Denial-of-service bug #8

Open
GoldBinocle opened this issue Jan 1, 2023 · 0 comments
How to reproduce

Use the prepared patch file reproduce.patch for better illustration.

patch -p1 < reproduce.patch

Compile

make

Start the server

./bin/server/server_ftp.out

Start the client to establish the connection and exit immediately

timeout 1s ./bin/client/client_ftp.out

Then, the server will crash with an AddressSanitizer report:

=================================================================
==1199805==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 512 byte(s) in 1 object(s) allocated from:
    #0 0x55ec05154f7e in __interceptor_malloc (/root/projects/FTP/bin/server/server_ftp.out+0xa6f7e) (BuildId: 66b4d91f9c39c73e3399c16f9d667ddf369a1250)
    #1 0x55ec05192071 in serve_client /root/projects/FTP/server_ftp.c:53:41
    #2 0x55ec05191e28 in main /root/projects/FTP/server_ftp.c:40:2
    #3 0x7f6b1e895d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09) (BuildId: b503275bf9fee51581fdceef97533b194035b4f7)

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x55ec05154f7e in __interceptor_malloc (/root/projects/FTP/bin/server/server_ftp.out+0xa6f7e) (BuildId: 66b4d91f9c39c73e3399c16f9d667ddf369a1250)
    #1 0x55ec0518f917 in client_info_alloc /root/projects/FTP/server_ftp_functions.c:7:49
    #2 0x55ec05191e15 in main /root/projects/FTP/server_ftp.c:39:27
    #3 0x7f6b1e895d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09) (BuildId: b503275bf9fee51581fdceef97533b194035b4f7)

SUMMARY: AddressSanitizer: 520 byte(s) leaked in 2 allocation(s).

Bug analysis

The server uses the function serve_client to handle each connection from the client:

FTP/server_ftp.c

Lines 32 to 41 in 96c1a35

while(1)
{
    if((x = sfd_client = accept(sfd_server, (struct sockaddr*) &sin_client, &size_sockaddr)) < 0)
        er("accept()", x);
    printf(ID "Communication started with %s:%d\n", inet_ntoa(sin_client.sin_addr), ntohs(sin_client.sin_port));
    fflush(stdout);
    struct client_info* ci = client_info_alloc(sfd_client, connection_id++);
    serve_client(ci);
}

In the function serve_client, the memory allocated via malloc is never freed, causing a memory leak.

struct packet* data = (struct packet*) malloc(size_packet);

This bug can cause denial-of-service.
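
The per-connection leak reported above, modelled next to a handler that releases its buffers. This is an added example, not code from the FTP project or the issue author. The struct layouts are assumptions sized to match the 8-byte and 512-byte allocations in the report; `xmalloc`, `xfree`, `outstanding`, `run_connections` and the `release` flag are hypothetical names, and the body of `serve_client` is a stand-in for the real handler.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins: layouts are assumptions matching the report's sizes. */
struct client_info { int sfd; int cid; };   /* 8 bytes */
struct packet { char raw[512]; };           /* 512 bytes */

/* Small allocation table so outstanding memory can be measured and reclaimed. */
#define MAX_LIVE 4096
static void *live[MAX_LIVE];
static size_t live_len[MAX_LIVE];

static void *xmalloc(size_t n) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live_len[i] = n; return live[i] = malloc(n); }
    return NULL;                             /* table full */
}
static void xfree(void *p) {
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (live[i] == p) { free(p); live[i] = NULL; return; }
}
/* Sum what is still allocated, then reclaim it so the demo itself stays clean. */
static size_t outstanding(void) {
    size_t total = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i]) { total += live_len[i]; free(live[i]); live[i] = NULL; }
    return total;
}

/* One connection whose peer closes at once, as with the `timeout 1s` client. */
static void serve_client(struct client_info *ci, int release) {
    struct packet *data = xmalloc(sizeof *data);
    if (data) data->raw[0] = (char)ci->cid;  /* stand-in for packet handling */
    if (release) xfree(data);                /* fix: free on the way out */
}

/* Simulated accept loop; returns the bytes left allocated after n connections. */
static size_t run_connections(int n, int release) {
    for (int i = 0; i < n; i++) {
        struct client_info *ci = xmalloc(sizeof *ci);
        if (!ci) break;
        ci->sfd = 100 + i; ci->cid = i;      /* constructed descriptor and id */
        serve_client(ci, release);
        if (release) xfree(ci);              /* fix: the loop owns ci and frees it */
    }
    return outstanding();
}

int main(void) {
    printf("leaky: %zu bytes after 1000 connections\n", run_connections(1000, 0));
    printf("fixed: %zu bytes after 1000 connections\n", run_connections(1000, 1));
    return 0;
}
```

In the leaky mode each connection leaves 520 bytes behind, the same total as the sanitizer summary, so memory use grows linearly with the number of connections a long-running server has handled.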
