-
Notifications
You must be signed in to change notification settings - Fork 3.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
stack-buffer-overflow at evutil_parse_sockaddr_port #1573
Comments
@xiaoge1001 Did you make sure you have the size for the out? You should make sure the output is large enough for ipv6, like |
Hi, is this saying about the value of *outlen? |
No, it's about the memcpy, check the manual of |
Sorry, I don't understand how this is directly related to the struct sockaddr_storage structure. |
I tested the 2.1.12 version and the latest version on GitHub, both have the problem. The gdb debugging result is as follows:
|
@xiaoge1001 Could you show a poc? How to reproduce. if ((int)sizeof(sin6) > *outlen)
return -1;
// ignore other codes
memcpy(out, &sin6, sizeof(sin6)); As it never copy more data to out, so it's safe. However, if you cannot make sure |
https://github.com/libevent/libevent/blob/master/evutil.c#L2379
out: |
cat crash-sanitizer-145282c4e12d06cafbc46ffe6c9f0f25e19e34da23782953cd2ccc08a535f826 |
@xiaoge1001 As I'm not familiar with crash-sanitizer or other ... cloud you change if ((int)sizeof(sin6) > *outlen)
return -1;
sin6.sin6_scope_id = if_index;
memset(out, 0, *outlen);
memcpy(out, &sin6, sizeof(sin6)); to if ((int)sizeof(sin6) > *outlen)
return -1;
sin6.sin6_scope_id = if_index;
memset(out, 0, sizeof(sin6));
memcpy(out, &sin6, sizeof(sin6)); or just remove the |
memset(out, 0, *outlen); change to memset(out, 0, sizeof(sin6)); the problem doesn't recur. Why is that? |
This is carefully constructed problematic input to test. |
As the However, I thinks it's a bug in your codes, not |
Can we add a parameter check? For example: |
In `evutil_parse_sockaddr_port`, it whould memset the out to zero, however, if `outlen` is invalid, it would be an undefined behavior. This should close libevent#1573.
This looks like a hack, there is a check for Line 2379 in 4fd07f0
To catch other errors one could use sanitizers. |
If you have some strong constructive objections, feel free to reopen. |
In `evutil_parse_sockaddr_port`, it would `memset` the `out` to zero, however, the `memset` is unnecessary before `memcpy`, and may cause undefined behavior if the `outlen` is invalid. This should close libevent#1573.
In `evutil_parse_sockaddr_port`, it would `memset` the `out` to zero, however, the `memset` is unnecessary before `memcpy`, and may cause undefined behavior if the `outlen` is invalid. This should close #1573.
I used the fuzz testing tool and found that libevent has a stack-buffer-overflow problem. The error code segment is where memcpy is called.This is a bug?
https://github.com/libevent/libevent/blob/release-2.1.12-stable/evutil.c#L2220
The text was updated successfully, but these errors were encountered: