arunm2110 changed the title from "Heap Use After Free in server_example_goose" to "Heap Use After Free in server_example_goose and server_example_61400_25" on Jan 15, 2019
Hi Team,
There is a Heap Use After Free in server_example_goose and server_example_61400_25.
Snip
server_example_goose.c
server_example_61400_25.c
=================================================================================
For server_example_goose
Starting server failed! Exit.
==5820==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e00000dcc8 at pc 0x00000046d043 bp 0x7fdf9f6fedc0 sp 0x7fdf9f6fedb0
READ of size 8 at 0x60e00000dcc8 thread T1
#0 0x46d042 in getState /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_server/iso_server.c:115
#1 0x46dffe in IsoServer_waitReady /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_server/iso_server.c:645
#2 0x477737 in MmsServer_waitReady /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_mms/server/mms_server.c:461
#3 0x42b30c in IedServer_waitReady /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:668
#4 0x42adbb in singleThreadedServerThread /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:566
#5 0x50dea5 in destroyAutomaticThread /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/hal/thread/linux/thread_linux.c:90
#6 0x7fdfa287b6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#7 0x7fdfa25b141c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
0x60e00000dcc8 is located 8 bytes inside of 152-byte region [0x60e00000dcc0,0x60e00000dd58)
freed by thread T0 here:
#0 0x7fdfa2b292ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x50e895 in Memory_free /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/hal/memory/lib_memory.c:82
#2 0x46e520 in IsoServer_destroy /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_server/iso_server.c:817
#3 0x476dc7 in MmsServer_destroy /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_mms/server/mms_server.c:296
#4 0x42aa3a in IedServer_destroy /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:505
#5 0x41765b in main /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/examples/server_example_goose/server_example_goose.c:82
#6 0x7fdfa24ca82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T0 here:
#0 0x7fdfa2b2979a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
#1 0x50e82e in Memory_calloc /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/hal/memory/lib_memory.c:59
#2 0x46da7f in IsoServer_create /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_server/iso_server.c:510
#3 0x475ea8 in MmsServer_create /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_mms/server/mms_server.c:55
#4 0x42a39e in IedServer_createWithConfig /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:434
#5 0x42a97d in IedServer_create /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:483
#6 0x417536 in main /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/examples/server_example_goose/server_example_goose.c:56
#7 0x7fdfa24ca82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Thread T1 created by T0 here:
#0 0x7fdfa2ac7253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x50df2e in Thread_start /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/hal/thread/linux/thread_linux.c:101
#2 0x42af4f in IedServer_start /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:595
#3 0x4175b4 in main /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/examples/server_example_goose/server_example_goose.c:66
#4 0x7fdfa24ca82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-use-after-free /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_server/iso_server.c:115 getState
Shadow bytes around the buggy address:
0x0c1c7fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1c7fff9b90: fa fa fa fa fa fa fa fa fd[fd]fd fd fd fd fd fd
0x0c1c7fff9ba0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c1c7fff9bb0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff9bc0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x0c1c7fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff9be0: 00 00 00 fa fa fa fa fa fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==5820==ABORTING
===============================================================================
For server_example_61400_25
Starting server failed! Exit.
==6075==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e00000de88 at pc 0x00000047038d bp 0x7f9ae7ffedc0 sp 0x7f9ae7ffedb0
READ of size 8 at 0x60e00000de88 thread T1
#0 0x47038c in getState /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_server/iso_server.c:115
#1 0x471348 in IsoServer_waitReady /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_server/iso_server.c:645
#2 0x47aa81 in MmsServer_waitReady /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_mms/server/mms_server.c:461
#3 0x42e656 in IedServer_waitReady /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:668
#4 0x42e105 in singleThreadedServerThread /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:566
#5 0x5111ef in destroyAutomaticThread /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/hal/thread/linux/thread_linux.c:90
#6 0x7f9aeb1996b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#7 0x7f9aeaecf41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
0x60e00000de88 is located 8 bytes inside of 152-byte region [0x60e00000de80,0x60e00000df18)
freed by thread T0 here:
#0 0x7f9aeb4472ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x511bdf in Memory_free /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/hal/memory/lib_memory.c:82
#2 0x47186a in IsoServer_destroy /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_server/iso_server.c:817
#3 0x47a111 in MmsServer_destroy /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_mms/server/mms_server.c:296
#4 0x42dd84 in IedServer_destroy /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:505
#5 0x41aa9a in main /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/examples/server_example_61400_25/server_example_61400_25.c:85
#6 0x7f9aeade882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T0 here:
#0 0x7f9aeb44779a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
#1 0x511b78 in Memory_calloc /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/hal/memory/lib_memory.c:59
#2 0x470dc9 in IsoServer_create /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_server/iso_server.c:510
#3 0x4791f2 in MmsServer_create /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_mms/server/mms_server.c:55
#4 0x42d6e8 in IedServer_createWithConfig /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:434
#5 0x42dcc7 in IedServer_create /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:483
#6 0x41aa19 in main /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/examples/server_example_61400_25/server_example_61400_25.c:71
#7 0x7f9aeade882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Thread T1 created by T0 here:
#0 0x7f9aeb3e5253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x511278 in Thread_start /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/hal/thread/linux/thread_linux.c:101
#2 0x42e299 in IedServer_start /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:595
#3 0x41aa6b in main /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/examples/server_example_61400_25/server_example_61400_25.c:81
#4 0x7f9aeade882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-use-after-free /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_server/iso_server.c:115 getState
Shadow bytes around the buggy address:
0x0c1c7fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1c7fff9bd0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1c7fff9be0: fd fd fd fa fa fa fa fa fa fa fa fa 00 00 00 00
0x0c1c7fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
0x0c1c7fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==6075==ABORTING
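Added example, not code from the libiec61850 project or from the reporter. Both traces above describe the same teardown race rather than a protocol-parsing bug: the main thread T0 calls IedServer_destroy right after "Starting server failed!", and IsoServer_destroy frees the 152-byte IsoServer struct, while T1, the thread that IedServer_start created, is still polling that same struct in IsoServer_waitReady -> getState. The C program below reproduces that lifecycle with hypothetical names (struct server, worker, server_start, server_destroy_safe and server_destroy_racy are all assumptions for this illustration) and shows the teardown a practitioner would look for on the failure path: tell the worker to stop, join it, and only then free the object. Which of these steps the library's own fix took is not stated on this page.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <time.h>

/* Hypothetical analogue of the IsoServer object in the trace: a heap struct
 * owned by the application thread (T0) and polled by a worker thread (T1).
 * Names and layout are assumptions for this example, not libiec61850 code. */
enum server_state { STATE_IDLE = 0, STATE_READY = 1 };

struct server {
    atomic_int state;          /* STATE_IDLE until the owner marks it ready */
    atomic_int stop_request;   /* owner sets 1 to make the worker exit */
    pthread_t  thread;
    int        thread_started; /* written only by the owner thread */
};

static void sleep_ms(long ms)
{
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* Analogue of the waitReady()/getState() loop in the trace: keeps
 * dereferencing the shared object until it is ready or told to stop. */
static void *worker(void *arg)
{
    struct server *self = arg;
    while (atomic_load(&self->state) == STATE_IDLE &&
           !atomic_load(&self->stop_request))
        sleep_ms(1);
    return NULL;
}

struct server *server_create(void)
{
    return calloc(1, sizeof(struct server));
}

/* Returns 0 if the worker thread was started, -1 otherwise. */
int server_start(struct server *s)
{
    if (pthread_create(&s->thread, NULL, worker, s) != 0)
        return -1;
    s->thread_started = 1;
    return 0;
}

void server_mark_ready(struct server *s)
{
    atomic_store(&s->state, STATE_READY);
}

/* Racy teardown, shaped like the path in the report: frees the object while
 * the worker may still be inside its wait loop. Never called here; under
 * AddressSanitizer it yields the same heap-use-after-free read in worker(). */
void server_destroy_racy(struct server *s)
{
    free(s);
}

/* Hardened teardown: request stop and join the worker BEFORE the free, so no
 * thread can still hold a pointer into the object. Returns 1 if the worker was
 * still waiting when teardown began (the window in the report), 0 if it had
 * already seen READY, -1 if no worker was ever started. */
int server_destroy_safe(struct server *s)
{
    int was_waiting = -1;
    if (s->thread_started) {
        was_waiting = (atomic_load(&s->state) == STATE_IDLE);
        atomic_store(&s->stop_request, 1);
        pthread_join(s->thread, NULL);   /* worker has returned; s is unshared */
    }
    free(s);
    return was_waiting;
}

/* Models the reported main(): start the worker, startup fails, destroy at once. */
int run_failed_start_scenario(void)
{
    struct server *s = server_create();
    if (s == NULL)
        return -1;
    if (server_start(s) != 0) {
        free(s);   /* no thread exists yet, so a plain free is safe here */
        return -1;
    }
    /* Startup is treated as failed at this point; the worker is still polling. */
    return server_destroy_safe(s);   /* 1: worker caught mid-wait and joined */
}

/* Normal lifecycle for contrast: the server becomes ready before teardown. */
int run_normal_scenario(void)
{
    struct server *s = server_create();
    if (s == NULL || server_start(s) != 0) {
        free(s);
        return -1;
    }
    server_mark_ready(s);
    sleep_ms(5);                     /* let the worker observe READY and exit */
    return server_destroy_safe(s);   /* 0: worker had already left the wait loop */
}
```

To see the reported failure mode reproduced, swap server_destroy_racy for server_destroy_safe in run_failed_start_scenario and build with `cc -g -fsanitize=address -pthread`; ASan reports the read in worker() against the region freed by the owner, the same shape as the getState frame above. ThreadSanitizer (`-fsanitize=thread`) flags the same pattern as a data race even on runs where the free happens to land after the worker's last read, which is why a clean run of the release binary proves nothing here.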