This repository has been archived by the owner on Feb 12, 2019. It is now read-only.
I tried to fuzz router and found crashes; the debug info indicates that the crash is caused at config.c:180.
The debug info is as below:
(gdb) r -c FUZZ/afl-output/crashes/id:000004,sig:11,src:000165,op:havoc,rep:16
Starting program: /home/stly/Documents/FuzzTarget/jabberd2/router/router -c FUZZ/afl-output/crashes/id:000004,sig:11,src:000165,op:havoc,rep:16
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
__strncpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:241
241 ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S: No such file or directory.
(gdb) bt
#0 __strncpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:241
#1 0x000000000042a434 in config_load_with_id (c=,
file=, id=) at config.c:180
#2 0x6565656565656565 in ?? ()
#3 0x6565656565656565 in ?? ()
#4 0x6565656565656565 in ?? ()
#5 0x6565656565656565 in ?? ()
#6 0x6565656565656565 in ?? ()
#7 0x6565656565656565 in ?? ()
#8 0x6565656565656565 in ?? ()
#9 0x6565656565656565 in ?? ()
#10 0x6565656565656565 in ?? ()
#11 0x6565656565656565 in ?? ()
#12 0x6565656565656565 in ?? ()
Furthermore, I checked the code at config.c:180. The size of buf is 1024; in the for loop, a buffer overflow may happen if the total size of path[i]->lname is larger than 1024.
/* construct the key from the current path */
177 next = buf;
178 for(j = 1; j < len; j++)
179 {
180 strncpy(next, bd.nad->cdata + path[j]->iname, path[j]->lname);
181 next = next + path[j]->lname;
182 *next = '.';
183 next++;
184 }
Attachment is the test case to trigger the crash, please check it, thanks
id:000004,sig:11,src:000165,op:havoc,rep:16.tar.gz
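To make the defect in the quoted loop concrete, here is an added example (not jabberd2's code and not part of the report): a stand-in for the key construction with the same shape as config.c:177-184 next to a bounded rewrite that computes the required length first and refuses paths that would not fit in the 1024-byte buffer. The `path_elem` struct, the `KEY_BUF_SIZE` constant, the function names and the sample cdata/path are all assumptions constructed for this example; the report's 0x65 ('e') fill is reused only as the sample content of an overlong component.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one nad path entry: an offset into the cdata
 * pool plus a length. Names are assumptions, not jabberd2's real types. */
struct path_elem {
    size_t iname;   /* offset of the element name inside cdata */
    size_t lname;   /* length of the element name */
};

#define KEY_BUF_SIZE 1024  /* the fixed buf size quoted in the report */

/* Same shape as config.c:177-184: every component is copied and followed
 * by '.' with no check against the size of buf. Kept only to show the
 * pattern; lengths from untrusted input must never reach this version. */
static void build_key_unchecked(char *buf, const char *cdata,
                                const struct path_elem *path, size_t len)
{
    char *next = buf;
    for (size_t j = 1; j < len; j++) {
        strncpy(next, cdata + path[j].iname, path[j].lname);
        next += path[j].lname;
        *next = '.';
        next++;
    }
    *next = '\0';
}

/* Bounded rewrite: sum the lengths (with overflow guard) before writing.
 * Returns 0 on success, -1 if the key plus terminator exceeds bufsize. */
static int build_key_checked(char *buf, size_t bufsize, const char *cdata,
                             const struct path_elem *path, size_t len)
{
    size_t need = 1;  /* terminating NUL */
    for (size_t j = 1; j < len; j++) {
        if (path[j].lname > SIZE_MAX - need - 1)
            return -1;                 /* size_t arithmetic would wrap */
        need += path[j].lname + 1;     /* component plus its '.' */
    }
    if (need > bufsize)
        return -1;
    char *next = buf;
    for (size_t j = 1; j < len; j++) {
        memcpy(next, cdata + path[j].iname, path[j].lname);
        next += path[j].lname;
        *next++ = '.';
    }
    *next = '\0';
    return 0;
}

/* Constructed sample: three element names packed into one cdata string.
 * Index 0 stands for the root element, which the loop skips (j starts at 1). */
static const char sample_cdata[] = "routerconfigid";
static const struct path_elem sample_path[] = {
    {0, 0}, {0, 6}, {6, 6}, {12, 2}
};

/* Key built from the constructed sample, or NULL if it did not fit. */
const char *sample_key(void)
{
    static char buf[KEY_BUF_SIZE];
    if (build_key_checked(buf, sizeof buf, sample_cdata, sample_path, 4) != 0)
        return NULL;
    return buf;
}

/* Result of build_key_checked for a single component of overlong_len bytes,
 * the kind of length a fuzzer produces. -2 means the sample pool is too small. */
int overlong_result(size_t overlong_len)
{
    static char cdata[4096];
    char buf[KEY_BUF_SIZE];
    struct path_elem path[2] = { {0, 0}, {0, overlong_len} };
    if (overlong_len > sizeof cdata)
        return -2;
    memset(cdata, 'e', sizeof cdata);  /* 0x65 bytes, as in the crash frames */
    return build_key_checked(buf, sizeof buf, cdata, path, 2);
}

int main(void)
{
    char buf[KEY_BUF_SIZE];
    build_key_unchecked(buf, sample_cdata, sample_path, 4);  /* fits: safe here */
    printf("unchecked: %s\n", buf);
    printf("checked:   %s\n", sample_key());
    printf("1022-byte component: %d\n", overlong_result(1022));
    printf("1023-byte component: %d\n", overlong_result(1023));
    return 0;
}
```

The boundary is 1022 bytes for a single component: 1022 bytes plus the '.' plus the terminator is exactly 1024, while one more byte needs 1025 and is rejected instead of running past `buf` and, as in the report's backtrace, overwriting the return addresses above it with 0x65.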