heap-buffer-overflow (OOB read) in msgData
Affected: latest daemon master & earlier. Built with -O0 -g -fsanitize=address
How to reproduce: Don't know, crash happened in background
ASAN stacktrace:
[1530642849.947|14374|ringaccount.cpp :3274 ] [Account 9fba7138a1fc3f51] found 1 devices for dfbf26a7e179df1c820b6228337b87387aa18461
[1530642850.099|14374|ringaccount.cpp :2014 ] Buddy ded6a9d278d05adac3265a0a69d07bd264e0861a online: (device: 8cab8a934b6fa5965e7c6924afb9a3487751045a)
[1530642850.099|14374|ringaccount.cpp :3274 ] [Account 9fba7138a1fc3f51] found 1 devices for ded6a9d278d05adac3265a0a69d07bd264e0861a
[1530643018.062|20911|p2p.cpp :316 ] [Account 9fba7138a1fc3f51] [CNX] request connection to 59e730f3484cd99742ad4a98cd3f55fc93070d92
[1530643038.063|20911|p2p.cpp :273 ] [CNX] exception during client processing: no response from DHT to E2E request
=================================================================
==14374==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000280378 at pc 0x7fed8da2f0b9 bp 0x7fed820de900 sp 0x7fed820de8f0
READ of size 20 at 0x603000280378 thread T2
#0 0x7fed8da2f0b8 in msgData<0ul, (ring::<unnamed>::CtrlMsgType)1, std::tuple<ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)0, void>, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)1, std::tuple<dht::Hash<20ul>, long unsigned int> >, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)2, std::tuple<ring::IpAddr> >, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)3, std::tuple<ring::IpAddr> >, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)4, std::tuple<ring::(anonymous namespace)::PeerConnectionMsg> >, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)5, std::tuple<ring::(anonymous namespace)::PeerConnectionMsg> >, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)6, std::tuple<dht::Hash<20ul>, long unsigned int, std::shared_ptr<dht::crypto::Certificate>, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::function<void(ring::PeerConnection*)> > > >, ring::(anonymous namespace)::CtrlMsgBase> /home/hlefeuvre/Development/ring-daemon/src/ringdht/p2p.cpp:161
#1 0x7fed8da2f108 in ctrlMsgData<(ring::<unnamed>::CtrlMsgType)1, 0ul, ring::(anonymous namespace)::CtrlMsgBase> /home/hlefeuvre/Development/ring-daemon/src/ringdht/p2p.cpp:186
#2 0x7fed8da2fcca in ring::DhtPeerConnector::Impl::eventLoop() /home/hlefeuvre/Development/ring-daemon/src/ringdht/p2p.cpp:637
#3 0x7fed8da416ff in ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1}::operator()() const /home/hlefeuvre/Development/ring-daemon/src/ringdht/p2p.cpp:200
#4 0x7fed8da5de79 in void std::_Bind_simple<ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} ()>::_M_invoke<>(std::_Index_tuple<>) /usr/include/c++/5/functional:1531
#5 0x7fed8da5d973 in std::_Bind_simple<ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} ()>::operator()() /usr/include/c++/5/functional:1520
#6 0x7fed8da5cf58 in std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::_Bind_simple<ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} ()>, void>::operator()() const /usr/include/c++/5/future:1342
#7 0x7fed8da5c619 in std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::_Bind_simple<ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} ()>, void> >::_M_invoke(std::_Any_data const&) /usr/include/c++/5/functional:1857
#8 0x7fed8d71c1d7 in std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>::operator()() const /usr/include/c++/5/functional:2267
#9 0x7fed8d71a48c in std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*) /usr/include/c++/5/future:527
#10 0x7fed8d726e5a in void std::_Mem_fn_base<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), true>::operator()<std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*, void>(std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*&&, bool*&&) const /usr/include/c++/5/functional:600
#11 0x7fed8d7258e6 in void std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)>::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/5/functional:1531
#12 0x7fed8d722fdd in std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)>::operator()() /usr/include/c++/5/functional:1520
