Skip to content

[BUG] Stack-buffer overflow conf.c #474

New issue
New issue
Closed
Closed
[BUG] Stack-buffer overflow conf.c#474
@anon767

Description

@anon767
anon767
opened on Jan 16, 2023

Tinyproxy version

Git Master

Issue

I found a stack overflow using a static analyzer and verified it using a Fuzzer with ASAN.

The buffer q in conf.c line 420 may overflow in line 430.
To reproduce use following input:

p'

Full ASAN output:

READ of size 1 at 0x7ffe2c49c560 thread T0
    #0 0x4e25d6 in config_parse /home/tom/Projects/tinyproxy/src/conf.c:430:24
    #1 0x4e1ee8 in load_config_file /home/tom/Projects/tinyproxy/src/conf.c:459:13
    #2 0x4e1615 in reload_config_file /home/tom/Projects/tinyproxy/src/conf.c:499:15
    #3 0x511f46 in reload_config /home/tom/Projects/tinyproxy/src/main.c:264:15
    #4 0x512419 in main /home/tom/Projects/tinyproxy/src/main.c:335:13
    #5 0x7f71e1629209  (/lib/x86_64-linux-gnu/libc.so.6+0x29209)
    #6 0x7f71e16292bb in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x292bb)
    #7 0x41f530 in _start (/usr/local/bin/tinyproxy+0x41f530)

Address 0x7ffe2c49c560 is located in stack of thread T0 at offset 2080 in frame
    #0 0x4e1f8f in config_parse /home/tom/Projects/tinyproxy/src/conf.c:419

  This frame has 1 object(s):
    [32, 2080) 'buffer' (line 420) <== Memory access at offset 2080 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/tom/Projects/tinyproxy/src/conf.c:430:24 in config_parse
Shadow bytes around the buggy address:
  0x10004588b850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004588b860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004588b870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004588b880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004588b890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004588b8a0: 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3
  0x10004588b8b0: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
  0x10004588b8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004588b8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004588b8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004588b8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==582418==ABORTING

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions