
strcpy-param-overlap in filesys.c

Open michaelortmann opened this issue 4 years ago • 0 comments

There are some bad strcpy()s in filesys.c that overlap src and dst, which is undefined. It's complex code, so I opened this issue instead of delivering a PR instantly.

https://github.com/eggheads/eggdrop/blob/155f7a3c352f80f93db12bd78db7a9960863ae08/src/mod/filesys.mod/filesys.c#L236

https://github.com/eggheads/eggdrop/blob/155f7a3c352f80f93db12bd78db7a9960863ae08/src/mod/filesys.mod/filesys.c#L221

.files
[02:02:28] tcl: builtin dcc call: *dcc:files -HQ 1 
[02:02:28] #-HQ# files
Entering file system...
*** -HQ has left: file system

Welcome to the BotA file server
All file transfers will be sent to '-HQ' by default.
(You can specify an alternate nick with the 'get' command.)
Type 'help' for help.
Current directory: /

.files
=================================================================
==403976==ERROR: AddressSanitizer: strcpy-param-overlap: memory ranges [0x7ffcb9e76710,0x7ffcb9e76717) and [0x7ffcb9e76710, 0x7ffcb9e76717) overlap
    #0 0x7fd21181ad37 in __interceptor_strcpy /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:436
    #1 0x7fd20ba6e93d in strcpy /usr/include/bits/string_fortified.h:90
    #2 0x7fd20ba6e93d in dcc_files .././filesys.mod/filesys.c:236
    #3 0x55bce4a0c38b in mainloop main.c:868
    #4 0x55bce4a0f46e in main main.c:1296
    #5 0x7fd2105e8171 in __libc_start_main (/usr/lib/libc.so.6+0x28171)
    #6 0x55bce495034d in _start (/home/michael/eggdrop/eggdrop-1.9.0+0x20534d)

Address 0x7ffcb9e76710 is located in stack of thread T0 at offset 384 in frame
    #0 0x55bce4a0b865 in mainloop main.c:804

  This frame has 3 object(s):
    [48, 52) 'i' (line 806)
    [64, 320) 'name' (line 929)
    [384, 9086) 'buf' (line 807) <== Memory access at offset 384 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Address 0x7ffcb9e76710 is located in stack of thread T0 at offset 384 in frame
    #0 0x55bce4a0b865 in mainloop main.c:804

  This frame has 3 object(s):
    [48, 52) 'i' (line 806)
    [64, 320) 'name' (line 929)
    [384, 9086) 'buf' (line 807) <== Memory access at offset 384 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: strcpy-param-overlap /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:436 in __interceptor_strcpy
==403976==ABORTING

michaelortmann, Jan 30 '21 01:01
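The two memory ranges in the sanitizer report above are identical, so the flagged call copied a string onto itself (src == dst). That is undefined behaviour for strcpy even when it appears to work, and note that the fortified strcpy wrapper in frame #1 only checks destination size, not overlap; only the ASan interceptor catches this. The C below is an added illustration, not eggdrop's code and not a reconstruction of the two filesys.c lines linked in the issue. It shows a small overlap check usable in debug assertions, and a bounded memmove-based copy that is well-defined for any overlap, applied to a hypothetical in-place "strip the leading slash" operation of the kind file-server code tends to do. The sample path is constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Scratch buffer used by the stand-alone demo below. */
char scratch[32];

/* Returns 1 when the byte ranges [a, a+len) and [b, b+len) overlap.
 * Comparing through uintptr_t keeps the test well-defined even when the
 * two pointers belong to different objects. This is the same condition
 * ASan's strcpy interceptor evaluates before reporting param-overlap. */
int ranges_overlap(const void *a, const void *b, size_t len)
{
    uintptr_t x = (uintptr_t)a, y = (uintptr_t)b;
    if (len == 0)
        return 0;
    return x < y + len && y < x + len;
}

/* Bounded string copy that tolerates overlapping src/dst.
 * memmove is defined for overlapping ranges, unlike strcpy/memcpy.
 * Never writes more than dst_size bytes and always NUL-terminates.
 * Returns the number of characters copied (excluding the terminator). */
size_t move_str(char *dst, const char *src, size_t dst_size)
{
    size_t n;
    if (dst_size == 0)
        return 0;
    n = strnlen(src, dst_size - 1);   /* length is measured before any byte moves */
    memmove(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Hypothetical in-place operation: drop a leading '/' from a path.
 * The fragile form of this is strcpy(buf, buf + 1), where src and dst
 * overlap by all but one byte. move_str() does the same job safely.
 * Returns the resulting string length. */
size_t strip_leading_slash(char *buf, size_t buf_size)
{
    if (buf_size == 0 || buf[0] != '/')
        return strnlen(buf, buf_size);
    return move_str(buf, buf + 1, buf_size);
}

/* Runs the constructed sample "/files/x" through strip_leading_slash()
 * and returns 1 if the result is exactly "files/x" with length 7. */
int demo_in_place_strip(void)
{
    char buf[16];
    size_t n;
    strcpy(buf, "/files/x");            /* constructed sample input */
    n = strip_leading_slash(buf, sizeof buf);
    return n == 7 && strcmp(buf, "files/x") == 0;
}

int main(void)
{
    printf("in-place strip ok: %d\n", demo_in_place_strip());
    printf("self-overlap:      %d\n", ranges_overlap(scratch, scratch, 7));
    printf("shifted overlap:   %d\n", ranges_overlap(scratch, scratch + 1, 7));
    printf("disjoint:          %d\n", ranges_overlap(scratch, scratch + 7, 7));
    return 0;
}
```

When auditing a call like `strcpy(dst, src)` whose arguments are computed from the same buffer, the question to ask is whether any branch can make the two pointers coincide or overlap; if so, switching to memmove with an explicit length removes the undefined behaviour regardless of which branch is taken, and the same sanitizer build that produced the report above will confirm the fix.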