
heap-buffer-overflow on capture.c:923:9 #438

Closed
shinibufa opened this issue Jun 9, 2023 · 2 comments

Comments


shinibufa commented Jun 9, 2023

Hello, Sngrep developers! We recently ran some fuzz testing on sngrep 1.6.0 and encountered a heap-buffer-overflow bug. The ASAN report is provided below.

==909699==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200001137a at pc 0x00000049b787 bp 0x7fa0664f97f0 sp 0x7fa0664f8fb8
READ of size 4 at 0x60200001137a thread T1
#0 0x49b786 in __asan_memcpy (/home/root/sp/Fuzz/aflpp_fuzz/Sngrep/sngrep/sngrep_1/sngrep+0x49b786)
#1 0x4d5def in capture_ws_check_packet /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:923:9
#2 0x4d177f in parse_packet /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:444:9
#3 0x7fa068139466 (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x23466)
#4 0x7fa068127f67 in pcap_loop (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x11f67)
#5 0x4cf5c9 in capture_thread /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:1042:5
#6 0x7fa0680f9608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
#7 0x7fa067ea4132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x60200001137a is located 6 bytes to the right of 4-byte region [0x602000011370,0x602000011374)
allocated by thread T1 here:
#0 0x49c3cd in __interceptor_malloc (/home/root/sp/Fuzz/aflpp_fuzz/Sngrep/sngrep/sngrep_1/sngrep+0x49c3cd)
#1 0x4dc743 in packet_set_payload /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/packet.c:145:27
#2 0x4d4bd5 in capture_packet_reasm_tcp /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:788:9
#3 0x4d1722 in parse_packet /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:433:21
#4 0x7fa068139466 (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x23466)

Thread T1 created by T0 here:
#0 0x486a8c in pthread_create (/home/root/sp/Fuzz/aflpp_fuzz/Sngrep/sngrep/sngrep_1/sngrep+0x486a8c)
#1 0x4d712c in capture_launch_thread /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:1027:13
#2 0x4efb9e in main /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/main.c:433:9
#3 0x7fa067da9082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/root/sp/Fuzz/aflpp_fuzz/Sngrep/sngrep/sngrep_1/sngrep+0x49b786) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c047fffa210: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
0x0c047fffa220: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
0x0c047fffa230: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
0x0c047fffa240: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
0x0c047fffa250: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
=>0x0c047fffa260: fa fa 00 00 fa fa 00 fa fa fa fd fa fa fa 04[fa]
0x0c047fffa270: fa fa fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa2a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa2b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==909699==ABORTING

Command to reproduce the bug:

./sngrep -N -I $crash_seed
The URL of crash_seed is crash_seed

Environment

  • OS: Ubuntu 20.04
  • gcc 9.4.0
  • ndisasm: 1.6.0

Many Thanks.

@Kaian
Member

Kaian commented Jun 9, 2023

Hi @shinibufa

The above commit should fix the overflow by checking the websocket packet size properly.

Thanks a lot for reporting this issue!

Regards

@Kaian Kaian closed this as completed Jun 9, 2023
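The trace above describes a memcpy in capture_ws_check_packet reading past a 4-byte payload allocation, and the fix the maintainer describes is a proper size check on the websocket frame. The following is an added illustration of that check, not sngrep's code (sngrep's capture.c is not shown on this page): a minimal RFC 6455 WebSocket frame header parser that validates every header field and the declared payload length against the bytes actually captured before any copy. The function names ws_parse_frame and ws_copy_payload and the sample frames are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of a guarded WebSocket frame header parse (example type). */
typedef struct {
    int ok;               /* 1 if the whole frame fits in the captured bytes */
    uint8_t opcode;
    int masked;
    size_t header_len;    /* bytes before the payload starts */
    uint64_t payload_len; /* payload length declared by the header */
} ws_frame_t;

/* Parse an RFC 6455 frame header from `buf`, of which `len` bytes were captured.
 * Every read is checked against `len` first, and the declared payload length is
 * checked against the bytes that remain, so a truncated or malformed capture is
 * rejected instead of being read past. */
int ws_parse_frame(const uint8_t *buf, size_t len, ws_frame_t *out)
{
    memset(out, 0, sizeof *out);
    if (buf == NULL || len < 2)
        return 0;

    out->opcode = buf[0] & 0x0f;
    out->masked = (buf[1] & 0x80) != 0;
    uint64_t plen = buf[1] & 0x7f;
    size_t pos = 2;

    if (plen == 126) {               /* 16-bit extended length */
        if (len < pos + 2) return 0;
        plen = ((uint64_t)buf[pos] << 8) | buf[pos + 1];
        pos += 2;
    } else if (plen == 127) {        /* 64-bit extended length */
        if (len < pos + 8) return 0;
        plen = 0;
        for (int i = 0; i < 8; i++)
            plen = (plen << 8) | buf[pos + i];
        pos += 8;
    }
    if (out->masked) {               /* 4-byte masking key precedes the payload */
        if (len < pos + 4) return 0;
        pos += 4;
    }
    /* The decisive check: the payload the header promises must lie inside the
     * captured bytes. Without it, a memcpy of plen bytes reads beyond the
     * allocation, which is exactly what an ASAN heap-buffer-overflow READ
     * report describes. `len >= pos` is guaranteed by the checks above. */
    if (plen > len - pos)
        return 0;

    out->header_len = pos;
    out->payload_len = plen;
    out->ok = 1;
    return 1;
}

/* Copy the payload out only after ws_parse_frame has bounded it; returns the
 * number of bytes copied, or 0 when the frame or destination is too small. */
size_t ws_copy_payload(const uint8_t *buf, size_t len, uint8_t *dst, size_t dst_len)
{
    ws_frame_t f;
    if (!ws_parse_frame(buf, len, &f))
        return 0;
    if (f.payload_len > dst_len)
        return 0;
    memcpy(dst, buf + f.header_len, (size_t)f.payload_len);
    return (size_t)f.payload_len;
}

/* Constructed sample frames, not captured traffic. */
/* Unmasked text frame carrying "SIP\r\n": FIN|text, length 5, complete. */
static const uint8_t good_frame[] = { 0x81, 0x05, 'S', 'I', 'P', '\r', '\n' };
/* Same header, but the capture was cut after two payload bytes. */
static const uint8_t truncated_frame[] = { 0x81, 0x05, 'S', 'I' };
/* Only 3 bytes captured; the header promises a 16-bit length field that is missing. */
static const uint8_t short_ext_frame[] = { 0x81, 0x7e, 0x00 };
/* Masked binary frame, 4-byte key then 2 payload bytes, complete. */
static const uint8_t masked_frame[] = { 0x82, 0x82, 0x01, 0x02, 0x03, 0x04, 'a', 'b' };
/* Masked frame whose key is present but whose payload was never captured. */
static const uint8_t masked_truncated[] = { 0x82, 0x82, 0x01, 0x02, 0x03, 0x04 };

int main(void)
{
    uint8_t out[64];
    printf("good frame: copied %zu bytes\n",
           ws_copy_payload(good_frame, sizeof good_frame, out, sizeof out));
    printf("truncated frame: copied %zu bytes (rejected)\n",
           ws_copy_payload(truncated_frame, sizeof truncated_frame, out, sizeof out));
    printf("short extended-length frame: copied %zu bytes (rejected)\n",
           ws_copy_payload(short_ext_frame, sizeof short_ext_frame, out, sizeof out));
    printf("masked frame: copied %zu bytes\n",
           ws_copy_payload(masked_frame, sizeof masked_frame, out, sizeof out));
    printf("masked truncated frame: copied %zu bytes (rejected)\n",
           ws_copy_payload(masked_truncated, sizeof masked_truncated, out, sizeof out));
    return 0;
}
```

The pattern worth taking from this is that the length a frame header declares is attacker-controlled input and must be compared with the length of the buffer actually in hand before it is used as a memcpy size; building with -fsanitize=address, as the reporter did, turns any remaining miss into the kind of READ report shown above.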
@shinibufa
Author

You are welcome!
