SEGV in coap_handle_request_put_block function at src/coap_block.c #1509
Comments
Thanks for your work in checking this out. It appears that the version of code you are using for doing the fuzzing is commit aac5de9, not commit c2b34da as indicated by the libcoap configuration summary. There are the following updates after the version you are using
#1483 (4851806 scan-build: CI Fail if scan-build warnings) has a fix to
It may be that you need to run the server application using
Thanks for the fix, I fuzzed the latest version for 20h and this bug no longer exists.
That is great - thanks for the feedback and doing the testing. I will close this off now.
Environment
libcoap Configuration Summary
libcoap package version : "4.3.5rc3"
libcoap package source : "v4.3.5-rc3-8-gc2b34daa"
libcoap API version : "3"
libcoap ABI version : "3.1.2"
libcoap libtool SO version : "4.2.1"
libcoap DTLS lib extn : "-gnutls"
host system : "x86_64-pc-linux-gnu"
build with server support : "yes"
build with client support : "yes"
build with proxy support : "yes"
build with IPv4 support : "yes"
build with IPv6 support : "yes"
build with Unix socket support : "yes"
build with TCP support : "yes"
build DTLS support : "yes"
--> GnuTLS around : "yes" (found GnuTLS 3.6.13)
GnuTLS_CFLAGS : "-I/usr/include/p11-kit-1"
GnuTLS_LIBS : "-lgnutls"
add default names : "yes"
build Observe Persist : "yes"
build using epoll : "yes"
enable small stack size : "no"
enable separate responses : "yes"
enable OSCORE support : "yes"
enable Q-Block support : "yes"
enable max logging level : "none"
enable thread safe code : "yes"
enable recursive lock check : "yes"
build doxygen pages : "no"
build man pages : "no"
build unit test binary : "no"
build examples : "yes"
install examples source : "yes"
build with gcov support : "no"
build shared library : "yes"
build static library : "yes"
Problem Description
I triggered a SEGV bug reported by AddressSanitizer when fuzzing libcoap for more than 13 hours. The bug occurs due to a segmentation fault when the function coap_handle_request_put_block in coap_block.c attempts to access a memory address that is close to null, indicating a likely null pointer dereference or an attempt to read memory from an uninitialized or invalid pointer during the handling of a PUT request with block-wise transfer.
Expected Behavior
The expected behavior is that the coap_handle_request_put_block function should correctly handle the PUT request with block-wise transfer in the CoAP protocol without attempting to access invalid memory. The function should ensure that all pointers are properly initialized and valid before dereferencing them, allowing the request to be processed without causing a segmentation fault, leading to stable and correct execution of the CoAP server.
Actual Behavior
The actual behavior is that the coap_handle_request_put_block function in the CoAP server attempts to access an invalid memory address near the null pointer, leading to a segmentation fault. This results in the program crashing during the handling of a PUT request with block-wise transfer, instead of processing the request as expected. The AddressSanitizer tool detects this memory access violation and terminates the program, highlighting incorrect memory handling within the function.
Steps to reproduce
I'm sorry that I can't guarantee the success of the reproduction, because I used tools to fuzz for more than 13 hours before triggering this bug. I have tried to send packets manually, but it turned out that a single round or several rounds of sending packets could not trigger this problem. I have conducted multiple experiments, and it took an average of 9 hours of continuous fuzzing to trigger this bug. Therefore, I apologize that I can only provide the compilation process and startup parameters without hexstreams here.
Get the libcoap project.
Enter the libcoap directory and clear any previous configurations:
cd libcoap
bash ./autogen.sh --clear
cd examples
./coap-server -A 127.0.0.1 -p 6999 -e -d 100 -v 9 -P coap://127.0.0.1:5999,proxy1 -L 3 -N -g 224.0.1.187 -X 64
Debug Logs
Here is the complete logs of server (too large): https://drive.google.com/file/d/1zPV8oewSj2FWAW905sbT-SJKj3NFJxEy/view?usp=sharing
Asan Report:
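The crash sits in the server's handling of a PUT that carries a Block1 option. For a reader who wants to craft such requests by hand (as the reporter tried before falling back to the fuzzer), the following is an added example, not code from this issue or from libcoap: a small Python encoder and decoder for CoAP PUT messages with the Block1 option as laid out in RFC 7252 and RFC 7959, including the length and reserved-value checks a receiver should apply before acting on block state. The resource path, message IDs and payload are constructed for illustration.

```python
"""Minimal CoAP (RFC 7252) PUT encoder/decoder with Block1 (RFC 7959).

Constructed example; not libcoap code. Path, message IDs and payload are made up.
"""
import struct

COAP_VERSION = 1
TYPE_CON = 0
CODE_PUT = 0x03          # 0.03 PUT
OPT_URI_PATH = 11
OPT_BLOCK1 = 27
PAYLOAD_MARKER = 0xFF


def encode_uint(value):
    """Minimal-length big-endian uint as used for CoAP uint options (0 -> b'')."""
    out = b""
    while value:
        out = bytes([value & 0xFF]) + out
        value >>= 8
    return out


def _nibble(v):
    """Option delta/length nibble plus its extension bytes (RFC 7252 section 3.1)."""
    if v < 13:
        return v, b""
    if v < 269:
        return 13, bytes([v - 13])
    return 14, struct.pack("!H", v - 269)


def encode_options(options):
    """options: list of (number, value); emitted in ascending number order, delta-encoded."""
    out, prev = b"", 0
    for number, value in sorted(options, key=lambda o: o[0]):  # stable: keeps path order
        dn, dext = _nibble(number - prev)
        ln, lext = _nibble(len(value))
        out += bytes([(dn << 4) | ln]) + dext + lext + value
        prev = number
    return out


def block_value(num, more, szx):
    """Block1 value layout: NUM (up to 20 bits) | M (1 bit) | SZX (3 bits)."""
    return (num << 4) | (int(more) << 3) | szx


def build_put(mid, path, payload, num, more, szx, token=b""):
    """One CON PUT carrying a single Block1 block of a larger body."""
    header = bytes([(COAP_VERSION << 6) | (TYPE_CON << 4) | len(token), CODE_PUT])
    header += struct.pack("!H", mid) + token
    options = [(OPT_URI_PATH, seg.encode()) for seg in path]
    options.append((OPT_BLOCK1, encode_uint(block_value(num, more, szx))))
    msg = header + encode_options(options)
    if payload:
        msg += bytes([PAYLOAD_MARKER]) + payload
    return msg


def blockwise_put(path, body, szx, first_mid=0x1234):
    """Split body into 2^(szx+4)-byte blocks; M=1 on every block except the last."""
    size = 1 << (szx + 4)
    chunks = [body[i:i + size] for i in range(0, len(body), size)] or [b""]
    last = len(chunks) - 1
    return [build_put(first_mid + n, path, c, n, n < last, szx) for n, c in enumerate(chunks)]


def _ext(nibble, msg, pos):
    """Decode one delta/length nibble with its extension bytes; bounds-checked."""
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        if pos >= len(msg):
            raise ValueError("truncated 1-byte option extension")
        return 13 + msg[pos], pos + 1
    if nibble == 14:
        if pos + 2 > len(msg):
            raise ValueError("truncated 2-byte option extension")
        return 269 + struct.unpack("!H", msg[pos:pos + 2])[0], pos + 2
    raise ValueError("reserved nibble 15 outside payload marker")


def parse_message(msg):
    """Parse header, options and payload; raise ValueError rather than trust lengths."""
    if len(msg) < 4:
        raise ValueError("short header")
    tkl = msg[0] & 0x0F
    if (msg[0] >> 6) != COAP_VERSION or tkl > 8:
        raise ValueError("bad version or token length")
    if len(msg) < 4 + tkl:
        raise ValueError("truncated token")
    mid = struct.unpack("!H", msg[2:4])[0]
    pos, number, options = 4 + tkl, 0, []
    while pos < len(msg) and msg[pos] != PAYLOAD_MARKER:
        dn, ln = msg[pos] >> 4, msg[pos] & 0x0F
        delta, pos = _ext(dn, msg, pos + 1)
        length, pos = _ext(ln, msg, pos)
        if pos + length > len(msg):
            raise ValueError("option overruns message")
        number += delta
        options.append((number, msg[pos:pos + length]))
        pos += length
    payload = msg[pos + 1:] if pos < len(msg) else b""
    if pos < len(msg) and not payload:
        raise ValueError("payload marker with empty payload")
    return {"code": msg[1], "mid": mid, "token": msg[4:4 + tkl],
            "options": options, "payload": payload}


def parse_block1(parsed):
    """Return (num, more, block_size) or None; reject repeated/over-long Block1 and SZX=7."""
    vals = [v for n, v in parsed["options"] if n == OPT_BLOCK1]
    if not vals:
        return None
    if len(vals) > 1 or len(vals[0]) > 3:   # NUM is at most 20 bits -> at most 3 bytes
        raise ValueError("malformed Block1 option")
    v = int.from_bytes(vals[0], "big")
    szx = v & 0x7
    if szx == 7:
        raise ValueError("reserved SZX value 7")
    return v >> 4, bool(v & 0x8), 1 << (szx + 4)
```

The decoder deliberately validates every length it reads before indexing, and refuses a reserved SZX and an over-long Block1 value; these are the inputs a fuzzer will eventually generate, and a receiver that skips such checks is exactly where a stray dereference in block handling tends to surface.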