commit | 757dea8d4abf611f40f39a128a970f8a6cb3c547 | [log] [tgz] |
---|---|---|
author | Vadim Yanitskiy <axilirator@gmail.com> | Sat Jul 27 23:57:12 2019 +0700 |
committer | Vadim Yanitskiy <axilirator@gmail.com> | Tue Jul 30 17:17:15 2019 +0000 |
tree | e425fd7e370b68193507aa33be9c13b7c09f2471 | |
parent | 74b6ff074b421c52e11fad0733ca9490eddc42dd [diff] |
vty/vty.c: fix vty_read(): prevent further heap-buffer overrun After reading data from the socket, assigned to a given VTY, we need to '\0'-terminate the received string. Otherwise, further access to that string, stored in a heap buffer vty->buf, would lead to a heap overrun. == How to reproduce? $ python -c "print 'A' * 512" | telnet $HOST $PORT ==21264==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190000211e0 at pc 0x000000435d2f bp 0x7ffc06c7add0 sp 0x7ffc06c7a578 READ of size 1025 at 0x6190000211e0 thread T0 #0 0x435d2e in __interceptor_strlen (/usr/local/bin/osmo-msc+0x435d2e) #1 0x7fb95bfa5624 in talloc_strdup (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x6624) #2 0x7fb95c1be2bc in vty_hist_add /opt/osmocom/libosmocore/src/vty/vty.c:578 #3 0x7fb95c1be2bc in vty_execute /opt/osmocom/libosmocore/src/vty/vty.c:703 #4 0x7fb95c1be2bc in vty_read /opt/osmocom/libosmocore/src/vty/vty.c:1425 #5 0x7fb95c1bfd78 in client_data /opt/osmocom/libosmocore/src/vty/telnet_interface.c:157 #6 0x7fb95b90bd33 in osmo_fd_disp_fds /opt/osmocom/libosmocore/src/select.c:223 #7 0x7fb95b90bd33 in osmo_select_main /opt/osmocom/libosmocore/src/select.c:263 #8 0x5006cc in main /opt/osmocom/osmo-msc/src/osmo-msc/msc_main.c:723:3 #9 0x7fb959935f44 in __libc_start_main /build/eglibc-xkFqqE/eglibc-2.19/csu/libc-start.c:287 #10 0x4226fb in _start (/usr/local/bin/osmo-msc+0x4226fb) == Why exactly 512? Because the initial size of the heap buffer is 512 (see VTY_BUFSIZ). Later on it can be realloc()ated, so X > 512 should also work. Found using AddressSanitizer and Radamsa [1] fuzzer. [1] https://gitlab.com/akihe/radamsa Change-Id: I82f774ad18d0e555eb8f3590a519946d9c583c78
This repository contains a set of C-language libraries that form the core infrastructure of many Osmocom Open Source Mobile Communications projects.
Historically, a lot of this code was developed as part of the OpenBSC project, but which are of a more generic nature and thus useful to (at least) other programs that we develop in the sphere of Free Software / Open Source mobile communications.
There is no clear scope of it. We simply move all shared code between the various Osmocom projects in this library to avoid code duplication.
The libosmcoore.git repository build multiple libraries:
The official homepage of the project is https://osmocom.org/projects/libosmocore/wiki/Libosmocore
You can clone from the official libosmocore.git repository using
git clone git://git.osmocom.org/libosmocore.git
There is a cgit interface at http://git.osmocom.org/libosmocore/
Doxygen-generated API documentation is generated during the build process, but also available online for each of the sub-libraries at http://ftp.osmocom.org/api/latest/libosmocore/
Discussions related to libosmocore are happening on the openbsc@lists.osmocom.org mailing list, please see https://lists.osmocom.org/mailman/listinfo/openbsc for subscription options and the list archive.
Please observe the Osmocom Mailing List Rules when posting.
Our coding standards are described at https://osmocom.org/projects/cellular-infrastructure/wiki/Coding_standards
We us a gerrit based patch submission/review process for managing contributions. Please see https://osmocom.org/projects/cellular-infrastructure/wiki/Gerrit for more details
The current patch queue for libosmocore can be seen at https://gerrit.osmocom.org/#/q/project:libosmocore+status:open