Heap-buffer-overflow was found at ./src/core/ddsc/src/dds_stream.c:310:9 #501
Comments
I used Peach Fuzzer to fuzz the HelloworldSubscriber at ./build/bin/HelloworldSubscriber.
After a period of time, a heap-buffer-overflow crash was found by AddressSanitizer. Here is the full crash information.
This problem was found in version v0.1.0.
I guess the problem was in function dds_realloc().
I did a similar fuzz operation on version v0.5.1 too, but the new version does not have this vulnerability.
But I found some similar code around the vulnerability position in the new version.
I am not sure why v0.1.0 has the vulnerability and v0.5.1 does not have it.

This: is trying to It looks to me like your fuzzer flipped two bytes in the length:
but regardless of how that length field got to have this value that is way too large, the cause of the crash is that it did not validate that the input is well-formed. What changed between 0.1.0 and 0.5.0 is a rewrite of the input processing (see 3067a69), precisely because of insufficient input validation. Now, as soon as it receives the sample from the network, it validates the length fields and string terminators embedded in it and rejects it if anything is wrong. The result is that you only get a

This was assigned CVE-2020-18735.

Hi @nluedtke! Thanks for creating (or letting us know)
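To make the maintainer's explanation concrete, here is an added example, not Cyclone DDS code: a deliberately simplified CDR-style string decoder. The wire encoding (4-byte little-endian length counting the NUL, then the bytes), the function names and the constructed sample are all assumptions for illustration. It shows the validation step the reply describes (length checked against the bytes actually received, terminator required, both before any malloc/memcpy), and models the mutation the reply mentions by swapping two bytes of the length field so that a 6-byte string claims to be 100663296 bytes long.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed simplified CDR-style string encoding (not the real Cyclone DDS wire format):
 * 4-byte little-endian length counting the terminating NUL, then exactly that many bytes. */

static uint32_t rd_u32le(const uint8_t *p)
{
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validation pass run on the sample as received, before any allocation or copy: the length
 * must fit in the bytes actually present and the string must be NUL-terminated.
 * Advances *pos past the string on success. */
bool cdr_string_validate(const uint8_t *buf, size_t buflen, size_t *pos)
{
  if (*pos > buflen || buflen - *pos < 4)
    return false;                     /* the length field itself is missing */
  uint32_t len = rd_u32le(buf + *pos);
  size_t off = *pos + 4;
  if (len == 0 || len > buflen - off)
    return false;                     /* would read past the end of the received sample */
  if (buf[off + len - 1] != '\0')
    return false;                     /* missing string terminator */
  *pos = off + len;
  return true;
}

/* Decode one string into a freshly allocated buffer, or return NULL if the input is rejected.
 * Without the validate step this is malloc(len) + memcpy(len) driven by an attacker-controlled
 * length, the pattern that turns an oversized length field into a heap buffer overflow. */
char *cdr_string_read(const uint8_t *buf, size_t buflen, size_t *pos)
{
  size_t start = *pos;
  if (!cdr_string_validate(buf, buflen, pos))
    return NULL;
  uint32_t len = rd_u32le(buf + start);
  char *s = malloc(len);
  if (s == NULL)
    return NULL;
  memcpy(s, buf + start + 4, len);
  return s;
}

/* Constructed sample: the string "hello" (5 characters + NUL = 6 bytes). */
static const uint8_t good_sample[] = { 6, 0, 0, 0, 'h', 'e', 'l', 'l', 'o', 0 };

/* Model of the mutation described in the thread: swapping the lowest and highest bytes of
 * the length field turns 0x00000006 into 0x06000000. Writes the mutated sample into out. */
size_t mutated_sample(uint8_t *out, size_t outlen)
{
  if (outlen < sizeof good_sample)
    return 0;
  memcpy(out, good_sample, sizeof good_sample);
  uint8_t t = out[0];
  out[0] = out[3];
  out[3] = t;
  return sizeof good_sample;
}

/* Length value the decoder sees after the mutation (100663296 for the sample above). */
uint32_t mutated_length(void)
{
  uint8_t m[sizeof good_sample];
  mutated_sample(m, sizeof m);
  return rd_u32le(m);
}

/* Returns 1 if the unmodified sample is accepted and decoded correctly. */
int demo_good(void)
{
  size_t pos = 0;
  char *s = cdr_string_read(good_sample, sizeof good_sample, &pos);
  int ok = s != NULL && strcmp(s, "hello") == 0 && pos == sizeof good_sample;
  free(s);
  return ok;
}

/* Returns 1 if the byte-swapped sample is rejected instead of reaching malloc/memcpy. */
int demo_mutated(void)
{
  uint8_t m[sizeof good_sample];
  size_t n = mutated_sample(m, sizeof m);
  size_t pos = 0;
  return n != 0 && cdr_string_read(m, n, &pos) == NULL;
}

/* Returns 1 if a string whose length is in bounds but lacks the NUL terminator is rejected. */
int demo_unterminated(void)
{
  const uint8_t u[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
  size_t pos = 0;
  return cdr_string_read(u, sizeof u, &pos) == NULL;
}

int main(void)
{
  printf("good sample accepted: %d\n", demo_good());
  printf("mutated length field: %u, rejected: %d\n", (unsigned)mutated_length(), demo_mutated());
  printf("unterminated string rejected: %d\n", demo_unterminated());
  return 0;
}
```

The point of the structure is that rejection happens in one pass over the received bytes, so no downstream code (including any realloc-driven growth) ever sees a length it cannot trust; a decoder that checks lengths only at the point of copying is one missed check away from the same crash.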