Bug #4644 (closed)

heap-buffer-overflow on OM2k bring-up with DAHDI

Added by laforge almost 4 years ago. Updated almost 4 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Ericsson BTS
Target version: -
Start date: 07/03/2020
Due date:
% Done: 90%
Spec Reference:

Description

When trying to bring up an RBS2308 with AddressSanitizer on current osmo-bsc 1.6.0.166-b8425 + libosmo-abis 0.8.0.34.3616, I get the following:

<0004> bts_ericsson_rbs2000.c:125 inp_sig_cb(): Input signal 'LINE-INIT' received
<0014> input/lapd.c:248 (0:1-T62-S62): LAPD Allocating SAP for SAPI=62 / TEI=62 (dl=0x615000001780, sap=0x615000001760)
<0014> input/lapd.c:258 (0:1-T62-S62): k=1 N200=50 N201=260 T200=0.300000 T203=10.0
<0014> input/lapd.c:521 (0:1-T62-S62): LAPD DL-ESTABLISH request TEI=62 SAPI=62
=================================================================
==20115==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000004de0 at pc 0x7f237ad181e5 bp 0x7ffdd5e42f80 sp 0x7ffdd5e42730
READ of size 5 at 0x612000004de0 thread T0
    #0 0x7f237ad181e4  (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x951e4)
    #1 0x7f237ab6da5d in dahdi_write_msg input/dahdi.c:227
    #2 0x7f237ab68a6e in send_ph_data_req input/lapd.c:634
    #3 0x7f237abf1c8e in lapd_est_req src/gsm/lapd_core.c:1727
    #4 0x7f237ab697dd in lapd_sap_start input/lapd.c:529
    #5 0x5634391cc644 in start_sabm_in_line /root/git/osmo-bsc/src/osmo-bsc/bts_ericsson_rbs2000.c:87
    #6 0x5634391cd46e in inp_sig_cb /root/git/osmo-bsc/src/osmo-bsc/bts_ericsson_rbs2000.c:159
    #7 0x5634391cd46e in inp_sig_cb /root/git/osmo-bsc/src/osmo-bsc/bts_ericsson_rbs2000.c:115
    #8 0x7f237aba00bb in osmo_signal_dispatch src/signal.c:118
    #9 0x7f237ab61118 in e1inp_line_update src/e1_input.c:878
    #10 0x5634391f62c4 in e1_reconfig_bts /root/git/osmo-bsc/src/osmo-bsc/e1_config.c:205
    #11 0x5634390582ea in bsc_network_configure /root/git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:538
    #12 0x5634390582ea in main /root/git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:868
    #13 0x7f2379e2309a in __libc_start_main ../csu/libc-start.c:308
    #14 0x56343905a2f9 in _start (/root/git/osmo-bsc/src/osmo-bsc/osmo-bsc+0x5322f9)

0x612000004de0 is located 0 bytes to the right of 288-byte region [0x612000004cc0,0x612000004de0)
allocated by thread T0 here:
    #0 0x7f237ad6c330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7f237ac4fe80 in talloc_named_const (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x8e80)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x951e4) 
Shadow bytes around the buggy address:
  0x0c247fff8960: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff8970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff8980: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c247fff8990: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff89a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff89b0: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
  0x0c247fff89c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff89d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff89e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa
  0x0c247fff89f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20115==ABORTING
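Decoding the shadow dump above by hand, as an added example that is not part of this bug report or of the osmo-bsc/libosmo-abis code. It assumes the default x86_64 ASan shadow mapping, shadow = (addr >> 3) + 0x7fff8000, which is what yields the 0x0c247fff89xx shadow addresses in the report; the three shadow rows around the buggy address are copied from the dump, and all function and variable names below are mine.

```c
/*
 * Added example, not part of the bug report or of osmo-bsc/libosmo-abis:
 * decode the AddressSanitizer shadow dump quoted in the report.
 *
 * Assumption: the default x86_64 ASan mapping, shadow = (addr >> 3) + 0x7fff8000.
 * The three shadow rows around the buggy address are copied from the report;
 * all function and variable names are mine.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ASAN_SHADOW_SCALE   3
#define ASAN_SHADOW_OFFSET  0x7fff8000ULL

/* Two of the shadow byte values from the legend in the report. */
#define SHADOW_ADDRESSABLE  0x00
#define SHADOW_HEAP_REDZONE 0xfa

/* Shadow address covering an application address. */
uint64_t asan_shadow_addr(uint64_t app_addr)
{
	return (app_addr >> ASAN_SHADOW_SCALE) + ASAN_SHADOW_OFFSET;
}

/* One 16-byte row of the "Shadow bytes around the buggy address" dump. */
struct shadow_row {
	uint64_t base;      /* shadow address of bytes[0] */
	uint8_t bytes[16];
};

/* Rows 0x0c247fff8990 .. 0x0c247fff89b0, copied from the report. */
static const struct shadow_row rows[] = {
	{ 0x0c247fff8990ULL, { 0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,0xfa, 0,0,0,0,0,0,0,0 } },
	{ 0x0c247fff89a0ULL, { 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 } },
	{ 0x0c247fff89b0ULL, { 0,0,0,0,0,0,0,0, 0,0,0,0,0xfa,0xfa,0xfa,0xfa } },
};

/* Shadow byte for app_addr, or -1 if it lies outside the quoted rows. */
int shadow_byte_for(uint64_t app_addr)
{
	uint64_t s = asan_shadow_addr(app_addr);
	for (size_t i = 0; i < sizeof(rows) / sizeof(rows[0]); i++)
		if (s >= rows[i].base && s < rows[i].base + sizeof(rows[i].bytes))
			return rows[i].bytes[s - rows[i].base];
	return -1;
}

/*
 * Would ASan allow an access of len bytes at addr?  Each shadow byte covers
 * an 8-byte granule: 0x00 means all 8 bytes are addressable, 1..7 means only
 * the first k bytes are ("partially addressable" in the legend), anything
 * else (0xfa etc.) is poisoned.
 */
bool access_is_addressable(uint64_t addr, size_t len)
{
	for (size_t i = 0; i < len; i++) {
		uint64_t a = addr + i;
		int sb = shadow_byte_for(a);
		if (sb == SHADOW_ADDRESSABLE)
			continue;
		if (sb >= 1 && sb <= 7 && (a & 7) < (uint64_t)sb)
			continue;
		return false;   /* poisoned, or outside the rows we have */
	}
	return true;
}

/* Number of fully addressable 8-byte granules in [start, end). */
size_t addressable_granules(uint64_t start, uint64_t end)
{
	size_t n = 0;
	for (uint64_t a = start; a < end; a += 8)
		if (shadow_byte_for(a) == SHADOW_ADDRESSABLE)
			n++;
	return n;
}

int main(void)
{
	/* Values taken from the report: 288-byte talloc region, READ of size 5. */
	const uint64_t region_start = 0x612000004cc0ULL;
	const uint64_t region_end   = 0x612000004de0ULL;   /* exclusive */
	const uint64_t bad_addr     = 0x612000004de0ULL;
	const size_t   bad_len      = 5;

	printf("shadow(0x%" PRIx64 ") = 0x%" PRIx64 " -> 0x%02x\n",
	       bad_addr, asan_shadow_addr(bad_addr), shadow_byte_for(bad_addr));
	printf("addressable granules in region: %zu (%zu bytes)\n",
	       addressable_granules(region_start, region_end),
	       addressable_granules(region_start, region_end) * 8);
	printf("read of %zu at 0x%" PRIx64 " allowed: %s\n", bad_len, bad_addr,
	       access_is_addressable(bad_addr, bad_len) ? "yes" : "no");
	printf("read of %zu at 0x%" PRIx64 " allowed: %s\n", bad_len, bad_addr - bad_len,
	       access_is_addressable(bad_addr - bad_len, bad_len) ? "yes" : "no");
	return 0;
}
```

The computed shadow address of 0x612000004de0 is 0x0c247fff89bc, which is the bracketed [fa] byte in the dump, and the 36 zero shadow bytes immediately before it cover exactly the 288-byte talloc region (36 * 8 = 288). So the 5-byte read in dahdi_write_msg (input/dahdi.c:227) starts on the first byte past the allocation rather than straddling its end, consistent with ASan's "0 bytes to the right" wording; the same 5-byte read shifted back by 5 bytes would have been silently in bounds.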