#13 0x7fed8d71f40e in void std::__once_call_impl<std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> >() /usr/include/c++/5/mutex:706
#14 0x7fed8c4a8a98 in __pthread_once_slow (/lib/x86_64-linux-gnu/libpthread.so.0+0xea98)
#15 0x7fed8d70bad9 in __gthread_once /usr/include/x86_64-linux-gnu/c++/5/bits/gthr-default.h:699
#16 0x7fed8d71bfc6 in void std::call_once<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*>(std::once_flag&, void (std::__future_base::_State_baseV2::*&&)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), std::__future_base::_State_baseV2*&&, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*&&, bool*&&) /usr/include/c++/5/mutex:738
#17 0x7fed8d719ec3 in std::__future_base::_State_baseV2::_M_set_result(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>, bool) /usr/include/c++/5/future:387
#18 0x7fed8da5b161 in std::__future_base::_Async_state_impl<std::_Bind_simple<ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} ()>, void>::_Async_state_impl(ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} (&&)())::{lambda()#1}::operator()() const /usr/include/c++/5/future:1658
#19 0x7fed8da61805 in void std::_Bind_simple<std::__future_base::_Async_state_impl<std::_Bind_simple<ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} ()>, void>::_Async_state_impl(ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} (&&)())::{lambda()#1} ()>::_M_invoke<>(std::_Index_tuple<>) /usr/include/c++/5/functional:1531
#20 0x7fed8da61505 in std::_Bind_simple<std::__future_base::_Async_state_impl<std::_Bind_simple<ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} ()>, void>::_Async_state_impl(ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} (&&)())::{lambda()#1} ()>::operator()() /usr/include/c++/5/functional:1520
#21 0x7fed8da6019b in std::thread::_Impl<std::_Bind_simple<std::__future_base::_Async_state_impl<std::_Bind_simple<ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} ()>, void>::_Async_state_impl(ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} (&&)())::{lambda()#1} ()> >::_M_run() /usr/include/c++/5/thread:115
#22 0x7fed8c985c7f (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8c7f)
#23 0x7fed8c4a16b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#24 0x7fed8c1d741c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
0x603000280380 is located 0 bytes to the right of 32-byte region [0x603000280360,0x603000280380)
allocated by thread T445 here:
#0 0x7fed8f490532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x7fed8da32682 in make_unique<ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)1, std::tuple<dht::Hash<20ul> > >, const dht::Hash<20ul>&> /usr/include/c++/5/bits/unique_ptr.h:765
#2 0x7fed8da2a5ec in makeMsg<(ring::<unnamed>::CtrlMsgType)1, dht::Hash<20ul> > /home/hlefeuvre/Development/ring-daemon/src/ringdht/p2p.cpp:153
#3 0x7fed8da426b6 in ring::DhtPeerConnector::Impl::ClientConnector::cancel() /home/hlefeuvre/Development/ring-daemon/src/ringdht/p2p.cpp:299
#4 0x7fed8da41f47 in ring::DhtPeerConnector::Impl::ClientConnector::ClientConnector(ring::DhtPeerConnector::Impl&, dht::Hash<20ul> const&, std::shared_ptr<dht::crypto::Certificate> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::function<void (ring::PeerConnection*)> const&)::{lambda()#1}::operator()() const /home/hlefeuvre/Development/ring-daemon/src/ringdht/p2p.cpp:274
#5 0x7fed8da5df37 in void std::_Bind_simple<ring::DhtPeerConnector::Impl::ClientConnector::ClientConnector(ring::DhtPeerConnector::Impl&, dht::Hash<20ul> const&, std::shared_ptr<dht::crypto::Certificate> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::function<void (ring::PeerConnection*)> const&)::{lambda()#1} ()>::_M_invoke<>(std::_Index_tuple<>) /usr/include/c++/5/functional:1531
#6 0x7fed8da5da9f in std::_Bind_simple<ring::DhtPeerConnector::Impl::ClientConnector::ClientConnector(ring::DhtPeerConnector::Impl&, dht::Hash<20ul> const&, std::shared_ptr<dht::crypto::Certificate> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::function<void (ring::PeerConnection*)> const&)::{lambda()#1} ()>::operator()() /usr/include/c++/5/functional:1520
