pbiering / ipv6calc

ipv6calc
https://www.deepspace6.net/projects/ipv6calc.html

Potential buffer overflows identified by GCC #43

Closed paravoid closed 11 months ago

paravoid commented 11 months ago
Build environment GCC: `gcc (Debian 13.2.0-7) 13.2.0`

```
*** CFLAGS_EXTRA =-fPIC -Wformat -Werror -Werror=format-security -Wsizeof-array-argument -Wextra -Werror=format-truncation=0 -Werror=char-subscripts -Wno-deprecated-declarations
*** LDFLAGS_EXTRA =
*** LDFLAGS_EXTRA_STATIC =
*** LD_LIBRARY_PATH =
*** LD_LIBRARY_PATH_BASIC =
*** CPPFLAGS = -Wdate-time -DFORTIFY_SOURCE=2
*** CFLAGS =-g -O2 -ffile-prefix-map=/root/2023-12-ipv6calc/ipv6calc=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection
*** LDFLAGS =-Wl,-z,relro -Wl,-z,now
```

Results in the following build warnings, that honestly seem pretty serious (overflows etc.):

libipv6calc_db_wrapper_GeoIP2.c

```
gcc -c libipv6calc_db_wrapper_GeoIP2.c -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix-map=/root/2023-12-ipv6calc/ipv6calc=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -D__EXTENSIONS__ -fPIC -D__EXTENSIONS__ -fPIC -I../../lib -I../..
libipv6calc_db_wrapper_GeoIP2.c: In function ‘libipv6calc_db_wrapper_GeoIP2_dbfilename’:
libipv6calc_db_wrapper_GeoIP2.c:580:51: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 1024 [-Wformat-truncation=]
  580 |         snprintf(tempstring, sizeof(tempstring), "%s/%s", geoip2_db_dir, libipv6calc_db_wrapper_GeoIP2_db_file_desc[i].filename);
      |                                                   ^~      ~~~~~~~~~~~~~
In file included from /usr/include/stdio.h:906,
                 from libipv6calc_db_wrapper_GeoIP2.c:11:
In function ‘snprintf’,
    inlined from ‘libipv6calc_db_wrapper_GeoIP2_dbfilename’ at libipv6calc_db_wrapper_GeoIP2.c:580:2:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output 2 or more bytes (assuming 4097) into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
libipv6calc_db_wrapper_GeoIP2.c: In function ‘libipv6calc_db_wrapper_GeoIP2_database_info’:
libipv6calc_db_wrapper_GeoIP2.c:789:53: warning: ‘, created: ’ directive output may be truncated writing 11 bytes into a region of size between 1 and 1024 [-Wformat-truncation=]
  789 |         snprintf(tempstring, sizeof(tempstring), "%s, created: %s", resultstring, datastring);
      |                                                     ^~~~~~~~~~~
In function ‘snprintf’,
    inlined from ‘libipv6calc_db_wrapper_GeoIP2_database_info’ at libipv6calc_db_wrapper_GeoIP2.c:789:2:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output between 12 and 2058 bytes into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
libipv6calc_db_wrapper_GeoIP2.c: In function ‘libipv6calc_db_wrapper_GeoIP2_wrapper_db_info_used’:
libipv6calc_db_wrapper_GeoIP2.c:542:77: warning: ‘ / ’ directive output may be truncated writing 3 bytes into a region of size between 1 and 1024 [-Wformat-truncation=]
  542 |                                 snprintf(tempstring, sizeof(tempstring), "%s / %s", geoip2_db_usage_string, info);
      |                                                                             ^~~
In function ‘snprintf’,
    inlined from ‘libipv6calc_db_wrapper_GeoIP2_wrapper_db_info_used’ at libipv6calc_db_wrapper_GeoIP2.c:542:5:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output 4 or more bytes (assuming 1027) into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
```

libipv6calc_db_wrapper_DBIP2.c

```
gcc -c libipv6calc_db_wrapper_DBIP2.c -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix-map=/root/2023-12-ipv6calc/ipv6calc=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -D__EXTENSIONS__ -fPIC -D__EXTENSIONS__ -fPIC -I../../lib -I../..
libipv6calc_db_wrapper_DBIP2.c: In function ‘libipv6calc_db_wrapper_DBIP2_dbfilename’:
libipv6calc_db_wrapper_DBIP2.c:561:51: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 1024 [-Wformat-truncation=]
  561 |         snprintf(tempstring, sizeof(tempstring), "%s/%s", dbip2_db_dir, libipv6calc_db_wrapper_DBIP2_db_file_desc[i].filename);
      |                                                   ^~      ~~~~~~~~~~~~
In file included from /usr/include/stdio.h:906,
                 from libipv6calc_db_wrapper_DBIP2.c:11:
In function ‘snprintf’,
    inlined from ‘libipv6calc_db_wrapper_DBIP2_dbfilename’ at libipv6calc_db_wrapper_DBIP2.c:561:2:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output 2 or more bytes (assuming 4097) into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
libipv6calc_db_wrapper_DBIP2.c: In function ‘libipv6calc_db_wrapper_DBIP2_database_info’:
libipv6calc_db_wrapper_DBIP2.c:770:53: warning: ‘, created: ’ directive output may be truncated writing 11 bytes into a region of size between 1 and 1024 [-Wformat-truncation=]
  770 |         snprintf(tempstring, sizeof(tempstring), "%s, created: %s", resultstring, datastring);
      |                                                     ^~~~~~~~~~~
In function ‘snprintf’,
    inlined from ‘libipv6calc_db_wrapper_DBIP2_database_info’ at libipv6calc_db_wrapper_DBIP2.c:770:2:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output between 12 and 2058 bytes into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
libipv6calc_db_wrapper_DBIP2.c: In function ‘libipv6calc_db_wrapper_DBIP2_wrapper_db_info_used’:
libipv6calc_db_wrapper_DBIP2.c:523:77: warning: ‘ / ’ directive output may be truncated writing 3 bytes into a region of size between 1 and 1024 [-Wformat-truncation=]
  523 |                                 snprintf(tempstring, sizeof(tempstring), "%s / %s", dbip2_db_usage_string, info);
      |                                                                             ^~~
In function ‘snprintf’,
    inlined from ‘libipv6calc_db_wrapper_DBIP2_wrapper_db_info_used’ at libipv6calc_db_wrapper_DBIP2.c:523:5:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output 4 or more bytes (assuming 1027) into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
```

libipv6calc_db_wrapper_BuiltIn.c

```
gcc -c libipv6calc_db_wrapper_BuiltIn.c -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix-map=/root/2023-12-ipv6calc/ipv6calc=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -D__EXTENSIONS__ -fPIC -D__EXTENSIONS__ -fPIC -I../../lib -I../..
libipv6calc_db_wrapper_BuiltIn.c: In function ‘libipv6calc_db_wrapper_BuiltIn_wrapper_db_info_used’:
libipv6calc_db_wrapper_BuiltIn.c:299:77: warning: ‘ / ’ directive output may be truncated writing 3 bytes into a region of size between 1 and 1024 [-Wformat-truncation=]
  299 |                                 snprintf(tempstring, sizeof(tempstring), "%s / %s", builtin_db_usage_string, info);
      |                                                                             ^~~
In file included from /usr/include/stdio.h:906,
                 from libipv6calc_db_wrapper_BuiltIn.c:12:
In function ‘snprintf’,
    inlined from ‘libipv6calc_db_wrapper_BuiltIn_wrapper_db_info_used’ at libipv6calc_db_wrapper_BuiltIn.c:299:5:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output between 4 and 2050 bytes into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
```

libipv6calc.c

```
gcc -c libipv6calc.c -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix-map=/root/2023-12-ipv6calc/ipv6calc=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -D__EXTENSIONS__ -fPIC -D__EXTENSIONS__ -fPIC -I. -I../ -I../databases/lib/ -I../md5
libipv6calc.c: In function ‘string_to_reverse_dotted’:
libipv6calc.c:147:62: warning: ‘__builtin___snprintf_chk’ output may be truncated before the last format character [-Wformat-truncation=]
  147 |                 snprintf(tempstring, sizeof(tempstring), "%s.", resultstring);
      |                                                              ^
In file included from /usr/include/stdio.h:906,
                 from libipv6calc.c:11:
In function ‘snprintf’,
    inlined from ‘string_to_reverse_dotted’ at libipv6calc.c:147:3:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output between 2 and 1025 bytes into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
libipv6calc.c: In function ‘string_to_reverse_dotted’:
libipv6calc.c:158:72: warning: ‘__builtin___snprintf_chk’ output may be truncated before the last format character [-Wformat-truncation=]
  158 |                         snprintf(tempstring, sizeof(tempstring), "%s.%s", token, resultstring);
      |                                                                        ^
In function ‘snprintf’,
    inlined from ‘string_to_reverse_dotted’ at libipv6calc.c:158:4:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output 2 or more bytes (assuming 1025) into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
libipv6calc.c: In function ‘string_to_reverse_dotted’:
libipv6calc.c:166:62: warning: ‘__builtin___snprintf_chk’ output may be truncated before the last format character [-Wformat-truncation=]
  166 |                 snprintf(tempstring, sizeof(tempstring), ".%s", resultstring);
      |                                                              ^
In function ‘snprintf’,
    inlined from ‘string_to_reverse_dotted’ at libipv6calc.c:166:3:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output between 2 and 1025 bytes into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
```

ipv6calc.c

```
gcc -c ipv6calc.c -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix-map=/root/2023-12-ipv6calc/ipv6calc=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -I../md5 -I../ -I../lib/ -I../databases/lib/
ipv6calc.c: In function ‘main’:
ipv6calc.c:1942:95: warning: ‘%s’ directive output may be truncated writing up to 16383 bytes into a region of size 1024 [-Wformat-truncation=]
 1942 |                                                 snprintf(resultstring, sizeof(resultstring), "%s %s", input1, resultstring3);
      |                                                                                               ^~
In file included from /usr/include/stdio.h:906,
                 from ipv6calc.c:12:
In function ‘snprintf’,
    inlined from ‘main’ at ipv6calc.c:1942:7:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output 2 or more bytes (assuming 16385) into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
ipv6calc.c: In function ‘main’:
ipv6calc.c:1940:95: warning: ‘%s’ directive output may be truncated writing up to 16383 bytes into a region of size 1024 [-Wformat-truncation=]
 1940 |                                                 snprintf(resultstring, sizeof(resultstring), "%s uncomparable", input1);
      |                                                                                               ^~
In function ‘snprintf’,
    inlined from ‘main’ at ipv6calc.c:1940:7:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output between 14 and 16397 bytes into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
ipv6calc.c: In function ‘main’:
ipv6calc.c:1935:87: warning: ‘%s’ directive output may be truncated writing up to 16383 bytes into a region of size 1024 [-Wformat-truncation=]
 1935 |                                         snprintf(resultstring, sizeof(resultstring), "%s %s", linebuffer, resultstring3);
      |                                                                                       ^~      ~~~~~~~~~~
In function ‘snprintf’,
    inlined from ‘main’ at ipv6calc.c:1935:6:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output 2 or more bytes (assuming 16385) into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
ipv6calc.c: In function ‘main’:
ipv6calc.c:1933:87: warning: ‘%s’ directive output may be truncated writing up to 16383 bytes into a region of size 1024 [-Wformat-truncation=]
 1933 |                                         snprintf(resultstring, sizeof(resultstring), "%s uncomparable", linebuffer);
      |                                                                                       ^~                ~~~~~~~~~~
In function ‘snprintf’,
    inlined from ‘main’ at ipv6calc.c:1933:6:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output between 14 and 16397 bytes into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
ipv6calc.c: In function ‘main’:
ipv6calc.c:1731:79: warning: ‘%s’ directive output may be truncated writing up to 16383 bytes into a region of size 1024 [-Wformat-truncation=]
 1731 |                                 snprintf(resultstring, sizeof(resultstring), "%s", linebuffer);
      |                                                                               ^~   ~~~~~~~~~~
In function ‘snprintf’,
    inlined from ‘main’ at ipv6calc.c:1731:5:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin_snprintf’ output between 1 and 16384 bytes into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
```

pbiering commented 11 months ago

fixed with https://github.com/pbiering/ipv6calc/commit/a343f65aa1ed704afdf0540ab385c4567d8338da, required some rework
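
An added example, not part of this thread and not the code from the linked commit: the `-Wformat-truncation` diagnostics above concern `snprintf` calls whose return value is ignored, so an over-long input is silently cut to fit the 1024-byte destination. The sketch below handles the `"%s/%s"` path-join case by checking that return value and rejecting the result instead of using a truncated path. `join_path_checked` is a hypothetical helper, and the directory and file names are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from ipv6calc): join dir and file into dst.
 * Returns 0 on success, -1 if the result does not fit or formatting fails.
 * On failure dst is emptied so a truncated path can never be used. */
int join_path_checked(char *dst, size_t dstsize, const char *dir, const char *file)
{
	if (dst == NULL || dstsize == 0 || dir == NULL || file == NULL)
		return -1;

	/* snprintf never writes more than dstsize bytes, but it returns the
	 * length the full output would have had (excluding the NUL). */
	int n = snprintf(dst, dstsize, "%s/%s", dir, file);

	/* n >= dstsize means the output was cut short: treat it as an error. */
	if (n < 0 || (size_t)n >= dstsize) {
		dst[0] = '\0';
		return -1;
	}
	return 0;
}

int main(void)
{
	char path[1024];    /* same size as the destination in the warnings */
	char longdir[4096]; /* constructed input: 4095-byte directory name */

	memset(longdir, 'a', sizeof(longdir) - 1);
	longdir[sizeof(longdir) - 1] = '\0';

	/* Constructed sample names, not taken from the project. */
	if (join_path_checked(path, sizeof(path), "/usr/share/GeoIP", "sample.mmdb") == 0)
		printf("ok: %s\n", path);

	if (join_path_checked(path, sizeof(path), longdir, "sample.mmdb") != 0)
		printf("rejected: result would not fit in %zu bytes\n", sizeof(path));

	return 0;
}
```
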