page.
    #0 0x54c69d in InterrogationCommand_getQOI /root/temp/iec/lib60870/lib60870-C/src/iec60870/cs101/cs101_information_objects.c:5616:18
    #1 0x58aa85 in handleASDU /root/temp/iec/lib60870/lib60870-C/src/iec60870/cs104/cs104_slave.c:1724:59
    #2 0x58aa85 in handleMessage /root/temp/iec/lib60870/lib60870-C/src/iec60870/cs104/cs104_slave.c:2043
    #3 0x5882b6 in connectionHandlingThread /root/temp/iec/lib60870/lib60870-C/src/iec60870/cs104/cs104_slave.c:2410:21
    #4 0x5a0962 in destroyAutomaticThread /root/temp/iec/lib60870/lib60870-C/src/hal/thread/linux/thread_linux.c:87:2
    #5 0x7f644c5116b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #6 0x7f644b91c41c in clone /build/glibc-LK5gWL/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/temp/iec/lib60870/lib60870-C/src/iec60870/cs101/cs101_information_objects.c:5616:18 in InterrogationCommand_getQOI
Thread T4 created by T1 here:
    #0 0x431d2d in __interceptor_pthread_create (/root/temp/iec/lib60870/lib60870-C/examples/cs104_server/simple_server+0x431d2d)
    #1 0x5a05eb in Thread_start /root/temp/iec/lib60870/lib60870-C/src/hal/thread/linux/thread_linux.c:98:3
    #2 0x7f644c5116b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T1 created by T0 here:
    #0 0x431d2d in __interceptor_pthread_create (/root/temp/iec/lib60870/lib60870-C/examples/cs104_server/simple_server+0x431d2d)
    #1 0x5a06bb in Thread_start /root/temp/iec/lib60870/lib60870-C/src/hal/thread/linux/thread_linux.c:102:3

==23999==ABORTING

mzillgith commented 5 years ago

Thanks for the info. I added some code to protect against corrupted messages. Should be fixed now. If not, please reopen.
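The crash above comes from reading fields of an ASDU without first checking that the buffer actually contains them (the zero-page read in InterrogationCommand_getQOI is an element access on a message too short to carry one). The following is an added example, not lib60870 code: a minimal, fully bounds-checked parser for a C_IC_NA_1 (type 100) ASDU in the IEC 60870-5-104 layout, which rejects truncated input instead of dereferencing it. It assumes the 104 default field sizes (COT 2 bytes, CA 2 bytes, IOA 3 bytes) and uses constructed sample bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IEC 60870-5-104 default sizes: TypeID(1) VSQ(1) COT(2) CA(2), then IOA(3). */
#define ASDU_HEADER_LEN 6
#define IOA_LEN 3
#define C_IC_NA_1 100          /* interrogation command: one element = IOA + QOI */

typedef struct {
    uint8_t type_id;
    uint8_t num_elements;      /* low 7 bits of VSQ */
    uint8_t cot;               /* low 6 bits of the first COT byte */
    uint8_t qoi;               /* qualifier of interrogation */
} ParsedAsdu;

/* Returns 0 on success, -1 when the buffer is shorter than what it claims.
 * Every byte is length-checked before it is read, which is the guard the
 * unconditional asdu[2] / element access in the report was missing. */
int parse_interrogation_asdu(const uint8_t *buf, size_t len, ParsedAsdu *out)
{
    if (buf == NULL || out == NULL || len < ASDU_HEADER_LEN)
        return -1;                              /* cannot even read COT safely */

    out->type_id = buf[0];
    out->num_elements = buf[1] & 0x7f;          /* MSB of VSQ is the SQ flag */
    out->cot = buf[2] & 0x3f;                   /* same mask as CS101_ASDU_getCOT */

    if (out->type_id != C_IC_NA_1 || out->num_elements != 1)
        return -1;                              /* not a single interrogation cmd */
    if (len < ASDU_HEADER_LEN + IOA_LEN + 1)
        return -1;                              /* truncated: no QOI byte present */

    out->qoi = buf[ASDU_HEADER_LEN + IOA_LEN];
    return 0;
}

int main(void)
{
    /* Constructed sample: type 100, 1 element, COT 6 (activation), CA 1,
     * IOA 0, QOI 20 (station interrogation). */
    const uint8_t ok[] = {100, 1, 6, 0, 1, 0, 0, 0, 0, 20};
    ParsedAsdu p;
    printf("full message: %d\n", parse_interrogation_asdu(ok, sizeof ok, &p));
    printf("cot=%u qoi=%u\n", p.cot, p.qoi);
    /* Same message cut after the header: must be rejected, not dereferenced. */
    printf("truncated:    %d\n", parse_interrogation_asdu(ok, 7, &p));
    return 0;
}
```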