#7 0x7fed8da5d43c in std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::_Bind_simple<ring::DhtPeerConnector::Impl::ClientConnector::ClientConnector(ring::DhtPeerConnector::Impl&, dht::Hash<20ul> const&, std::shared_ptr<dht::crypto::Certificate> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::function<void (ring::PeerConnection*)> const&)::{lambda()#1} ()>, void>::operator()() const /usr/include/c++/5/future:1342
#8 0x7fed8da5ca2a in std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::_Bind_simple<ring::DhtPeerConnector::Impl::ClientConnector::ClientConnector(ring::DhtPeerConnector::Impl&, dht::Hash<20ul> const&, std::shared_ptr<dht::crypto::Certificate> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::function<void (ring::PeerConnection*)> const&)::{lambda()#1} ()>, void> >::_M_invoke(std::_Any_data const&) /usr/include/c++/5/functional:1857
#9 0x7fed8d71c1d7 in std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>::operator()() const /usr/include/c++/5/functional:2267
#10 0x7fed8d71a48c in std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*) /usr/include/c++/5/future:527
#11 0x7fed8d726e5a in void std::_Mem_fn_base<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), true>::operator()<std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*, void>(std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*&&, bool*&&) const /usr/include/c++/5/functional:600
#12 0x7fed8d7258e6 in void std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)>::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/5/functional:1531
#13 0x7fed8d722fdd in std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)>::operator()() /usr/include/c++/5/functional:1520
#14 0x7fed8d71f40e in void std::__once_call_impl<std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> >() /usr/include/c++/5/mutex:706
#15 0x7fed8c4a8a98 in __pthread_once_slow (/lib/x86_64-linux-gnu/libpthread.so.0+0xea98)
Thread T2 created by T0 here:
#0 0x7fed8f42d253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x7fed8c985dc2 in std::thread::_M_start_thread(std::shared_ptr<std::thread::_Impl_base>, void (*)()) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8dc2)
Thread T445 created by T2 here:
#0 0x7fed8f42d253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x7fed8c985dc2 in std::thread::_M_start_thread(std::shared_ptr<std::thread::_Impl_base>, void (*)()) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8dc2)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hlefeuvre/Development/ring-daemon/src/ringdht/p2p.cpp:161 msgData<0ul, (ring::<unnamed>::CtrlMsgType)1, std::tuple<ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)0, void>, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)1, std::tuple<dht::Hash<20ul>, long unsigned int> >, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)2, std::tuple<ring::IpAddr> >, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)3, std::tuple<ring::IpAddr> >, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)4, std::tuple<ring::(anonymous namespace)::PeerConnectionMsg> >, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)5, std::tuple<ring::(anonymous namespace)::PeerConnectionMsg> >, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)6, std::tuple<dht::Hash<20ul>, long unsigned int, std::shared_ptr<dht::crypto::Certificate>, std::vector<std::__cxx11::basic_strin
Shadow bytes around the buggy address:
0x0c0680048010: fa fa 00 00 00 00 fa fa fa fa fa fa fa fa fa fa
0x0c0680048020: fa fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa
0x0c0680048030: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0680048040: fa fa fa fa fa fa fa fa fd fd fd fd fa fa fd fd
0x0c0680048050: fd fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa
=>0x0c0680048060: fa fa fa fa fa fa fd fd fd fd fa fa 00 00 00[00]
0x0c0680048070: fa fa fd fd fd fa fa fa fa fa fa fa fa fa 00 00
0x0c0680048080: 00 00 fa fa fa fa fa fa fa fa fd fd fd fa fa fa
0x0c0680048090: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
0x0c06800480a0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x0c06800480b0: fd fa fa fa fa fa fa fa fa fa fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==14374==ABORTING
This bug has potential security implications (CWE-125).