Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Thrift: fix heap-buffer-overflow #2024

Merged
merged 1 commit into from
Jun 26, 2023
Merged

Thrift: fix heap-buffer-overflow #2024

merged 1 commit into from
Jun 26, 2023

Conversation

IvanNardi
Copy link
Collaborator 

==17436==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000918 at pc 0x555890aa73ca bp 0x7ffc7dfb8400 sp 0x7ffc7dfb7bc0
WRITE of size 320 at 0x619000000918 thread T0
    #0 0x555890aa73c9 in __interceptor_strncpy (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_alloc_fail+0x5683c9) (BuildId: 0e490e64c6df5c04fcbece70b3651007bf1b62a3)
    #1 0x555890d6e2f2 in thrift_set_method /home/ivan/svnrepos/nDPI/src/lib/protocols/thrift.c:123:5
    #2 0x555890d6da20 in ndpi_dissect_strict_hdr /home/ivan/svnrepos/nDPI/src/lib/protocols/thrift.c:170:3
    #3 0x555890d6d2bc in ndpi_search_thrift_tcp_udp /home/ivan/svnrepos/nDPI/src/lib/protocols/thrift.c:244:7
    #4 0x555890c659aa in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5940:6
    #5 0x555890c663b7 in check_ndpi_tcp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5988:12
    #6 0x555890c66057 in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6007:12
    #7 0x555890c7719f in ndpi_internal_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7005:15
    #8 0x555890c732f7 in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7172:22
    #9 0x555890b2771a in packet_processing /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:1714:31
    #10 0x555890b22dee in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:2431:10
    #11 0x555890af9fc2 in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader.c:141:7
    #12 0x555890a0b740 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_alloc_fail+0x4cc740) (BuildId: 0e490e64c6df5c04fcbece70b3651007bf1b62a3)
    #13 0x5558909f5ccf in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_alloc_fail+0x4b6ccf) (BuildId: 0e490e64c6df5c04fcbece70b3651007bf1b62a3)
    #14 0x5558909fb796 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_alloc_fail+0x4bc796) (BuildId: 0e490e64c6df5c04fcbece70b3651007bf1b62a3)
    #15 0x555890a24382 in main (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_alloc_fail+0x4e5382) (BuildId: 0e490e64c6df5c04fcbece70b3651007bf1b62a3)
    #16 0x7f2349853082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #17 0x5558909f0bad in _start (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_alloc_fail+0x4b1bad) (BuildId: 0e490e64c6df5c04fcbece70b3651007bf1b62a3)

0x619000000918 is located 0 bytes after 920-byte region [0x619000000580,0x619000000918)
allocated by thread T0 here:

Found by oss-fuzz
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60070

@IvanNardi
Thrift: fix heap-buffer-overflow
bfed3f2 
```
==17436==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000918 at pc 0x555890aa73ca bp 0x7ffc7dfb8400 sp 0x7ffc7dfb7bc0
WRITE of size 320 at 0x619000000918 thread T0
    #0 0x555890aa73c9 in __interceptor_strncpy (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_alloc_fail+0x5683c9) (BuildId: 0e490e64c6df5c04fcbece70b3651007bf1b62a3)
    ntop#1 0x555890d6e2f2 in thrift_set_method /home/ivan/svnrepos/nDPI/src/lib/protocols/thrift.c:123:5
    ntop#2 0x555890d6da20 in ndpi_dissect_strict_hdr /home/ivan/svnrepos/nDPI/src/lib/protocols/thrift.c:170:3
    ntop#3 0x555890d6d2bc in ndpi_search_thrift_tcp_udp /home/ivan/svnrepos/nDPI/src/lib/protocols/thrift.c:244:7
    ntop#4 0x555890c659aa in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5940:6
    ntop#5 0x555890c663b7 in check_ndpi_tcp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5988:12
    ntop#6 0x555890c66057 in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6007:12
    ntop#7 0x555890c7719f in ndpi_internal_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7005:15
    ntop#8 0x555890c732f7 in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7172:22
    ntop#9 0x555890b2771a in packet_processing /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:1714:31
    ntop#10 0x555890b22dee in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:2431:10
    ntop#11 0x555890af9fc2 in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader.c:141:7
    ntop#12 0x555890a0b740 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_alloc_fail+0x4cc740) (BuildId: 0e490e64c6df5c04fcbece70b3651007bf1b62a3)
    ntop#13 0x5558909f5ccf in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_alloc_fail+0x4b6ccf) (BuildId: 0e490e64c6df5c04fcbece70b3651007bf1b62a3)
    ntop#14 0x5558909fb796 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_alloc_fail+0x4bc796) (BuildId: 0e490e64c6df5c04fcbece70b3651007bf1b62a3)
    ntop#15 0x555890a24382 in main (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_alloc_fail+0x4e5382) (BuildId: 0e490e64c6df5c04fcbece70b3651007bf1b62a3)
    ntop#16 0x7f2349853082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    ntop#17 0x5558909f0bad in _start (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_alloc_fail+0x4b1bad) (BuildId: 0e490e64c6df5c04fcbece70b3651007bf1b62a3)

0x619000000918 is located 0 bytes after 920-byte region [0x619000000580,0x619000000918)
allocated by thread T0 here:
```

Found by oss-fuzz
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60070
@sonarcloud
Copy link

sonarcloud bot commented Jun 24, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
0.0% 0.0% Duplication

@utoni utoni merged commit 3a1600f into ntop:dev Jun 26, 2023
@IvanNardi IvanNardi deleted the oss-fuzz-60070 branch June 26, 2023 09:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@utoni utoni utoni approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@IvanNardi @utoni