
heap-buffer-overflow in ghazel branch #65

Closed
inetic opened this issue Jun 22, 2017 · 2 comments

Comments

@inetic
Contributor

inetic commented Jun 22, 2017

Can be reproduced when AddressSanitizer env options are set like this:

export ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-4.0/bin/llvm-symbolizer
export MSAN_SYMBOLIZER_PATH=/usr/lib/llvm-4.0/bin/llvm-symbolizer
export ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1

=================================================================
==24533==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000027ee at pc 0x000000449d74 bp 0x7ffeaa98bfa0 sp 0x7ffeaa98b750
READ of size 5 at 0x6250000027ee thread T0
#0 0x449d73 in StrtolFixAndCheck(void*, char const*, char**, char*, int) (/home/peter/work/dcdn-ghazel/injector+0x449d73)
#1 0x44a2a1 in __interceptor_strtoll (/home/peter/work/dcdn-ghazel/injector+0x44a2a1)
#2 0x58054f in BencEntity::ParseNum(unsigned char const*) /home/peter/work/dcdn-ghazel/libbtdht/btutils/src/bencoding.cpp:544:11
#3 0x580624 in BencEntity::SetParsed(IBencParser::PARSE_T, unsigned char const*, unsigned long, BencEntity::AllocRegime*) /home/peter/work/dcdn-ghazel/libbtdht/btutils/src/bencoding.cpp:558:5
#4 0x580d7b in BencodedDict::ResumeDict(IBencParser*, BencEntity**, BencEntity::AllocRegime*) /home/peter/work/dcdn-ghazel/libbtdht/btutils/src/bencoding.cpp:703:11
#5 0x5810ca in BencEntity::DoParse(BencEntity&, IBencParser*, BencEntity::AllocRegime*) /home/peter/work/dcdn-ghazel/libbtdht/btutils/src/bencoding.cpp:811:39
#6 0x580472 in BencEntity::Parse(unsigned char const*, BencEntity&, unsigned char const*) /home/peter/work/dcdn-ghazel/libbtdht/btutils/src/bencoding.cpp:759:7
#7 0x514ff1 in load_dht_state(BencEntity*) /home/peter/work/dcdn-ghazel/dht.cpp:71:5
#8 0x5496a1 in DhtImpl::LoadState() /home/peter/work/dcdn-ghazel/libbtdht/src/DhtImpl.cpp:3827:2
#9 0x549501 in DhtImpl::Initialize(UDPSocketInterface*, UDPSocketInterface*) /home/peter/work/dcdn-ghazel/libbtdht/src/DhtImpl.cpp:359:2
#10 0x548ce9 in DhtImpl::DhtImpl(UDPSocketInterface*, UDPSocketInterface*, void (*)(unsigned char const*, int), void (*)(BencEntity*), ExternalIPCounter*) /home/peter/work/dcdn-ghazel/libbtdht/src/DhtImpl.cpp:246:2
#11 0x545c45 in create_dht(UDPSocketInterface*, UDPSocketInterface*, void (*)(unsigned char const*, int), void (*)(BencEntity*), ExternalIPCounter*) /home/peter/work/dcdn-ghazel/libbtdht/src/dht.cpp:30:29
#12 0x515a61 in dht_setup /home/peter/work/dcdn-ghazel/dht.cpp:125:15
#13 0x52580a in network_setup /home/peter/work/dcdn-ghazel/network.c:163:14
#14 0x5231bc in main /home/peter/work/dcdn-ghazel/injector.c:388:18
#15 0x7f28255f182f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#16 0x41cec8 in _start (/home/peter/work/dcdn-ghazel/injector+0x41cec8)

0x6250000027ee is located 0 bytes to the right of 9966-byte region [0x625000000100,0x6250000027ee)
allocated by thread T0 here:
#0 0x4d5548 in __interceptor_malloc (/home/peter/work/dcdn-ghazel/injector+0x4d5548)
#1 0x514faf in load_dht_state(BencEntity*) /home/peter/work/dcdn-ghazel/dht.cpp:67:24
#2 0x5496a1 in DhtImpl::LoadState() /home/peter/work/dcdn-ghazel/libbtdht/src/DhtImpl.cpp:3827:2
#3 0x549501 in DhtImpl::Initialize(UDPSocketInterface*, UDPSocketInterface*) /home/peter/work/dcdn-ghazel/libbtdht/src/DhtImpl.cpp:359:2
#4 0x548ce9 in DhtImpl::DhtImpl(UDPSocketInterface*, UDPSocketInterface*, void (*)(unsigned char const*, int), void (*)(BencEntity*), ExternalIPCounter*) /home/peter/work/dcdn-ghazel/libbtdht/src/DhtImpl.cpp:246:2
#5 0x545c45 in create_dht(UDPSocketInterface*, UDPSocketInterface*, void (*)(unsigned char const*, int), void (*)(BencEntity*), ExternalIPCounter*) /home/peter/work/dcdn-ghazel/libbtdht/src/dht.cpp:30:29
#6 0x515a61 in dht_setup /home/peter/work/dcdn-ghazel/dht.cpp:125:15
#7 0x52580a in network_setup /home/peter/work/dcdn-ghazel/network.c:163:14
#8 0x5231bc in main /home/peter/work/dcdn-ghazel/injector.c:388:18
#9 0x7f28255f182f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/peter/work/dcdn-ghazel/injector+0x449d73) in StrtolFixAndCheck(void*, char const*, char**, char*, int)
Shadow bytes around the buggy address:
0x0c4a7fff84a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff84b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff84c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff84d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff84e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff84f0: 00 00 00 00 00 00 00 00 00 00 00 00 00[06]fa fa
0x0c4a7fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==24533==ABORTING
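The trace above ends in the strtoll interceptor reading the byte just past a 9966-byte malloc'd region, i.e. the strtol family scanning a buffer that has no terminator inside its allocation. The following is an added example, not code from this issue or from libbtdht: a length-bounded parser for a bencoded integer (`i<digits>e`) that never reads beyond the supplied length and reports a truncated input instead of running off the end, plus a helper that gives a raw file image the NUL terminator the strtol family requires before it is handed to such a function. All names here (`benc_parse_int`, `copy_with_terminator`, the status enum) are hypothetical, and the numeric-range and leading-zero checks go beyond the single case the trace shows.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical status codes for the bounded parser below. */
typedef enum { BENC_OK, BENC_TRUNCATED, BENC_MALFORMED, BENC_OVERFLOW } benc_status;

/* Parse a bencoded integer "i<digits>e" from buf[0..len) without ever
 * touching buf[len] or beyond. Unlike strtoll, a missing terminator is
 * reported as BENC_TRUNCATED rather than read past the buffer.
 * On BENC_OK, *out holds the value and *consumed the bytes used. */
benc_status benc_parse_int(const unsigned char *buf, size_t len,
                           long long *out, size_t *consumed)
{
    if (len == 0 || buf[0] != 'i') return BENC_MALFORMED;
    size_t i = 1;
    bool neg = false;
    if (i < len && buf[i] == '-') { neg = true; i++; }

    size_t digits_start = i;
    unsigned long long acc = 0;
    while (i < len && buf[i] >= '0' && buf[i] <= '9') {
        unsigned d = (unsigned)(buf[i] - '0');
        /* acc * 10 + d must stay within unsigned long long. */
        if (acc > (ULLONG_MAX - d) / 10) return BENC_OVERFLOW;
        acc = acc * 10 + d;
        i++;
    }
    if (i == digits_start)                 /* no digits at all */
        return (i < len) ? BENC_MALFORMED : BENC_TRUNCATED;
    /* bencode forbids leading zeros and "-0". */
    if (buf[digits_start] == '0' && (i - digits_start > 1 || neg))
        return BENC_MALFORMED;
    if (i >= len) return BENC_TRUNCATED;   /* 'e' would lie past the buffer */
    if (buf[i] != 'e') return BENC_MALFORMED;
    i++;

    if (neg) {
        if (acc > (unsigned long long)LLONG_MAX + 1ULL) return BENC_OVERFLOW;
        *out = (acc == (unsigned long long)LLONG_MAX + 1ULL)
                   ? LLONG_MIN : -(long long)acc;
    } else {
        if (acc > (unsigned long long)LLONG_MAX) return BENC_OVERFLOW;
        *out = (long long)acc;
    }
    *consumed = i;
    return BENC_OK;
}

/* Copy an exact-size file image into a buffer one byte longer and NUL
 * terminate it: the precondition any strtol-family call needs so that its
 * scan stops inside the allocation. Caller frees the result. */
unsigned char *copy_with_terminator(const unsigned char *data, size_t len)
{
    unsigned char *buf = malloc(len + 1);
    if (!buf) return NULL;
    memcpy(buf, data, len);
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed sample: a 3-byte image with no 'e' and no NUL. */
    const unsigned char image[3] = { 'i', '4', '2' };
    long long v = 0;
    size_t used = 0;
    benc_status st = benc_parse_int(image, sizeof image, &v, &used);
    printf("truncated image -> status %d (1 = BENC_TRUNCATED)\n", (int)st);

    unsigned char *safe = copy_with_terminator(image, sizeof image);
    if (safe) {
        /* With a terminator in place strtoll stops at buf[3] instead of
         * reading past the end; the value 42 is still not a complete entity. */
        printf("strtoll on terminated copy -> %lld\n", strtoll((char *)safe + 1, NULL, 10));
        free(safe);
    }
    return 0;
}
```

The parser treats "no terminator within `len`" as a distinct outcome from "bad syntax", which is the property the sanitizer report is about: a reader of an exact-size allocation must stop at `len`, not at whatever byte happens to follow it.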

@inetic
Contributor Author

inetic commented Jun 22, 2017

I believe this one has been fixed in the master branch with this commit.

@inetic inetic changed the title heap-buffer-overflow on ghazel branch heap-buffer-overflow in ghazel branch Jun 22, 2017
@shalunov
Contributor

shalunov commented Sep 5, 2017

Not sure what's up with the sanitizer, but the use of the API is correct.

@shalunov shalunov closed this as completed Sep 5, 2017