version: 5.6.6
make whois CC=clang CFLAGS='-g -O0 -fsanitize=address'
./whois 2001:0:0:0:0:0:b0000000:b0000000
=================================================================
==405==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000000140 at pc 0xaaaad713ddf8 bp 0xffffc6e79490 sp 0xffffc6e78bf0
WRITE of size 26 at 0x502000000140 thread T0
#0 0xaaaad713ddf4 in vsprintf (/root/tmp/whois-5.6.6/whois+0x8ddf4) (BuildId: 048182cc63bccdd6dc2104f1b7d5849c31eafe78)
#1 0xaaaad713f124 in sprintf (/root/tmp/whois-5.6.6/whois+0x8f124) (BuildId: 048182cc63bccdd6dc2104f1b7d5849c31eafe78)
#2 0xaaaad71ffb58 in convert_teredo /root/tmp/whois-5.6.6/whois.c:1439:5
#3 0xaaaad71fe444 in handle_query /root/tmp/whois-5.6.6/whois.c:385:10
#4 0xaaaad71fc590 in main /root/tmp/whois-5.6.6/whois.c:315:11
#5 0xffffb0b52258 (/lib/aarch64-linux-gnu/libc.so.6+0x22258) (BuildId: 45918bc10b33fd96afc550c98de062dccdf44328)
#6 0xffffb0b52338 in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x22338) (BuildId: 45918bc10b33fd96afc550c98de062dccdf44328)
#7 0xaaaad71184ec in _start (/root/tmp/whois-5.6.6/whois+0x684ec) (BuildId: 048182cc63bccdd6dc2104f1b7d5849c31eafe78)
0x502000000140 is located 0 bytes after 16-byte region [0x502000000130,0x502000000140)
allocated by thread T0 here:
#0 0xaaaad71bafc4 in malloc (/root/tmp/whois-5.6.6/whois+0x10afc4) (BuildId: 048182cc63bccdd6dc2104f1b7d5849c31eafe78)
#1 0xaaaad71ffb14 in convert_teredo /root/tmp/whois-5.6.6/whois.c:1438:11
#2 0xaaaad71fe444 in handle_query /root/tmp/whois-5.6.6/whois.c:385:10
#3 0xaaaad71fc590 in main /root/tmp/whois-5.6.6/whois.c:315:11
#4 0xffffb0b52258 (/lib/aarch64-linux-gnu/libc.so.6+0x22258) (BuildId: 45918bc10b33fd96afc550c98de062dccdf44328)
#5 0xffffb0b52338 in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x22338) (BuildId: 45918bc10b33fd96afc550c98de062dccdf44328)
#6 0xaaaad71184ec in _start (/root/tmp/whois-5.6.6/whois+0x684ec) (BuildId: 048182cc63bccdd6dc2104f1b7d5849c31eafe78)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/tmp/whois-5.6.6/whois+0x8ddf4) (BuildId: 048182cc63bccdd6dc2104f1b7d5849c31eafe78) in vsprintf
Shadow bytes around the buggy address:
0x501ffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x501fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x501fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x502000000000: fa fa 06 fa fa fa fd fd fa fa fd fd fa fa fd fd
0x502000000080: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 02 fa
=>0x502000000100: fa fa 02 fa fa fa 00 00[fa]fa fa fa fa fa fa fa
0x502000000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000000200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000000280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000000300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000000380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
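convert_teredo accepts a and b larger than 16 bits: the `%x` conversions in the sscanf call do not limit the last two groups to four hex digits, so after the XOR `a >> 8` and `b >> 8` can exceed 255. The string written by sprintf can then be longer than the 16 bytes allocated with malloc(sizeof("255.255.255.255")); ASan reports a 26-byte write into that 16-byte region above. Rejecting groups wider than 16 bits before formatting, e.g. `if (a > 0xffff || b > 0xffff) return strdup("0.0.0.0");`, and writing with snprintf bounded by the allocation size would keep the output within the buffer. The malloc result is also not checked in the excerpt below.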
if (sscanf(s, "2001:%*[^:]:%*[^:]:%*[^:]:%*[^:]:%*[^:]:%x:%x", &a, &b) != 2) |
return strdup("0.0.0.0"); |
a ^= 0xffff; |
b ^= 0xffff; |
new = malloc(sizeof("255.255.255.255")); |
sprintf(new, "%u.%u.%u.%u", a >> 8, a & 0xff, b >> 8, b & 0xff); |
version: 5.6.6
./whois 2001:0:0:0:0:0:b0000000:b0000000
convert_teredo accepts a and b larger than 16 bits
whois/whois.c
Lines 1433 to 1439 in 1024386