seppo0010 / rlite

self-contained, serverless, zero-configuration, transactional redis-compatible database engine. rlite is to Redis what SQLite is to SQL.
BSD 2-Clause "Simplified" License

Heap buffer overflow on reporting invalid command #28

Closed mannol closed 7 years ago

mannol commented 7 years ago

Try to execute an invalid command like so: ASD ayy ayy

ASAN reports:

=================================================================
==24006==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ed13 at pc 0x000000497fb1 bp 0x7ffcf6e12600 sp 0x7ffcf6e11db0
READ of size 4 at 0x60200000ed13 thread T0
    #0 0x497fb0 in printf_common(void*, char const*, __va_list_tag*) (/home/mannol/Documents/Programming/Closenger/Debug-Desktop/Closenger+0x497fb0)
    #1 0x49a17d in __interceptor_vsnprintf (/home/mannol/Documents/Programming/Closenger/Debug-Desktop/Closenger+0x49a17d)
    #2 0x6fa622 in addReplyErrorFormat /home/mannol/Documents/Programming/Closenger/rlite/Debug-Desktop/../src/hirlite.c:290
    #3 0x6fce8a in rliteAppendCommandClient /home/mannol/Documents/Programming/Closenger/rlite/Debug-Desktop/../src/hirlite.c:1039
    #4 0x6fd6ae in rlitevAppendCommand /home/mannol/Documents/Programming/Closenger/rlite/Debug-Desktop/../src/hirlite.c:1119
    #5 0x6fd881 in rlitevCommand /home/mannol/Documents/Programming/Closenger/rlite/Debug-Desktop/../src/hirlite.c:1150
    #6 0x72b003 in rlite::command(char const*, ...) /home/mannol/Documents/Programming/Closenger/rlite/Debug-Desktop/../rlite.cpp:27
    #7 0x4fdc54 in main /home/mannol/Documents/Programming/Closenger/Debug-Desktop/../main.cpp:66:5
    #8 0x7fc15c75d3f0 in __libc_start_main /build/glibc-DfDqKW/glibc-2.24/csu/../csu/libc-start.c:291
    #9 0x42b6a9 in _start (/home/mannol/Documents/Programming/Closenger/Debug-Desktop/Closenger+0x42b6a9)

0x60200000ed13 is located 0 bytes to the right of 3-byte region [0x60200000ed10,0x60200000ed13)
allocated by thread T0 here:
    #0 0x4ca030 in realloc (/home/mannol/Documents/Programming/Closenger/Debug-Desktop/Closenger+0x4ca030)
    #1 0x6faead in rlitevFormatCommand /home/mannol/Documents/Programming/Closenger/rlite/Debug-Desktop/../src/hirlite.c:477
    #2 0x6fd697 in rlitevAppendCommand /home/mannol/Documents/Programming/Closenger/rlite/Debug-Desktop/../src/hirlite.c:1115
    #3 0x6fd881 in rlitevCommand /home/mannol/Documents/Programming/Closenger/rlite/Debug-Desktop/../src/hirlite.c:1150
    #4 0x72b003 in rlite::command(char const*, ...) /home/mannol/Documents/Programming/Closenger/rlite/Debug-Desktop/../rlite.cpp:27
    #5 0x4fdc54 in main /home/mannol/Documents/Programming/Closenger/Debug-Desktop/../main.cpp:66:5
    #6 0x7fc15c75d3f0 in __libc_start_main /build/glibc-DfDqKW/glibc-2.24/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/mannol/Documents/Programming/Closenger/Debug-Desktop/Closenger+0x497fb0) in printf_common(void*, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
  0x0c047fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa 03 fa fa fa fd fa
  0x0c047fff9d80: fa fa fd fa fa fa fd fd fa fa fd fd fa fa 03 fa
  0x0c047fff9d90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff9da0: fa fa[03]fa fa fa fd fa fa fa fd fa fa fa 00 00
  0x0c047fff9db0: fa fa 00 01 fa fa 00 fa fa fa 00 00 fa fa 03 fa
  0x0c047fff9dc0: fa fa 04 fa fa fa 00 01 fa fa 00 02 fa fa 00 04
  0x0c047fff9dd0: fa fa 00 07 fa fa 00 07 fa fa 00 00 fa fa 00 00
  0x0c047fff9de0: fa fa 00 07 fa fa 00 04 fa fa 00 00 fa fa 00 05
  0x0c047fff9df0: fa fa 00 00 fa fa 00 00 fa fa 00 07 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24006==ABORTING
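The report places the faulting read at the end of a 3-byte heap region allocated while the command was being formatted, and 3 bytes is exactly the length of the command name "ASD" when it is stored without a terminating NUL. The following is an added C example, not rlite's code and not the fix in the referenced commit, that models that failure mode: a constructed length-delimited argument vector (`command_t`, `command_new`) whose buffers carry no NUL, an unsafe error formatter that hands such a buffer to `%s`, and a hardened one (`unknown_command_reply`, `ERR_ECHO_MAX`) that bounds the read with `%.*s` and caps how much of the offending argument is echoed. Whether rlite stored its arguments this way is an assumption drawn from the trace, and all names here are illustrative.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a length-delimited argument vector: every argv[i]
 * is a heap buffer of exactly argvlen[i] bytes with no terminating NUL,
 * as RESP-style command parsers commonly store arguments. This is an
 * assumption for illustration, not rlite's own data structure. */
typedef struct {
    int argc;
    char **argv;
    size_t *argvlen;
} command_t;

static command_t *command_new(int argc, const char *const *args) {
    command_t *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->argc = argc;
    c->argv = calloc((size_t)argc, sizeof *c->argv);
    c->argvlen = calloc((size_t)argc, sizeof *c->argvlen);
    for (int i = 0; i < argc; i++) {
        c->argvlen[i] = strlen(args[i]);
        c->argv[i] = malloc(c->argvlen[i]);        /* exactly n bytes, no NUL */
        memcpy(c->argv[i], args[i], c->argvlen[i]);
    }
    return c;
}

static void command_free(command_t *c) {
    if (!c) return;
    for (int i = 0; i < c->argc; i++) free(c->argv[i]);
    free(c->argv);
    free(c->argvlen);
    free(c);
}

/* Unsafe pattern: "%s" makes vsnprintf scan for a NUL that a 3-byte "ASD"
 * buffer does not contain, so the read runs off the end of the allocation,
 * which is what a sanitizer flags inside its printf interceptor. Shown for
 * contrast only; nothing in this file calls it. */
static int unknown_command_reply_unsafe(char *out, size_t outsz, const command_t *c) {
    return snprintf(out, outsz, "-ERR unknown command '%s'\r\n", c->argv[0]);
}

/* Hardened form: the precision in "%.*s" bounds the bytes the formatter may
 * read to argvlen[0], so a missing NUL is irrelevant. The echoed length is
 * also capped so an oversized argument cannot bloat the error reply. */
#define ERR_ECHO_MAX 128

static int unknown_command_reply(char *out, size_t outsz, const command_t *c) {
    size_t n = c->argc > 0 ? c->argvlen[0] : 0;
    if (n > ERR_ECHO_MAX) n = ERR_ECHO_MAX;
    return snprintf(out, outsz, "-ERR unknown command '%.*s'\r\n",
                    (int)n, c->argc > 0 ? c->argv[0] : "");
}

/* Builds the reporter's three-argument command with `name` as the command,
 * formats the error reply into a static buffer and returns its length. */
static char reply_buf[256];

static int reply_for(const char *name) {
    const char *args[] = { name, "ayy", "ayy" };   /* constructed input */
    command_t *c = command_new(3, args);
    int n = unknown_command_reply(reply_buf, sizeof reply_buf, c);
    command_free(c);
    return n;
}

static const char *last_reply(void) { return reply_buf; }

/* Reply length for a 200-byte command name: only ERR_ECHO_MAX bytes of it
 * are echoed, so the reply stays bounded regardless of the input. */
static int long_name_reply_len(void) {
    char name[201];
    memset(name, 'A', 200);
    name[200] = '\0';
    return reply_for(name);
}

int main(void) {
    int n = reply_for("ASD");
    printf("%d bytes: %s", n, last_reply());
    (void)unknown_command_reply_unsafe;    /* referenced only to keep the contrast visible */
    return 0;
}
```

The hardened formatter relies on a guarantee of the C standard: when a precision is given to `%s`, the argument need not be NUL-terminated as long as the precision does not exceed the buffer length, so passing the parser's own length is enough to make the read bounded. Building with `-fsanitize=address` and calling the unsafe variant on the same input reproduces the class of report shown above.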
seppo0010 commented 7 years ago

Fixed in be0996934f61d44fa52079b149032664557a9f3f. Thanks.

mannol commented 7 years ago

Fix confirmed, thank you!