Bug #2151
closedFaceManager/TestFireInterestFilter heap buffer overflow
Start date:
Due date:
% Done:
100%
Estimated time:
Description
Observed on a 64-bit Ubuntu 14.10 virtual machine while running the NFD unit tests (AddressSanitizer build):
==22476==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000105ec8 at pc 0x9df843 bp 0x7fff1d354ae0 sp 0x7fff1d354ad0
READ of size 8 at 0x612000105ec8 thread T0
#0 0x9df842 in std::__shared_ptr<ndn::Buffer const, (__gnu_cxx::_Lock_policy)2>::operator bool() const /usr/include/c++/4.9/bits/shared_ptr_base.h:1056
#1 0x9df842 in ndn::Block::hasValue() const ../src/encoding/block.hpp:329
#2 0x9df842 in ndn::Block::value_size() const ../src/encoding/block.hpp:473
#3 0x9df842 in ndn::name::Component::compare(ndn::name::Component const&) const ../src/name-component.cpp:314
#4 0x7dfc8c in ndn::name::Component::operator<(ndn::name::Component const&) const /usr/local/include/ndn-cxx/name-component.hpp:550
#5 0x7dfc8c in std::less<ndn::name::Component>::operator()(ndn::name::Component const&, ndn::name::Component const&) const /usr/include/c++/4.9/bits/stl_function.h:371
#6 0x7dfc8c in std::_Rb_tree<ndn::name::Component, std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> >, std::_Select1st<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > >, std::less<ndn::name::Component>, std::allocator<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > > >::_M_lower_bound(std::_Rb_tree_node<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > > const*, std::_Rb_tree_node<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > > const*, ndn::name::Component const&) const /usr/include/c++/4.9/bits/stl_tree.h:1277
#7 0x7dfd13 in std::_Rb_tree<ndn::name::Component, std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> >, std::_Select1st<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > >, std::less<ndn::name::Component>, std::allocator<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > > >::find(ndn::name::Component const&) const /usr/include/c++/4.9/bits/stl_tree.h:1926
#8 0x7ccf42 in std::map<ndn::name::Component, std::function<void (nfd::FaceManager*, ndn::Interest const&)>, std::less<ndn::name::Component>, std::allocator<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > > >::find(ndn::name::Component const&) const /usr/include/c++/4.9/bits/stl_map.h:875
#9 0x7ccf42 in nfd::FaceManager::onFaceRequest(ndn::Interest const&) ../daemon/mgmt/face-manager.cpp:868
#10 0x7d7d4b in boost::_mfi::mf1<void, nfd::FaceManager, ndn::Interest const&>::operator()(nfd::FaceManager*, ndn::Interest const&) const /usr/include/boost/bind/mem_fn_template.hpp:165
#11 0x7d7d4b in operator()<boost::_mfi::mf1<void, nfd::FaceManager, const ndn::Interest&>, boost::_bi::list2<const ndn::Name&, const ndn::Interest&> > /usr/include/boost/bind/bind.hpp:313
#12 0x7d7d4b in operator()<ndn::Name, ndn::Interest> /usr/include/boost/bind/bind_template.hpp:102
#13 0x7d7d4b in std::_Function_handler<void (ndn::Name const&, ndn::Interest const&), boost::_bi::bind_t<void, boost::_mfi::mf1<void, nfd::FaceManager, ndn::Interest const&>, boost::_bi::list2<boost::_bi::value<nfd::FaceManager*>, boost::arg<2> > > >::_M_invoke(std::_Any_data const&, ndn::Name const&, ndn::Interest const&) /usr/include/c++/4.9/functional:2039
#14 0x7ff6d7 in std::function<void (ndn::Name const&, ndn::Interest const&)>::operator()(ndn::Name const&, ndn::Interest const&) const /usr/include/c++/4.9/functional:2439
#15 0x7fe714 in nfd::InternalFace::processInterest(std::shared_ptr<ndn::Interest const> const&) ../daemon/mgmt/internal-face.cpp:97
#16 0x8009c5 in operator()<std::shared_ptr<const ndn::Interest>&, void> /usr/include/c++/4.9/functional:569
#17 0x8009c5 in __call<void, 0ul, 1ul> /usr/include/c++/4.9/functional:1264
#18 0x8009c5 in operator()<, void> /usr/include/c++/4.9/functional:1323
#19 0x8009c5 in asio_handler_invoke<std::_Bind<std::_Mem_fn<void (nfd::InternalFace::*)(const std::shared_ptr<const ndn::Interest>&)>(nfd::InternalFace*, std::shared_ptr<const ndn::Interest>)> > /usr/include/boost/asio/handler_invoke_hook.hpp:69
#20 0x8009c5 in invoke<std::_Bind<std::_Mem_fn<void (nfd::InternalFace::*)(const std::shared_ptr<const ndn::Interest>&)>(nfd::InternalFace*, std::shared_ptr<const ndn::Interest>)>, std::_Bind<std::_Mem_fn<void (nfd::InternalFace::*)(const std::shared_ptr<const ndn::Interest>&)>(nfd::InternalFace*, std::shared_ptr<const ndn::Interest>)> > /usr/include/boost/asio/detail/handler_invoke_helpers.hpp:37
#21 0x8009c5 in boost::asio::detail::completion_handler<std::_Bind<std::_Mem_fn<void (nfd::InternalFace::*)(std::shared_ptr<ndn::Interest const> const&)> (nfd::InternalFace*, std::shared_ptr<ndn::Interest const>)> >::do_complete(boost::asio::detail::task_io_service*, boost::asio::detail::task_io_service_operation*, boost::system::error_code const&, unsigned long) /usr/include/boost/asio/detail/completion_handler.hpp:68
