Potential access violation / buffer overflow condition #1626

@legendtang

Description

What version of shadowsocks-libev are you using?

v3.0.8

What operating system are you using?

Arch Linux

What did you do?

Nothing but inspecting.

What did you expect to see?

Everything works like a charm.

What did you see instead?

It seems that at

```c
long pos = ftell(f);
```

it uses `ftell` to get the file pointer position, and in this condition

```c
buf = ss_malloc(pos + 1);
```

is `malloc(0)`, but `buf` is directly used at

```c
int nread = fread(buf, pos, 1, f);
```

as a buffer. The return address of `malloc(0)` is generally a valid address but not NULL. To the best of my knowledge, on some virtual file systems or when processing special files, fseek/ftell will return a negative value.

Moreover, according to our test cases, the OS can accept this type of address being written to, but in this condition pos is a size_t, so it is the maximum possible integer. So this is already an exploitable buffer overflow. If this condition is passed, we will also see a buffer underflow at

```c
buf[pos] = '\0'; // end of string
```

Ref: https://stackoverflow.com/questions/40853316/under-what-circumstances-will-fseek-ftell-or-fstat-fail-to-get-the-size-of-a-fil

What is your config in detail (with all sensitive info masked)?
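A hardened version of the read-whole-file pattern discussed in this issue, added here as an example and not code from shadowsocks-libev: it validates the result of fseek()/ftell() before using it as a length, caps the accepted size, and checks the count fread() actually returned. MAX_CONFIG_SIZE, validate_file_size and read_whole_file are names chosen for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest config file we accept; anything bigger is rejected, not allocated. */
#define MAX_CONFIG_SIZE (1L << 20)

/* Check ftell()'s result before using it as an allocation/read length.
 * Negative means ftell() failed (pipes, sockets, some virtual filesystems);
 * cast to size_t that would become a huge length. Returns 0 on success. */
int validate_file_size(long pos, size_t *out)
{
    if (pos < 0 || pos > MAX_CONFIG_SIZE)
        return -1;
    *out = (size_t)pos;
    return 0;
}

/* Read a whole file into a NUL-terminated heap buffer, or return NULL if it
 * cannot be opened, is not seekable, has an unacceptable size or reads short. */
char *read_whole_file(const char *path, size_t *len)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return NULL;
    char *buf = NULL;
    size_t size = 0;
    if (fseek(f, 0, SEEK_END) != 0 || validate_file_size(ftell(f), &size) != 0
        || fseek(f, 0, SEEK_SET) != 0)
        goto out;
    buf = malloc(size + 1);                 /* size <= MAX_CONFIG_SIZE: no wrap */
    if (buf == NULL)
        goto out;
    if (fread(buf, 1, size, f) != size) {   /* trust the count, not 'size' */
        free(buf);
        buf = NULL;
        goto out;
    }
    buf[size] = '\0';
    if (len != NULL)
        *len = size;
out:
    fclose(f);
    return buf;
}
```

Unlike the original sequence, a negative ftell() result or a short read here yields NULL instead of a zero-byte allocation followed by a huge fread().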
