Ticket Hash: d0239da7bb2a17775205b30a7bf01919cf136a63
Title: uch11.c: heap buffer overflow
Status: Closed
Type: Code_Defect
Severity: Critical
Priority: Immediate
Subsystem:
Resolution: Fixed
Last Modified: 2020-10-30 08:23:17
Version Found In:

User Comments:
ams added on 2020-10-05 15:48:42:
(text/x-markdown)

There is a heap buffer overflow in uch11.c:

```
==30853==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000003863 at pc 0x7ffff75fe170 bp 0x7fffffffd3e0 sp 0x7fffffffcb88
READ of size 68 at 0x607000003863 thread T0
    #0 0x7ffff75fe16f  (/usr/lib/gcc/x86_64-pc-linux-gnu/9.3.0/libasan.so.5+0x9a16f)
    #1 0x5555555acb2e in chaos_poll_local /home/ams/l/usim/uch11.c:869
    #2 0x5555555acdb8 in uch11_poll /home/ams/l/usim/uch11.c:891
    #3 0x55555559e629 in run /home/ams/l/usim/ucode.c:1219
    #4 0x555555599156 in main /home/ams/l/usim/usim.c:103
    #5 0x7ffff7264c8c in __libc_start_main ../csu/libc-start.c:308
    #6 0x5555555989f9 in _start (/home/ams/l/usim/usim+0x449f9)
```

[Code in question](https://tumbleweed.nu/r/usim/file?ci=tip&name=uch11.c&ln=867):

```
memcpy(uch11_rcv_buffer, packet, (size_t)size * sizeof(unsigned short));
```

Should be able to reproduce by compiling with ASAN enabled, and then trying to LOGIN.

ams added on 2020-10-26 14:33:30:
(text/x-markdown)

Fixed in [chaos:1e9bef1681].

ams added on 2020-10-26 14:44:23:
(text/x-fossil-wiki)

Fixed in [chaos:1e9bef1681].
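The defect reported above is a `memcpy` whose byte count comes from a packet-supplied `size` with no check against either the source packet or the destination buffer. The following is an added illustration, not usim's code and not the fix in [chaos:1e9bef1681]: `receive_packet`, `RCV_BUFFER_WORDS` and `sample_packet` are hypothetical names chosen for this example, and the buffer capacity is an assumed value.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity for a receive buffer modelled on uch11_rcv_buffer;
 * the real buffer size in usim is not stated in the ticket. */
#define RCV_BUFFER_WORDS 64
static unsigned short rcv_buffer[RCV_BUFFER_WORDS];

/* Copy 'size' 16-bit words from 'packet' into rcv_buffer.
 * 'packet_len' is the number of bytes actually present in 'packet'.
 * Returns the number of words copied, or -1 if the copy would read past
 * the packet (the READ overflow ASAN reported) or write past rcv_buffer.
 * Both checks happen before memcpy touches any memory. */
int receive_packet(const unsigned short *packet, size_t packet_len, size_t size)
{
    if (packet == NULL)
        return -1;
    if (size > RCV_BUFFER_WORDS)                     /* destination bound */
        return -1;
    if (size > packet_len / sizeof(unsigned short))  /* source bound */
        return -1;
    /* size <= RCV_BUFFER_WORDS, so this multiplication cannot wrap. */
    memcpy(rcv_buffer, packet, size * sizeof(unsigned short));
    return (int)size;
}

/* Constructed sample input: a 10-word packet (20 bytes). */
const unsigned short sample_packet[10] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
const size_t sample_packet_len = sizeof(sample_packet);

int main(void)
{
    /* In-bounds request succeeds; the two over-long requests are rejected
     * instead of reading 68 bytes out of a 20-byte packet as in the trace. */
    printf("copy 10 words: %d\n", receive_packet(sample_packet, sample_packet_len, 10));
    printf("copy 34 words: %d\n", receive_packet(sample_packet, sample_packet_len, 34));
    printf("copy 100 words: %d\n", receive_packet(sample_packet, sample_packet_len, 100));
    return 0;
}
```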