possible overflow bugs #24

Open
harryreps opened this issue Jan 30, 2023 · 2 comments

Comments

@harryreps

sml_parser/src/sml.cpp

Lines 90 to 93 in ca76a0a

    if (currentLevel < MAX_TREE_SIZE)
      currentLevel++;
    nodes[currentLevel] = size;
    SML_TREELOG(currentLevel, "LISTSTART on level %i with %i nodes\n",

Suppose currentLevel = MAX_TREE_SIZE - 1 at Line 90. Then, currentLevel = MAX_TREE_SIZE at Line 92, which leads to the following overflow bug.

==269918==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000f11e4a at pc 0x000000558309 bp 0x7ffde1d4abf0 sp 0x7ffde1d4abe8
WRITE of size 1 at 0x000000f11e4a thread T0
    #0 0x558308 in smlNewList(unsigned char) /home/parallels/sml_parser/src/sml.cpp:92:23
    #1 0x558637 in checkMagicByte(unsigned char&) /home/parallels/sml_parser/src/sml.cpp:118:5
    #2 0x559c52 in smlState(unsigned char&) /home/parallels/sml_parser/src/sml.cpp:292:5
@harryreps

sml_parser/src/sml.cpp

Lines 366 to 369 in ca76a0a

    for (y = 0; y < size; y++) {
      // left shift received bytes to 64 bit signed integer
      val = (val << 8) | listBuffer[i + y];
    }

i+y in the code above may overrun the global buffer listBuffer, leading to the following bug:

==271680==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000f11dd0 at pc 0x00000055a750 bp 0x7fff25f2b3b0 sp 0x7fff25f2b3a8
READ of size 1 at 0x000000f11dd0 thread T0
    #0 0x55a74f in smlOBISByUnit(long long&, signed char&, sml_units_t) /home/parallels/sml_parser/src/sml.cpp:368:28
    #1 0x55a979 in smlOBISWh(double&) /home/parallels/sml_parser/src/sml.cpp:378:3

@harryreps

sml_parser/src/sml.cpp

Lines 303 to 318 in ca76a0a

void smlOBISManufacturer(unsigned char *str, int maxSize)
{
  int i = 0, pos = 0, size = 0;
  while (i < listPos) {
    size = (int)listBuffer[i];
    i++;
    pos++;
    if (pos == 6) {
      /* get manufacturer at position 6 in list */
      size = (size > maxSize - 1) ? maxSize : size;
      memcpy(str, &listBuffer[i + 1], size);
      str[size + 1] = 0;
    }
    i += size + 1;
  }
}

i+1 and size+1 at Lines 313 and 314 may overrun the buffer and lead to the following bug:

==272722==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000f11cc6 at pc 0x000000559dcb bp 0x7ffc4eef20d0 sp 0x7ffc4eef20c8
WRITE of size 1 at 0x000000f11cc6 thread T0
    #0 0x559dca in smlOBISManufacturer(unsigned char*, int) /home/parallels/sml_parser/src/sml.cpp:314:21
    #1 0x557743 in Manufacturer() /home/parallels/sml_parser/src/main.cpp:15:23
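A bounds-checked walk of the same list layout the excerpt above assumes (length byte, one skipped byte, then the payload, manufacturer at position 6), added here as an illustration; it is not the project's code. The sample list and the function name are constructed for this example; every read is checked against the buffer length and the clamp leaves room for the terminator inside the caller's buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample list (not captured from a meter): five one-byte entries,
 * then the manufacturer entry "ABC" at list position 6. Each entry is a length
 * byte, one byte the original code skips, then `length` payload bytes. */
static const unsigned char sample_list[] = {
    0x01, 0x00, 0x00,  0x01, 0x00, 0x00,  0x01, 0x00, 0x00,   /* entries 1..3 */
    0x01, 0x00, 0x00,  0x01, 0x00, 0x00,                      /* entries 4..5 */
    0x03, 0x00, 'A', 'B', 'C'                                 /* entry 6: "ABC" */
};
static const size_t sample_list_len = sizeof sample_list;

/* Hypothetical hardened variant of the excerpt above.
 * Returns the number of bytes copied (always <= maxSize - 1), -1 if the list is
 * cut off before the field is complete, -2 if position 6 is never reached. */
int manufacturer_checked(const unsigned char *buf, size_t buflen,
                         char *str, size_t maxSize)
{
    size_t i = 0, pos = 0;
    if (maxSize == 0) return -1;              /* no room even for the terminator */
    while (i < buflen) {
        size_t size = buf[i];                 /* length byte of this entry */
        i++;
        pos++;
        /* the entry occupies size + 1 bytes from i; reject it if that runs past buflen */
        if (size + 1 > buflen - i) return -1;
        if (pos == 6) {
            size_t n = size;
            if (n > maxSize - 1) n = maxSize - 1;   /* clamp, keeping one byte for NUL */
            memcpy(str, &buf[i + 1], n);
            str[n] = '\0';                    /* terminator stays inside str[0..maxSize-1] */
            return (int)n;
        }
        i += size + 1;
    }
    return -2;
}

int main(void)
{
    char name[4];   /* exactly enough for "ABC" plus the terminator */
    int n = manufacturer_checked(sample_list, sample_list_len, name, sizeof name);
    printf("copied %d bytes: \"%s\"\n", n, name);       /* prints: copied 3 bytes: "ABC" */
    int t = manufacturer_checked(sample_list, sample_list_len - 2, name, sizeof name);
    printf("truncated list -> %d\n", t);                /* prints: truncated list -> -1 */
    return 0;
}
```

With the original clamp (`size > maxSize - 1 ? maxSize : size`) and `str[size + 1] = 0`, the same "ABC" input into a 3-byte buffer would write two bytes past its end; here the clamp yields "AB" and the terminator lands at index 2.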