#22 0x59030f in boost::asio::detail::task_io_service_operation::complete(boost::asio::detail::task_io_service&, boost::system::error_code const&, unsigned long) /usr/include/boost/asio/detail/task_io_service_operation.hpp:38
#23 0x59030f in boost::asio::detail::task_io_service::do_run_one(boost::asio::detail::scoped_lock<boost::asio::detail::posix_mutex>&, boost::asio::detail::task_io_service_thread_info&, boost::system::error_code const&) /usr/include/boost/asio/detail/impl/task_io_service.ipp:384
#24 0x59030f in boost::asio::detail::task_io_service::run_one(boost::system::error_code&) /usr/include/boost/asio/detail/impl/task_io_service.ipp:177
#25 0x571055 in boost::asio::io_service::run_one() /usr/include/boost/asio/impl/io_service.ipp:72
#26 0x571055 in nfd::tests::MgmtFaceManager::TestFireInterestFilter::test_method() ../tests/daemon/mgmt/face-manager.cpp:821
#27 0x57ec3e in TestFireInterestFilter_invoker ../tests/daemon/mgmt/face-manager.cpp:812
#28 0x4401f8 in invoke<void (*)()> /usr/include/boost/test/utils/callback.hpp:56
#29 0x4401f8 in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, void (*)()>::invoke() /usr/include/boost/test/utils/callback.hpp:89
#30 0x7f7d38f415a0 (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x685a0)
#31 0x7f7d38f1c865 in boost::execution_monitor::catch_signals(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x43865)
#32 0x7f7d38f1d0a2 in boost::execution_monitor::execute(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x440a2)
#33 0x7f7d38f416a1 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x686a1)
#34 0x7f7d38f2b2f3 in boost::unit_test::framework_impl::visit(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x522f3)
#35 0x7f7d38f5a2d2 in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x812d2)
#36 0x7f7d38f5a2d2 in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x812d2)
#37 0x7f7d38f26819 in boost::unit_test::framework::run(unsigned long, bool) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x4d819)
#38 0x7f7d38f3f283 in boost::unit_test::unit_test_main(bool (*)(), int, char**) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x66283)
#39 0x8db84f in main /usr/include/boost/test/unit_test.hpp:59
#40 0x7f7d370cdec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#41 0x43b4a8 (/home/davide/NFD/build/unit-tests-daemon+0x43b4a8)
0x612000105ec8 is located 0 bytes to the right of 264-byte region [0x612000105dc0,0x612000105ec8)
allocated by thread T0 here:
#0 0x7f7d395e013f in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5813f)
#1 0x443c69 in __gnu_cxx::new_allocator<ndn::Block>::allocate(unsigned long, void const*) /usr/include/c++/4.9/ext/new_allocator.h:104
#2 0x443c69 in std::allocator_traits<std::allocator<ndn::Block> >::allocate(std::allocator<ndn::Block>&, unsigned long) /usr/include/c++/4.9/bits/alloc_traits.h:357
#3 0x443c69 in std::_Vector_base<ndn::Block, std::allocator<ndn::Block> >::_M_allocate(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:170
#4 0x443c69 in std::_Vector_base<ndn::Block, std::allocator<ndn::Block> >::_M_create_storage(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:185
#5 0x443c69 in _Vector_base /usr/include/c++/4.9/bits/stl_vector.h:136
#6 0x443c69 in vector /usr/include/c++/4.9/bits/stl_vector.h:320
#7 0x443c69 in ndn::Block::Block(ndn::Block const&) ../src/security/../encoding/block.hpp:46
SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/include/c++/4.9/bits/shared_ptr_base.h:1056 std::__shared_ptr<ndn::Buffer const, (__gnu_cxx::_Lock_policy)2>::operator bool() const
Shadow bytes around the buggy address:
0x0c2480018b80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2480018b90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2480018ba0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c2480018bb0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c2480018bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2480018bd0: 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa
0x0c2480018be0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c2480018bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2480018c00: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
0x0c2480018c10: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2480018c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==22476==ABORTING
ndn-cxx is at commit 4e9b069bb844545d7e352b98821c5a11520f1b58; NFD is at commit 56a21bf34a7dacbc65afd347e0049efe628764b1. I'm not sure whether the bug is in ndn-cxx or in NFD. For reference, the report above shows the faulting 8-byte read at offset 0 past the end of a 264-byte region that was allocated for a std::vector<ndn::Block> inside ndn::Block's copy constructor, reached from ndn::name::Component::compare via the std::map lookup in nfd::FaceManager::onFaceRequest.