Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix buffer overrun found with address sanitizers #39

Merged
merged 2 commits into from Aug 30, 2022
Merged

Fix buffer overrun found with address sanitizers #39

merged 2 commits into from Aug 30, 2022

Conversation

ghost
Copy link

@ghost ghost commented Aug 30, 2022

See commit messages for more info. And thank you for this project!

@ghost ghost mentioned this pull request Aug 30, 2022
Closed
@ghost
Copy link
Author

ghost commented Aug 30, 2022
edited by ghost
Loading

Here's another (IMO cleaner) way to fix the problem:

diff --git a/cobs.c b/cobs.c
index c080867..1e0e324 100644
--- a/cobs.c
+++ b/cobs.c
@@ -36,10 +36,9 @@ cobs_ret_t cobs_decode_inplace(void *buf, unsigned const len) {
 
   cobs_byte_t *const src = (cobs_byte_t *)buf;
   unsigned ofs, cur = 0;
-  while ((ofs = src[cur]) != COBS_FRAME_DELIMITER) {
+  while (cur < len && ((ofs = src[cur]) != COBS_FRAME_DELIMITER)) {
     src[cur] = 0;
     cur += ofs;
-    if (cur >= len) { return COBS_RET_ERR_BAD_PAYLOAD; }
   }
 
   if (cur != len - 1) { return COBS_RET_ERR_BAD_PAYLOAD; }

any preference?

charlesnicholson
charlesnicholson reviewed Aug 30, 2022
View reviewed changes
cobs.c Outdated
@@ -39,7 +39,7 @@ cobs_ret_t cobs_decode_inplace(void *buf, unsigned const len) {
while ((ofs = src[cur]) != COBS_FRAME_DELIMITER) {
src[cur] = 0;
cur += ofs;
if (cur > len) { return COBS_RET_ERR_BAD_PAYLOAD; }
if (cur >= len) { return COBS_RET_ERR_BAD_PAYLOAD; }
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How embarrassing :-D

@charlesnicholson
Copy link
Owner

Thanks a ton for the PR; this is what happens when I don't UBSAN / ASAN from day 1, sigh :)

I agree, I like your "cleaner" version more as well, though I'd happily merge either, lemme know. Do you happen to have a test case? It'd be nice to harness this w/a unit test as well as the sanitizer.

Also if you want to add a CONTRIBUTORS.md file to the root and throw your name at the top, feel free! (You could copy https://github.com/charlesnicholson/nanoprintf/blob/main/CONTRIBUTORS.md as a template if you want).

Michael Reed added 2 commits August 30, 2022 13:26
Build cobs.c with address & undefined behavior sanitizers
0b2041c 
We don't build doctest.h with the sanitizers since doctest itself
triggers the address sanitizer.
Fix buffer overrun in cobs_decode_inplace
c403363 
If the payload passed to cobs_decode_inplace is not 0-terminated
then cobs_decode_inplace may access out-of-bounds memory in its
main loop due to checking the wrong boundary condition. This
commit fixes the problem.

Discovered using the recently added address sanitizers.
@ghost
Copy link
Author

ghost commented Aug 30, 2022

I agree, I like your "cleaner" version more as well, though I'd happily merge either, lemme know.

Sounds good, just amended the commit with the "cleaner" version.

Do you happen to have a test case? It'd be nice to harness this w/a unit test as well as the sanitizer.

Ah, I forgot to mention that this already has a test case, which failed when I turned sanitizers on (but before I fixed the bug in cobs_decode_inplace): https://github.com/charlesnicholson/nanocobs/blob/main/tests/test_cobs_decode_inplace.cc#L31-L32

Also if you want to add a CONTRIBUTORS.md file to the root and throw your name at the top, feel free! (You could copy https://github.com/charlesnicholson/nanoprintf/blob/main/CONTRIBUTORS.md as a template if you want).

Done!

@charlesnicholson
Copy link
Owner

Thanks for this! I'll fix the issue you filed and then cut a new release, unless turning on the sanitizers reveals any other horrors :)

@charlesnicholson charlesnicholson merged commit a5d22b1 into charlesnicholson:main Aug 30, 2022
@ghost ghost deleted the fsanitize branch August 31, 2022 02:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@charlesnicholson