Heap Buffer Overflow at dns_question_parse in /src/dns_protocol.c:89:18 and dns_request_parse in /src/dns_protocol.c:49:14
I triggered a heap-buffer-overflow bug reported by AddressSanitizer at dns_question_parse in /src/dns_protocol.c:89:18. The error occurs because the program attempts to read 1 byte beyond the allocated memory region. Specifically, the overflow happens at address 0x6040000000f5, which is the boundary of a 37-byte heap allocation ([0x6040000000d0, 0x6040000000f5)), made at line 49 of the dns_request_parse function in the same file. The backtrace shows the issue originates from dns_question_parse, called by dns_request_parse, then propagates through dns_loop and main. The root cause is likely improper bounds checking while parsing the DNS question. This overflow results in accessing unallocated memory, leading to program termination. Proper validation of memory boundaries in the parsing logic is necessary to resolve this issue.
ASan Report:
==3131609==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000000f5 at pc 0x0000004c4541 bp 0x7fff87604f80 sp 0x7fff87604f78
READ of size 1 at 0x6040000000f5 thread T0
#0 0x4c4540 in dns_question_parse /root/protocolFuzz/dns/simple-dns/src/dns_protocol.c:89:18
#1 0x4c4540 in dns_request_parse /root/protocolFuzz/dns/simple-dns/src/dns_protocol.c:56:3
#2 0x4c3894 in dns_loop /root/protocolFuzz/dns/simple-dns/src/server.c:89:3
#3 0x4c3b5b in main /root/protocolFuzz/dns/simple-dns/src/simple-dns.c:43:2
#4 0x7f41380c7082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
#5 0x41b3dd in _start (/root/protocolFuzz/dns/simple-dns/src/simple-dns+0x41b3dd)
0x6040000000f5 is located 0 bytes to the right of 37-byte region [0x6040000000d0,0x6040000000f5)
allocated by thread T0 here:
#0 0x493b1d in malloc (/root/protocolFuzz/dns/simple-dns/src/simple-dns+0x493b1d)
#1 0x4c41a3 in dns_request_parse /root/protocolFuzz/dns/simple-dns/src/dns_protocol.c:49:14
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/protocolFuzz/dns/simple-dns/src/dns_protocol.c:89:18 in dns_question_parse
Shadow bytes around the buggy address:
0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff8000: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 07
=>0x0c087fff8010: fa fa fd fd fd fd fd fa fa fa 00 00 00 00[05]fa
0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3131609==ABORTING
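The fix the report calls for is a length check before every read from the request buffer while walking the question section. The following bounds-checked QNAME/QTYPE/QCLASS parser is an added illustration of that pattern; it is not simple-dns's own code, and the function name `dns_question_parse_checked` and its signature are assumptions. It refuses (returns 0) whenever the next label-length byte, a label body, or the trailing four bytes of QTYPE and QCLASS would fall outside the `len` bytes it was given, which is exactly the kind of 1-byte over-read ASan flagged above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounds-checked parser for one DNS question
 * (QNAME labels, then QTYPE and QCLASS, RFC 1035 section 4.1.2).
 * Returns the number of bytes consumed from `buf`, or 0 if the question
 * does not fit entirely within `len` bytes or the name does not fit in
 * `name_cap`. Compression pointers (top two bits set) are rejected here
 * because a question section in a request does not need them.
 * This is an added example, not code from the simple-dns project. */
size_t dns_question_parse_checked(const uint8_t *buf, size_t len,
                                  char *name, size_t name_cap,
                                  uint16_t *qtype, uint16_t *qclass)
{
    size_t pos = 0;   /* read cursor into buf */
    size_t out = 0;   /* write cursor into name */

    for (;;) {
        if (pos >= len)                  /* label-length byte would be past the end */
            return 0;
        uint8_t lablen = buf[pos++];
        if (lablen == 0)                 /* root label terminates the name */
            break;
        if (lablen & 0xC0)               /* compression pointer: not accepted */
            return 0;
        if (lablen > len - pos)          /* label body would run past the buffer */
            return 0;
        if (out + lablen + 2 > name_cap) /* room for '.', label and NUL */
            return 0;
        if (out > 0)
            name[out++] = '.';
        memcpy(name + out, buf + pos, lablen);
        out += lablen;
        pos += lablen;
    }
    name[out] = '\0';

    if (len - pos < 4)                   /* QTYPE + QCLASS need 4 more bytes */
        return 0;
    *qtype  = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
    *qclass = (uint16_t)((buf[pos + 2] << 8) | buf[pos + 3]);
    return pos + 4;
}

int main(void)
{
    /* Constructed sample question: "example.com", QTYPE=A, QCLASS=IN (17 bytes). */
    const uint8_t q[] = { 7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0,
                          0x00, 0x01, 0x00, 0x01 };
    char name[64];
    uint16_t qtype, qclass;

    size_t used = dns_question_parse_checked(q, sizeof q, name, sizeof name,
                                             &qtype, &qclass);
    printf("full question: consumed %zu bytes, name=%s type=%u class=%u\n",
           used, name, qtype, qclass);

    /* Same bytes with the last byte missing: the checked parser rejects it
     * instead of reading one byte past the end of the buffer. */
    used = dns_question_parse_checked(q, sizeof q - 1, name, sizeof name,
                                      &qtype, &qclass);
    printf("truncated question: consumed %zu bytes (0 means rejected)\n", used);
    return 0;
}
```

The key habit is that every access is preceded by a comparison against the remaining length (`len - pos`), never against a value read from the packet alone; the label length byte is attacker-controlled and must be validated before it drives a `memcpy` or a loop bound.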