Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Buffer overflow in action_web_request #135

Closed
ballle98 opened this issue Nov 18, 2020 · 2 comments · May be fixed by #136
Closed

Buffer overflow in action_web_request #135

ballle98 opened this issue Nov 18, 2020 · 2 comments · May be fixed by #136

Comments

@ballle98
Copy link
Contributor

Problem is here, the size of buff is 50 and URI of more than 13 characters will overflow. Need to increase buffer and use snprintf() instead of sprintf().

sprintf(buf, "action_web_request() request '%.*s' took",http_msg->uri.len, http_msg->uri.p);

console output reporting error:

16:34:46.662 Info:    NetService:URI request: '/ '
16:34:46.671 Debug:   NetService:Served WEB request
16:34:46.690 Debug:   NetService:-- Websocket left
16:34:46.707 Info:    NetService:URI request: '/api/dynamicconfig '
16:34:46.709 Debug:   NetService:API: URI Request 'dynamicconfig': value 0.00
=================================================================
�[1m�[31m==23335==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xb47fceb2 at pc 0x00083abc bp 0xb47fcd84 sp 0xb47fc950
�[1m�[0m�[1m�[34mWRITE of size 55 at 0xb47fceb2 thread T1�[1m�[0m
    #0 0x83abb in vsprintf (/home/pi/remote-debugging/aqualinkd+0x83abb)
    #1 0x83bbb in sprintf (/home/pi/remote-debugging/aqualinkd+0x83bbb)
    #2 0x12715b in action_web_request C:\git\AqualinkD/net_services.c:1163
    #3 0x128933 in ev_handler C:\git\AqualinkD/net_services.c:1297
    #4 0x14f18b in mg_call C:\git\AqualinkD/mongoose.c:2258
    #5 0x1719c7 in mg_http_call_endpoint_handler C:\git\AqualinkD/mongoose.c:8463
    #6 0x166927 in mg_http_handler C:\git\AqualinkD/mongoose.c:6374
    #7 0x14f18b in mg_call C:\git\AqualinkD/mongoose.c:2258
    #8 0x153c5b in mg_recv_common C:\git\AqualinkD/mongoose.c:2706
    #9 0x153cab in mg_if_recv_tcp_cb C:\git\AqualinkD/mongoose.c:2710
    #10 0x159a2f in mg_handle_tcp_read C:\git\AqualinkD/mongoose.c:3608
    #11 0x15a647 in mg_mgr_handle_conn C:\git\AqualinkD/mongoose.c:3733
    #12 0x15c3d7 in mg_socket_if_poll C:\git\AqualinkD/mongoose.c:3925
    #13 0x1513bb in mg_mgr_poll C:\git\AqualinkD/mongoose.c:2424
    #14 0x12a247 in net_services_thread C:\git\AqualinkD/net_services.c:1541

�[1m�[32mAddress 0xb47fceb2 is located in stack of thread T1 at offset 146 in frame�[1m�[0m
�[1m�[0m    #0 0x1261c3 in action_web_request C:\git\AqualinkD/net_services.c:1043

  This frame has 3 object(s):
    [32, 36) 'msg'
    [96, 146) 'buf'
    [192, 5312) 'message'�[1m�[32m <== Memory access at offset 146 partially underflows this variable�[1m�[0m
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Thread T1 created by T0 here:
    #0 0x2b54f in __interceptor_pthread_create (/home/pi/remote-debugging/aqualinkd+0x2b54f)
    #1 0x12a43b in start_net_services C:\git\AqualinkD/net_services.c:1566
    #2 0xfd0bf in main_loop C:\git\AqualinkD/aqualinkd.c:1476
    #3 0xfc39b in main C:\git\AqualinkD/aqualinkd.c:1245
    #4 0xb6cef677 in __libc_start_main (/lib/arm-linux-gnueabihf/libc.so.6+0x16677)

SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/pi/remote-debugging/aqualinkd+0x83abb) in vsprintf
Shadow bytes around the buggy address:
  0x368ff980: �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m
  0x368ff990: �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m
  0x368ff9a0: �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m
  0x368ff9b0: �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m
  0x368ff9c0: �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[31mf1�[1m�[0m �[1m�[31mf1�[1m�[0m �[1m�[31mf1�[1m�[0m �[1m�[31mf1�[1m�[0m �[1m�[0m04�[1m�[0m �[1m�[31mf4�[1m�[0m �[1m�[31mf4�[1m�[0m �[1m�[31mf4�[1m�[0m �[1m�[31mf2�[1m�[0m �[1m�[31mf2�[1m�[0m �[1m�[31mf2�[1m�[0m �[1m�[31mf2�[1m�[0m
=>0x368ff9d0: �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m[�[1m�[0m02�[1m�[0m]�[1m�[31mf4�[1m�[0m �[1m�[31mf2�[1m�[0m �[1m�[31mf2�[1m�[0m �[1m�[31mf2�[1m�[0m �[1m�[31mf2�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m
  0x368ff9e0: �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m
  0x368ff9f0: �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m
  0x368ffa00: �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m
  0x368ffa10: �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m
  0x368ffa20: �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m �[1m�[0m00�[1m�[0m
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           �[1m�[0m00�[1m�[0m
  Partially addressable: �[1m�[0m01�[1m�[0m �[1m�[0m02�[1m�[0m �[1m�[0m03�[1m�[0m �[1m�[0m04�[1m�[0m �[1m�[0m05�[1m�[0m �[1m�[0m06�[1m�[0m �[1m�[0m07�[1m�[0m 
  Heap left redzone:       �[1m�[31mfa�[1m�[0m
  Heap right redzone:      �[1m�[31mfb�[1m�[0m
  Freed heap region:       �[1m�[35mfd�[1m�[0m
  Stack left redzone:      �[1m�[31mf1�[1m�[0m
  Stack mid redzone:       �[1m�[31mf2�[1m�[0m
  Stack right redzone:     �[1m�[31mf3�[1m�[0m
  Stack partial redzone:   �[1m�[31mf4�[1m�[0m
  Stack after return:      �[1m�[35mf5�[1m�[0m
  Stack use after scope:   �[1m�[35mf8�[1m�[0m
  Global redzone:          �[1m�[31mf9�[1m�[0m
  Global init order:       �[1m�[36mf6�[1m�[0m
  Poisoned by user:        �[1m�[34mf7�[1m�[0m
  Container overflow:      �[1m�[34mfc�[1m�[0m
  Array cookie:            �[1m�[31mac�[1m�[0m
  Intra object redzone:    �[1m�[33mbb�[1m�[0m
  ASan internal:           �[1m�[33mfe�[1m�[0m
  Left alloca redzone:     �[1m�[34mca�[1m�[0m
  Right alloca redzone:    �[1m�[34mcb�[1m�[0m
==23335==ABORTING
logout
ballle98 added a commit to ballle98/AqualinkD that referenced this issue Nov 18, 2020
@ballle98
sfeakes#135: Buffer overflow in action_web_request
de5c868
This was referenced Nov 18, 2020
Open
Open
ballle98 added a commit to ballle98/AqualinkD that referenced this issue Nov 18, 2020
@ballle98
sfeakes#135: Buffer overflow in action_web_request
010cce3
@doubliez
Copy link

doubliez commented Feb 4, 2023

I encountered the same issue and fixed it by increasing the size of the buffer from 50 to 200 as suggested in #136

ballle98 added a commit to ballle98/AqualinkD that referenced this issue May 27, 2023
@ballle98
sfeakes#135: Buffer overflow in action_web_request
699fd74
ballle98 added a commit to ballle98/AqualinkD that referenced this issue Jun 15, 2023
@ballle98
sfeakes#135: Buffer overflow in action_web_request
8239913
ballle98 added a commit to ballle98/AqualinkD that referenced this issue Jun 15, 2023
@ballle98
sfeakes#135: Buffer overflow in action_web_request
8fba38b
@sfeakes
Copy link
Owner

sfeakes commented Jun 16, 2023
edited
Loading

This part of the code shouldn't even be compiled. Problem was fixed in later releases.

@sfeakes sfeakes closed this as completed Jun 16, 2023
ballle98 added a commit to ballle98/AqualinkD that referenced this issue Jun 23, 2023
@ballle98
sfeakes#135: Buffer overflow in action_web_request
1e47350
ballle98 added a commit to ballle98/AqualinkD that referenced this issue Jun 29, 2023
@ballle98
sfeakes#135: Buffer overflow in action_web_request
7e8c1ba
ballle98 added a commit to ballle98/AqualinkD that referenced this issue Jul 11, 2023
@ballle98
sfeakes#135: Buffer overflow in action_web_request
d6fa4b4
ballle98 added a commit to ballle98/AqualinkD that referenced this issue Aug 7, 2023
@ballle98
sfeakes#135: Buffer overflow in action_web_request
efd2aa1
ballle98 added a commit to ballle98/AqualinkD that referenced this issue May 2, 2024
@ballle98
sfeakes#135: Buffer overflow in action_web_request
c024b8f
ballle98 added a commit to ballle98/AqualinkD that referenced this issue May 20, 2024
@ballle98
sfeakes#135: Buffer overflow in action_web_request
f4ca2a5
ballle98 added a commit to ballle98/AqualinkD that referenced this issue Jun 11, 2024
@ballle98
sfeakes#135: Buffer overflow in action_web_request
f59b3c8
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

sfeakes/AqualinkD#135: Buffer overflow in action_web_request ballle98/AqualinkD
3 participants
@ballle98 @doubliez @sfeakes