Gitiles
Code Review Sign In
gerrit.osmocom.org / libosmocore / 757dea8d4abf611f40f39a128a970f8a6cb3c547
commit757dea8d4abf611f40f39a128a970f8a6cb3c547[log] [tgz]
authorVadim Yanitskiy <axilirator@gmail.com>Sat Jul 27 23:57:12 2019 +0700
committerVadim Yanitskiy <axilirator@gmail.com>Tue Jul 30 17:17:15 2019 +0000
treee425fd7e370b68193507aa33be9c13b7c09f2471
parent74b6ff074b421c52e11fad0733ca9490eddc42dd [diff]
vty/vty.c: fix vty_read(): prevent further heap-buffer overrun

After reading data from the socket, assigned to a given VTY, we
need to '\0'-terminate the received string. Otherwise, further
access to that string, stored in a heap buffer vty->buf, would
lead to a heap overrun.

== How to reproduce?

  $ python -c "print 'A' * 512" | telnet $HOST $PORT

  ==21264==ERROR: AddressSanitizer: heap-buffer-overflow on address
                                    0x6190000211e0 at pc 0x000000435d2f
				    bp 0x7ffc06c7add0 sp 0x7ffc06c7a578
  READ of size 1025 at 0x6190000211e0 thread T0
    #0 0x435d2e in __interceptor_strlen (/usr/local/bin/osmo-msc+0x435d2e)
    #1 0x7fb95bfa5624 in talloc_strdup (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x6624)
    #2 0x7fb95c1be2bc in vty_hist_add /opt/osmocom/libosmocore/src/vty/vty.c:578
    #3 0x7fb95c1be2bc in vty_execute /opt/osmocom/libosmocore/src/vty/vty.c:703
    #4 0x7fb95c1be2bc in vty_read /opt/osmocom/libosmocore/src/vty/vty.c:1425
    #5 0x7fb95c1bfd78 in client_data /opt/osmocom/libosmocore/src/vty/telnet_interface.c:157
    #6 0x7fb95b90bd33 in osmo_fd_disp_fds /opt/osmocom/libosmocore/src/select.c:223
    #7 0x7fb95b90bd33 in osmo_select_main /opt/osmocom/libosmocore/src/select.c:263
    #8 0x5006cc in main /opt/osmocom/osmo-msc/src/osmo-msc/msc_main.c:723:3
    #9 0x7fb959935f44 in __libc_start_main /build/eglibc-xkFqqE/eglibc-2.19/csu/libc-start.c:287
    #10 0x4226fb in _start (/usr/local/bin/osmo-msc+0x4226fb)

== Why exactly 512?

Because the initial size of the heap buffer is 512 (see VTY_BUFSIZ).
Later on it can be realloc()ated, so X > 512 should also work.

Found using AddressSanitizer and Radamsa [1] fuzzer.

[1] https://gitlab.com/akihe/radamsa

Change-Id: I82f774ad18d0e555eb8f3590a519946d9c583c78
1 file changed
tree: e425fd7e370b68193507aa33be9c13b7c09f2471
  1. contrib/
  2. debian/
  3. doc/
  4. include/
  5. m4/
  6. src/
  7. tests/
  8. utils/
  9. .gitignore
  10. .gitreview
  11. .mailmap
  12. configure.ac
  13. COPYING
  14. Doxyfile.codec.in
  15. Doxyfile.coding.in
  16. Doxyfile.core.in
  17. Doxyfile.ctrl.in
  18. Doxyfile.gb.in
  19. Doxyfile.gsm.in
  20. Doxyfile.vty.in
  21. git-version-gen
  22. libosmocodec.pc.in
  23. libosmocoding.pc.in
  24. libosmocore.pc.in
  25. libosmoctrl.pc.in
  26. libosmogb.pc.in
  27. libosmogsm.pc.in
  28. libosmosim.pc.in
  29. libosmovty.pc.in
  30. Makefile.am
  31. osmo-release.mk
  32. osmo-release.sh
  33. README.md
  34. TODO-RELEASE
README.md

libosmocore - set of Osmocom core libraries

This repository contains a set of C-language libraries that form the core infrastructure of many Osmocom Open Source Mobile Communications projects.

Historically, a lot of this code was developed as part of the OpenBSC project, but which are of a more generic nature and thus useful to (at least) other programs that we develop in the sphere of Free Software / Open Source mobile communications.

There is no clear scope of it. We simply move all shared code between the various Osmocom projects in this library to avoid code duplication.

The libosmcoore.git repository build multiple libraries:

  • libosmocore contains some general-purpose functions like select-loop abstraction, message buffers, timers, linked lists
  • libosmovty contains routines related to the interactive command-line interface called VTY
  • libosmogsm contains definitions and helper code related to GSM protocols
  • libosmoctrl contains a shared implementation of the Osmocom control interface
  • libosmogb contains an implementation of the Gb interface with its NS/BSSGP protocols
  • libosmocodec contains an implementation of GSM voice codecs
  • libosmocoding contains an implementation of GSM channel coding
  • libosmosim contains infrastructure to interface SIM/UICC/USIM cards
  • libosmotrau contains encoding/decoding functions for A-bis TRAU frames

Homepage

The official homepage of the project is https://osmocom.org/projects/libosmocore/wiki/Libosmocore

GIT Repository

You can clone from the official libosmocore.git repository using

git clone git://git.osmocom.org/libosmocore.git

There is a cgit interface at http://git.osmocom.org/libosmocore/

Documentation

Doxygen-generated API documentation is generated during the build process, but also available online for each of the sub-libraries at http://ftp.osmocom.org/api/latest/libosmocore/

Mailing List

Discussions related to libosmocore are happening on the openbsc@lists.osmocom.org mailing list, please see https://lists.osmocom.org/mailman/listinfo/openbsc for subscription options and the list archive.

Please observe the Osmocom Mailing List Rules when posting.

Contributing

Our coding standards are described at https://osmocom.org/projects/cellular-infrastructure/wiki/Coding_standards

We us a gerrit based patch submission/review process for managing contributions. Please see https://osmocom.org/projects/cellular-infrastructure/wiki/Gerrit for more details

The current patch queue for libosmocore can be seen at https://gerrit.osmocom.org/#/q/project:libosmocore+status:open