
Buffer overflow in convert_teredo #202

@oscarliu2020

Description


version: 5.6.6

make whois CC=clang CFLAGS='-g -O0 -fsanitize=address'

./whois 2001:0:0:0:0:0:b0000000:b0000000

=================================================================
==405==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000000140 at pc 0xaaaad713ddf8 bp 0xffffc6e79490 sp 0xffffc6e78bf0
WRITE of size 26 at 0x502000000140 thread T0
    #0 0xaaaad713ddf4 in vsprintf (/root/tmp/whois-5.6.6/whois+0x8ddf4) (BuildId: 048182cc63bccdd6dc2104f1b7d5849c31eafe78)
    #1 0xaaaad713f124 in sprintf (/root/tmp/whois-5.6.6/whois+0x8f124) (BuildId: 048182cc63bccdd6dc2104f1b7d5849c31eafe78)
    #2 0xaaaad71ffb58 in convert_teredo /root/tmp/whois-5.6.6/whois.c:1439:5
    #3 0xaaaad71fe444 in handle_query /root/tmp/whois-5.6.6/whois.c:385:10
    #4 0xaaaad71fc590 in main /root/tmp/whois-5.6.6/whois.c:315:11
    #5 0xffffb0b52258  (/lib/aarch64-linux-gnu/libc.so.6+0x22258) (BuildId: 45918bc10b33fd96afc550c98de062dccdf44328)
    #6 0xffffb0b52338 in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x22338) (BuildId: 45918bc10b33fd96afc550c98de062dccdf44328)
    #7 0xaaaad71184ec in _start (/root/tmp/whois-5.6.6/whois+0x684ec) (BuildId: 048182cc63bccdd6dc2104f1b7d5849c31eafe78)

0x502000000140 is located 0 bytes after 16-byte region [0x502000000130,0x502000000140)
allocated by thread T0 here:
    #0 0xaaaad71bafc4 in malloc (/root/tmp/whois-5.6.6/whois+0x10afc4) (BuildId: 048182cc63bccdd6dc2104f1b7d5849c31eafe78)
    #1 0xaaaad71ffb14 in convert_teredo /root/tmp/whois-5.6.6/whois.c:1438:11
    #2 0xaaaad71fe444 in handle_query /root/tmp/whois-5.6.6/whois.c:385:10
    #3 0xaaaad71fc590 in main /root/tmp/whois-5.6.6/whois.c:315:11
    #4 0xffffb0b52258  (/lib/aarch64-linux-gnu/libc.so.6+0x22258) (BuildId: 45918bc10b33fd96afc550c98de062dccdf44328)
    #5 0xffffb0b52338 in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x22338) (BuildId: 45918bc10b33fd96afc550c98de062dccdf44328)
    #6 0xaaaad71184ec in _start (/root/tmp/whois-5.6.6/whois+0x684ec) (BuildId: 048182cc63bccdd6dc2104f1b7d5849c31eafe78)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/tmp/whois-5.6.6/whois+0x8ddf4) (BuildId: 048182cc63bccdd6dc2104f1b7d5849c31eafe78) in vsprintf

convert_teredo accepts a and b larger than 16 bits

whois/whois.c

Lines 1433 to 1439 in 1024386

```c
	if (sscanf(s, "2001:%*[^:]:%*[^:]:%*[^:]:%*[^:]:%*[^:]:%x:%x", &a, &b) != 2)
		return strdup("0.0.0.0");
	a ^= 0xffff;
	b ^= 0xffff;
	new = malloc(sizeof("255.255.255.255"));
	sprintf(new, "%u.%u.%u.%u", a >> 8, a & 0xff, b >> 8, b & 0xff);
```
