usim

View Ticket
Ticket Hash: d0239da7bb2a17775205b30a7bf01919cf136a63
Title: uch11.c: heap buffer overflow
Status: Closed
Type: Code_Defect
Severity: Critical
Priority: Immediate
Subsystem:
Resolution: Fixed
Last Modified: 2020-10-30 08:23:17
Version Found In:
User Comments:
ams added on 2020-10-05 15:48:42: (text/x-markdown)
There is a heap buffer overflow in uch11.c:

```
==30853==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000003863 at pc 0x7ffff75fe170 bp 0x7fffffffd3e0 sp 0x7fffffffcb88
READ of size 68 at 0x607000003863 thread T0
    #0 0x7ffff75fe16f  (/usr/lib/gcc/x86_64-pc-linux-gnu/9.3.0/libasan.so.5+0x9a16f)
    #1 0x5555555acb2e in chaos_poll_local /home/ams/l/usim/uch11.c:869
    #2 0x5555555acdb8 in uch11_poll /home/ams/l/usim/uch11.c:891
    #3 0x55555559e629 in run /home/ams/l/usim/ucode.c:1219
    #4 0x555555599156 in main /home/ams/l/usim/usim.c:103
    #5 0x7ffff7264c8c in __libc_start_main ../csu/libc-start.c:308
    #6 0x5555555989f9 in _start (/home/ams/l/usim/usim+0x449f9)
```

[Code in question](https://tumbleweed.nu/r/usim/file?ci=tip&name=uch11.c&ln=867):

```c
	/* uch11.c:869 in the ASAN trace: size is a word count, not checked against the bytes available in packet */
	memcpy(uch11_rcv_buffer, packet, (size_t)size * sizeof(unsigned short));
```

Should be able to reproduce by compiling with ASAN enabled, and then trying to LOGIN.

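As an added illustration of the defect the report describes, and not code from usim, from the linked commit, or from the ticket author: the quoted memcpy beside a checked variant that rejects a word count larger than either the bytes actually received or the receive buffer. The ASAN trace shows a READ overflow at the memcpy, so the copy is reading past the end of `packet`, not past the destination. The buffer capacity, the `rcv_buffer` / `copy_checked` names and the 16-byte packet are assumptions constructed for the example; usim's real fix is in the linked commit and is not reproduced here.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed capacity of the receive buffer, in 16-bit words; usim's real
 * value is not given on the ticket page. */
#define RCV_BUFFER_WORDS 512

/* Stand-in for uch11_rcv_buffer; name and size are assumptions. */
unsigned short rcv_buffer[RCV_BUFFER_WORDS];

/*
 * Same shape as the line quoted in the report: `size` is a word count
 * that is trusted without being compared to the bytes actually received
 * or to the destination capacity. When size*2 exceeds the length of
 * `packet`, memcpy reads past the end of the packet's heap block, which
 * is the READ overflow AddressSanitizer reported.
 */
void copy_unchecked(const void *packet, int size)
{
    memcpy(rcv_buffer, packet, (size_t)size * sizeof(unsigned short));
}

/*
 * Checked variant. packet_len is the number of bytes actually received.
 * Returns the number of words copied, or -1 if the request is rejected.
 * Bounding size before the multiply keeps the byte count from wrapping.
 */
int copy_checked(const void *packet, size_t packet_len, int size)
{
    if (size < 0 || (size_t)size > RCV_BUFFER_WORDS)
        return -1;                      /* would overflow the destination */
    size_t nbytes = (size_t)size * sizeof(unsigned short);
    if (nbytes > packet_len)
        return -1;                      /* would read past the received data */
    memcpy(rcv_buffer, packet, nbytes);
    return size;
}

int main(void)
{
    /* Constructed input: a 16-byte heap packet whose header claims 34
     * words, i.e. the 68-byte read from the sanitizer report. */
    size_t packet_len = 16;
    unsigned char *packet = malloc(packet_len);
    if (packet == NULL)
        return 1;
    memset(packet, 0xAB, packet_len);

    int claimed_words = 34;
    printf("claimed %d words, %zu bytes received: checked copy returns %d\n",
           claimed_words, packet_len,
           copy_checked(packet, packet_len, claimed_words));
    printf("claimed %d words, %zu bytes received: checked copy returns %d\n",
           8, packet_len, copy_checked(packet, packet_len, 8));

    /* copy_unchecked(packet, claimed_words) would reproduce the ASAN
     * heap-buffer-overflow READ; it is only safe when the sizes agree. */
    copy_unchecked(packet, 8);

    free(packet);
    return 0;
}
```

Build with `-fsanitize=address` and call `copy_unchecked(packet, claimed_words)` to see the same class of report as the one above; the checked path refuses that request before any copy happens.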
ams added on 2020-10-26 14:33:30: (text/x-markdown)
Fixed in [chaos:1e9bef1681].

ams added on 2020-10-26 14:44:23: (text/x-fossil-wiki)
Fixed in [chaos:1e9bef1681].