[ https://issues.apache.org/jira/browse/PROTON-649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15129201#comment-15129201 ]
Andrew Stitcher commented on PROTON-649: ---------------------------------------- This was fixed by [~dnwe] in commit dddfde20 last year. - looks like it went into 0.10. > pn_data_vfill buffer read overflow on input beginning with '[' > -------------------------------------------------------------- > > Key: PROTON-649 > URL: https://issues.apache.org/jira/browse/PROTON-649 > Project: Qpid Proton > Issue Type: Bug > Components: proton-c > Affects Versions: 0.7, 0.8 > Reporter: Sahir Hoda > Labels: patch > Original Estimate: 1h > Remaining Estimate: 1h > > If the first character of the format string passed to pn_data_vfill is '[', > the function will access memory at one byte preceding the format buffer. This > is due to the following check: > {code} > case '[': > if (*(fmt - 2) != 'T') { > {code} > if the format character is '[', the memory location preceding the format > character is read. If the string begins with '[', however, this read is > invalid. > I didn't test with proton-0.8, but it appears from code review that the issue > exists there as well. > The following patch protects against the invalid memory access: > {code} > --- a/proton-c/src/codec/codec.c > +++ b/proton-c/src/codec/codec.c > @@ -467,6 +467,7 @@ int pn_data_intern_node(pn_data_t *data, pni_node_t *node) > int pn_data_vfill(pn_data_t *data, const char *fmt, va_list ap) > { > int err; > + const char * orig_fmt = fmt; > while (*fmt) { > char code = *(fmt++); > if (!code) return 0; > @@ -568,7 +569,7 @@ int pn_data_vfill(pn_data_t *data, const char *fmt, > va_list ap) > } > break; > case '[': > - if (*(fmt - 2) != 'T') { > + if ((fmt == (orig_fmt + 1)) || *(fmt - 2) != 'T') { > err = pn_data_put_list(data); > if (err) return err; > pn_data_enter(data); > {code} > I ran into this issue while testing with AddressSanitizer > (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer), here is > the relevant output: > {noformat} > ================================================================= > ==15828==ERROR: AddressSanitizer: global-buffer-overflow on address > 0x7f260637315f at pc 0x7f26062eb6d6 bp 0x7f2602fdaaa0 sp 0x7f2602fdaa98 > READ of size 1 at 0x7f260637315f thread T23 > #0 0x7f26062eb6d5 in pn_data_vfill > qpid-proton/proton-c/src/codec/codec.c:573 > #1 0x7f26062ecabd in pn_data_fill > qpid-proton/proton-c/src/codec/codec.c:667 > #2 0x7f2606319655 in pni_disposition_encode > qpid-proton/proton-c/src/transport/transport.c:384 > #3 0x7f26063267de in pn_post_disp > qpid-proton/proton-c/src/transport/transport.c:1392 > #4 0x7f2606328ddc in pn_process_tpwork_receiver > qpid-proton/proton-c/src/transport/transport.c:1488 > #5 0x7f2606329319 in pn_process_tpwork > qpid-proton/proton-c/src/transport/transport.c:1521 > #6 0x7f260632ad8e in pn_phase > qpid-proton/proton-c/src/transport/transport.c:1693 > #7 0x7f260632ae71 in pn_process > qpid-proton/proton-c/src/transport/transport.c:1711 > #8 0x7f260632b50e in pn_output_write_amqp > qpid-proton/proton-c/src/transport/transport.c:1760 > #9 0x7f260632d26b in pn_io_layer_output_passthru > qpid-proton/proton-c/src/transport/transport.c:1973 > #10 0x7f260632d26b in pn_io_layer_output_passthru > qpid-proton/proton-c/src/transport/transport.c:1973 > #11 0x7f260632bf04 in transport_produce > qpid-proton/proton-c/src/transport/transport.c:1802 > #12 0x7f260632e119 in pn_transport_pending > qpid-proton/proton-c/src/transport/transport.c:2076 > #13 0x7f26063591f0 in pn_connector_process > qpid-proton/proton-c/src/posix/driver.c:507 > ... > 0x7f260637315f is located 52 bytes to the right of global variable '*.LC6' > from 'qpid-proton/proton-c/src/transport/transport.c' (0x7f2606373120) of > size 11 > '*.LC6' is ascii string '[?DL[sSC]]' > 0x7f260637315f is located 1 bytes to the left of global variable '*.LC7' from > 'qpid-proton/proton-c/src/transport/transport.c' (0x7f2606373160) of size 6 > '*.LC7' is ascii string '[ooC]' > SUMMARY: AddressSanitizer: global-buffer-overflow > qpid-proton/proton-c/src/codec/codec.c:573 pn_data_vfill > Shadow bytes around the buggy address: > 0x0fe540c665d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0fe540c665e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0fe540c665f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0fe540c66600: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 01 f9 f9 > 0x0fe540c66610: f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9 00 02 f9 f9 > =>0x0fe540c66620: f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9[f9]06 f9 f9 f9 > 0x0fe540c66630: f9 f9 f9 f9 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9 > 0x0fe540c66640: 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00 > 0x0fe540c66650: 00 00 00 00 00 00 00 00 00 00 01 f9 f9 f9 f9 f9 > 0x0fe540c66660: 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 00 00 00 00 > 0x0fe540c66670: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 04 f9 f9 > Shadow byte legend (one shadow byte represents 8 application bytes): > Addressable: 00 > Partially addressable: 01 02 03 04 05 06 07 > Heap left redzone: fa > Heap right redzone: fb > Freed heap region: fd > Stack left redzone: f1 > Stack mid redzone: f2 > Stack right redzone: f3 > Stack partial redzone: f4 > Stack after return: f5 > Stack use after scope: f8 > Global redzone: f9 > Global init order: f6 > Poisoned by user: f7 > Contiguous container OOB:fc > ASan internal: fe > {noformat} -- This message was sent by Atlassian JIRA (v6.3.4#6332)