What version of shadowsocks-libev are you using?
v3.0.8
What operating system are you using?
Arch Linux
What did you do?
Nothing but inspecting.
What did you expect to see?
Everything works like a charm.
What did you see instead?
It seems that at shadowsocks-libev/src/jconf.c, line 163 in 7c5416b, ftell is used to get the file pointer position, and in this condition (shadowsocks-libev/src/jconf.c, line 170 in 7c5416b) buf is directly used at shadowsocks-libev/src/jconf.c, line 175 in 7c5416b, as a buffer. The return address of malloc(0) is generally a valid address but not NULL. To the best of my knowledge, on some virtual file systems or when processing a special file, fseek/ftell will return a negative value.
Moreover, according to our test cases, the OS can accept this type of address being written to, but in this condition pos is a size_t, so it is the max possible integer. So this is already an exploitable buffer overflow. If this condition is passed, we will also see a buffer underflow at shadowsocks-libev/src/jconf.c, line 181 in 7c5416b.
Ref: https://stackoverflow.com/questions/40853316/under-what-circumstances-will-fseek-ftell-or-fstat-fail-to-get-the-size-of-a-fil
What is your config in detail (with all sensitive info masked)?
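The fseek/ftell pattern described in the report, reconstructed as an added example beside a checked version. This is illustrative code written for this page, not the project's jconf.c: the function names, the CONF_SIZE_LIMIT cap and the sample config in the test are assumptions. The unchecked variant shows the chain the report describes (ftell's -1L stored in a size_t becomes SIZE_MAX, malloc(pos + 1) wraps to malloc(0) and returns a non-NULL pointer, fread writes past it, and buf[pos] lands at buf[-1]); the checked variant rejects a negative or oversized ftell result before any allocation happens and NUL-terminates at the byte count fread actually returned.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound on a config file; the project defines no such cap. */
#define CONF_SIZE_LIMIT (16UL * 1024 * 1024)

/* Vulnerable pattern as described in the report (illustration only, not the
 * project's code). When ftell() fails, e.g. on a pipe or a special file, it
 * returns -1L; stored in a size_t that is SIZE_MAX. malloc(SIZE_MAX + 1)
 * wraps to malloc(0), which on common libcs returns a valid non-NULL pointer,
 * fread() then writes file contents past that allocation, and buf[pos] is
 * buf[SIZE_MAX], i.e. one byte before the allocation. Do not call this on
 * input you do not control. */
char *read_conf_unchecked(FILE *f)
{
    fseek(f, 0, SEEK_END);
    size_t pos = ftell(f);          /* ftell() returns long; -1L -> SIZE_MAX */
    fseek(f, 0, SEEK_SET);
    char *buf = malloc(pos + 1);    /* SIZE_MAX + 1 wraps to 0 */
    if (buf == NULL)
        return NULL;
    fread(buf, pos, 1, f);          /* heap overflow when pos == SIZE_MAX */
    buf[pos] = '\0';                /* write at buf[-1] when pos == SIZE_MAX */
    return buf;
}

/* Converts an ftell() result to a byte count. Returns 0 on success and -1 if
 * ftell() reported failure (negative value) or the size exceeds the cap, so
 * that an error code never reaches malloc() or fread() as a length. */
int size_from_ftell(long pos, size_t *out)
{
    if (pos < 0)
        return -1;                  /* ftell() failed: ESPIPE, EOVERFLOW, ... */
    if ((unsigned long)pos > CONF_SIZE_LIMIT)
        return -1;                  /* refuse absurd sizes before allocating */
    *out = (size_t)pos;
    return 0;
}

/* Checked read: every stdio call is tested, the length is validated before it
 * is used, and the terminator is placed at the number of bytes really read. */
char *read_conf_checked(FILE *f, size_t *len_out)
{
    if (fseek(f, 0, SEEK_END) != 0)
        return NULL;
    size_t size;
    if (size_from_ftell(ftell(f), &size) != 0)
        return NULL;
    if (fseek(f, 0, SEEK_SET) != 0)
        return NULL;
    char *buf = malloc(size + 1);   /* size <= CONF_SIZE_LIMIT, cannot wrap */
    if (buf == NULL)
        return NULL;
    size_t n = fread(buf, 1, size, f);
    if (ferror(f)) {
        free(buf);
        return NULL;
    }
    buf[n] = '\0';                  /* n <= size, so index n is in bounds */
    if (len_out != NULL)
        *len_out = n;
    return buf;
}

/* Stand-alone use: reads the file named on the command line (or stdin).
 * Piping into stdin makes fseek()/ftell() fail and the read is refused. */
int main(int argc, char **argv)
{
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : stdin;
    if (f == NULL) {
        perror("fopen");
        return 1;
    }
    size_t len = 0;
    char *buf = read_conf_checked(f, &len);
    if (buf == NULL) {
        fprintf(stderr, "refused: file size could not be determined safely\n");
        return 1;
    }
    printf("read %zu bytes\n", len);
    free(buf);
    return 0;
}
```

Try `echo '{}' | ./a.out` against the checked reader: stdin is a pipe, fseek fails, and the program exits without allocating, which is the path on which the unchecked variant would have corrupted the heap.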