usim: View Ticket

2020-10-30
08:23		• Closed ticket [d0239da7bb]: uch11.c: heap buffer overflow plus 3 other changes artifact: 7661d4adae user: ams
2020-10-26
14:44		• Ticket [d0239da7bb]: 3 changes artifact: a92c39aa97 user: ams
14:33		• Ticket [d0239da7bb]: 3 changes artifact: d82aea96b3 user: ams
2020-10-05
15:48		• Ticket [d0239da7bb]: 5 changes artifact: 1fc3026725 user: ams
15:48		• New ticket [d0239da7bb]. artifact: 0a7ee89a06 user: ams

Ticket Hash:	d0239da7bb2a17775205b30a7bf01919cf136a63
Title:	uch11.c: heap buffer overflow
Status:	Closed	Type:	Code_Defect
Severity:	Critical	Priority:	Immediate
Subsystem:		Resolution:	Fixed
Last Modified:	2020-10-30 08:23:17 5.03 years ago	Created:	2020-10-05 15:48:42 5.09 years ago
Version Found In:

User Comments:

ams added on 2020-10-05 15:48:42:

There is a heap buffer overflow in uch11.c:

==30853==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000003863 at pc 0x7ffff75fe170 bp 0x7fffffffd3e0 sp 0x7fffffffcb88
READ of size 68 at 0x607000003863 thread T0
    #0 0x7ffff75fe16f  (/usr/lib/gcc/x86_64-pc-linux-gnu/9.3.0/libasan.so.5+0x9a16f)
    #1 0x5555555acb2e in chaos_poll_local /home/ams/l/usim/uch11.c:869
    #2 0x5555555acdb8 in uch11_poll /home/ams/l/usim/uch11.c:891
    #3 0x55555559e629 in run /home/ams/l/usim/ucode.c:1219
    #4 0x555555599156 in main /home/ams/l/usim/usim.c:103
    #5 0x7ffff7264c8c in __libc_start_main ../csu/libc-start.c:308
    #6 0x5555555989f9 in _start (/home/ams/l/usim/usim+0x449f9)

Code in question:

	memcpy(uch11_rcv_buffer, packet, (size_t)size * sizeof(unsigned short));

Should be able to reproduce by compiling with ASAN enabled, and then trying to LOGIN.

ams added on 2020-10-26 14:33:30:

Fixed in [chaos:1e9bef1681].

ams added on 2020-10-26 14:44:23:

Fixed in 1e9bef1681.