AddressSanitizer: heap-buffer-overflow in option_test #2

Closed
@ClausKlein

Description

While working on PR #1 I found this:

```text
bash-3.2$ make
cmake --build /Users/clausklein/Workspace/cpp/.build-netkit-tftp-Debug
ninja: no work to do.
bash-3.2$ cd ../.build-netkit-tftp-Debug/
bash-3.2$ bin/option_test 
option_test(12295,0x7ff8517d48c0) malloc: nano zone abandoned due to inability to preallocate reserved vm space.
/tmp/tftpboot/testfile.dat segsize:1047 tsize:12345678910 timeout: 33
/tmp/tftpboot/testfile.dat segsize:32768 tsize:0 timeout: 2000
/tmp/tftpboot/testfile.dat segsize:1024 tsize:0 timeout: 10
/tmp/tftpboot/minimal.dat segsize:65464 tsize:0 timeout: 1000
=================================================================
==12295==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000001fa1 at pc 0x00010cdbb81b bp 0x7ff7b3276750 sp 0x7ff7b3276748
READ of size 1 at 0x603000001fa1 thread T0
    #0 0x10cdbb81a in tftpd::tftp(std::__1::vector<char, std::__1::allocator<char> > const&, __sFILE*&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&, std::__1::vector<char, std::__1::allocator<char> >&) tftpd_utils.cpp:136
    #1 0x10cc92dc0 in main option_test.cpp:112
    #2 0x7ff80db7130f  (<unknown module>)

0x603000001fa1 is located 0 bytes to the right of 17-byte region [0x603000001f90,0x603000001fa1)
allocated by thread T0 here:
    #0 0x10d60e20d in wrap__Znwm+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5c20d)
    #1 0x10ccab99e in void* std::__1::__libcpp_operator_new<unsigned long>(unsigned long) new:235
    #2 0x10ccab738 in std::__1::__libcpp_allocate(unsigned long, unsigned long) new:261
    #3 0x10ccab5d5 in std::__1::allocator<char>::allocate(unsigned long) allocator.h:108
    #4 0x10ccaaf06 in std::__1::allocator_traits<std::__1::allocator<char> >::allocate(std::__1::allocator<char>&, unsigned long) allocator_traits.h:262
    #5 0x10ccad6f8 in std::__1::vector<char, std::__1::allocator<char> >::__vallocate(unsigned long) vector:1015
    #6 0x10ccad4a2 in std::__1::vector<char, std::__1::allocator<char> >::vector<char const*>(char const*, std::__1::enable_if<(__is_cpp17_forward_iterator<char const*>::value) && (is_constructible<char, std::__1::iterator_traits<char const*>::reference>::value), char const*>::type) vector:1245
    #7 0x10cc937fc in std::__1::vector<char, std::__1::allocator<char> >::vector<char const*>(char const*, std::__1::enable_if<(__is_cpp17_forward_iterator<char const*>::value) && (is_constructible<char, std::__1::iterator_traits<char const*>::reference>::value), char const*>::type) vector:1238
    #8 0x10cc92d9a in main option_test.cpp:112
    #9 0x7ff80db7130f  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow tftpd_utils.cpp:136 in tftpd::tftp(std::__1::vector<char, std::__1::allocator<char> > const&, __sFILE*&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&, std::__1::vector<char, std::__1::allocator<char> >&)
Shadow bytes around the buggy address:
  0x1c06000003a0: fd fd fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x1c06000003b0: 00 00 00 00 fa fa fd fd fd fd fa fa 00 00 00 02
  0x1c06000003c0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x1c06000003d0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x1c06000003e0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fa
=>0x1c06000003f0: fa fa 00 00[01]fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600000400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600000410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600000420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600000430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600000440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12295==ABORTING
Abort trap: 6
bash-3.2$ 
```
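The report above says everything needed to classify the defect: a 1-byte READ exactly 0 bytes past the end of a 17-byte `std::vector<char>` that `option_test.cpp:112` built from a `char const*` iterator range. A vector constructed that way holds only the bytes in the range, so if the range stopped at the string's `'\0'`, the terminator is not in the buffer, and any scan in `tftpd::tftp` that walks forward until it finds a NUL (the way TFTP `name\0value\0` option fields are usually parsed) steps one byte into the redzone. The following is an added example, not code from netkit-tftp or from the issue author; the cause is inferred from the report and labelled as an assumption in the comments. It shows a bounds-checked parser for RFC 2347 style option pairs that refuses an unterminated field instead of reading past `size()`, and a constructor helper that makes the "with / without terminator" difference explicit. The sample packet (option names `blksize`, `tsize`, `timeout`) is constructed here.

```cpp
#include <cstddef>
#include <cstdio>
#include <optional>
#include <string>
#include <string_view>
#include <vector>

// One parsed "name\0value\0" option pair (RFC 2347 style).
struct TftpOption {
    std::string name;
    std::string value;
};

// Locate the NUL that ends the field starting at `pos`, looking only inside
// [pos, buf.size()). Returns nullopt when the field is not terminated within
// the buffer. An unbounded strlen-style scan at this point is, by assumption,
// the kind of walk that produced the 0-bytes-past-a-17-byte-region read in
// the ASan report: the terminator the scan expects is simply not stored.
static std::optional<std::size_t> fieldEnd(const std::vector<char>& buf, std::size_t pos) {
    for (std::size_t i = pos; i < buf.size(); ++i) {
        if (buf[i] == '\0') return i;
    }
    return std::nullopt;
}

// Parse all option pairs. Every byte access is bounded by buf.size(); any
// truncated or unterminated field yields nullopt rather than an out-of-bounds
// read. An empty buffer is valid (no options).
std::optional<std::vector<TftpOption>> parseOptions(const std::vector<char>& buf) {
    std::vector<TftpOption> out;
    std::size_t pos = 0;
    while (pos < buf.size()) {
        auto nameEnd = fieldEnd(buf, pos);
        if (!nameEnd) return std::nullopt;          // name runs off the end
        auto valueEnd = fieldEnd(buf, *nameEnd + 1);
        if (!valueEnd) return std::nullopt;         // value missing or unterminated
        out.push_back({std::string(buf.data() + pos, *nameEnd - pos),
                       std::string(buf.data() + *nameEnd + 1, *valueEnd - *nameEnd - 1)});
        pos = *valueEnd + 1;
    }
    return out;
}

// Build a vector<char> from text. With keepTerminator=false this is the same
// shape as a vector constructed from a (begin, end) char const* range that
// stops at the string's NUL: no terminator is stored. With true, one is.
std::vector<char> packetFrom(std::string_view s, bool keepTerminator) {
    std::vector<char> v(s.begin(), s.end());
    if (keepTerminator) v.push_back('\0');
    return v;
}

// Constructed sample: three option pairs as a TFTP client would send them.
// sizeof() - 1 drops the literal's own trailing NUL, so the last value "10"
// is unterminated unless packetFrom() re-adds the terminator (31 bytes vs 32).
static const char kSampleChars[] = "blksize\0001024\0tsize\0000\0timeout\00010";
constexpr std::string_view kSample(kSampleChars, sizeof(kSampleChars) - 1);

int main() {
    if (auto parsed = parseOptions(packetFrom(kSample, true))) {
        for (const auto& o : *parsed) std::printf("%s=%s\n", o.name.c_str(), o.value.c_str());
    }
    std::printf("unterminated copy accepted: %s\n",
                parseOptions(packetFrom(kSample, false)) ? "yes" : "no (rejected)");
    return 0;
}
```

The useful habit this encodes is that a `std::vector<char>` carries its own length and nothing else: code that receives one must treat `size()` as the only bound and never assume a sentinel byte follows the last element, whether the vector came from a socket read or from a `char const*` range in a unit test.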

Labels: bug