Stack buffer overflow in static void Receive(TCPSocket* socket) at tcpsocket.hpp #31
Comments
Description from recv()'s manual:
So as far as I understand from the manual, because we are creating a buffer of BUFFER_SIZE length and expecting recv() to read at most BUFFER_SIZE bytes into the buffer, it shouldn't crash.
async-sockets-cpp/async-sockets/include/tcpsocket.hpp, lines 99 to 102 in d66588d
I have tried it too: I set the buffer size to 0x10 (16) and sent "123456789123456789123456789" (length = 27). The result was just as the manual defined. It didn't crash. recv() got the packets 16 by 16 until the whole message ended.
Commit 78641cfde398d2cd71649f6911ee1bf4953498c0 resolves this issue. Just a couple of notes:
Hi!
It appears that async-sockets-cpp contains a remote buffer overflow vulnerability in static void Receive(TCPSocket* socket) in tcpsocket.hpp, around lines 102-110. The buffer overflow affects all corresponding TCP servers. The remote buffer overflow can be triggered by connecting to a socket and sending a large buffer of bytes.
async-sockets-cpp/async-sockets/include/tcpsocket.hpp, lines 102 to 110 in d66588d
To confirm the issue, I first compiled the example tcp server from the async-sockets-cpp/examples folder with debug symbols and address sanitizer:
Once the server was compiled, I executed the tcp-server on port 8888:
I then created a Python 3 script that connects to the tcp-server and sends a large packet of around 4096 (or more) bytes:
Executing the above Python 3 script results in the server crashing and producing the following detailed output from AddressSanitizer, showing the location of the stack buffer overflow:
A possible fix could be to check the size of messageLength before copying data to the buffer.
Thanks!
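Added example, not code from async-sockets-cpp: the check this report asks for, written as a helper that validates recv()'s return value before it is used as a copy length, plus a stand-in for recv() so the Receive-style loop runs offline. BUFFER_SIZE = 16, the function names and the 64-byte destination are assumptions; the 27-byte payload is the one from the maintainer's test in the thread above.

```c
#include <string.h>
#include <sys/types.h>
#define BUFFER_SIZE 16  /* assumed; small so "recv() filled the whole buffer" is easy to hit */

enum copy_status { COPY_OK = 0, COPY_BAD_LENGTH = -1, COPY_TOO_LARGE = -2 };

/* Validate recv()'s return value BEFORE using it as a size: reject errors (< 0) and
 * impossible lengths, and require room in dst for the bytes plus a NUL. A length
 * equal to BUFFER_SIZE is legal, so the NUL goes into dst, never at temp[length]. */
static enum copy_status append_received(char *dst, size_t dst_cap, size_t *dst_len,
                                        const char *temp, ssize_t message_length)
{
    if (message_length < 0 || (size_t)message_length > BUFFER_SIZE)
        return COPY_BAD_LENGTH;
    size_t n = (size_t)message_length;
    if (*dst_len >= dst_cap || n + 1 > dst_cap - *dst_len)
        return COPY_TOO_LARGE;
    memcpy(dst + *dst_len, temp, n);
    *dst_len += n;
    dst[*dst_len] = '\0';
    return COPY_OK;
}

/* Stand-in for recv(): serves a constructed payload in chunks of at most
 * buf_len bytes and returns 0 once it is exhausted (peer closed). */
static ssize_t fake_recv(const char *payload, size_t payload_len, size_t *offset,
                         char *buf, size_t buf_len)
{
    size_t left = payload_len - *offset;
    size_t n = left < buf_len ? left : buf_len;
    memcpy(buf, payload + *offset, n);
    *offset += n;
    return (ssize_t)n;
}

/* Constructed destination buffer and a Receive-style loop that fills it. */
static char g_msg[64]; static size_t g_len;
static enum copy_status receive_all(const char *payload, size_t dst_cap)
{
    char temp[BUFFER_SIZE];
    size_t offset = 0, payload_len = strlen(payload);
    if (dst_cap > sizeof g_msg) dst_cap = sizeof g_msg;
    g_len = 0;
    for (;;) {
        ssize_t got = fake_recv(payload, payload_len, &offset, temp, sizeof temp);
        if (got == 0) return COPY_OK;
        enum copy_status st = append_received(g_msg, dst_cap, &g_len, temp, got);
        if (st != COPY_OK) return st;
    }
}
```

With a 64-byte destination the 27-byte payload arrives as 16 + 11 bytes and is terminated inside g_msg; with a 16-byte destination the first full chunk is refused instead of overflowing.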