Hi,
libasan reports a heap overflow in tetra-rx.
To reproduce:
checkout latest osmo-tetra
optionally modify Makefile to add -DDEBUG to CFLAGS
make debug (compiling this on Debian 12 using the prepackaged
libosmocore)
dd if=/dev/zero of=testbits.bin bs=1k count=4
mkdir r
./tetra-rx -d r testbits.bin
[...]
burst_sync_in: 64 bits, state 0
-> trying to find training sequence between bit 0 and 4032
burst_sync_in: 64 bits, state 0
-> trying to find training sequence between bit 0 and 4096
=================================================================
==169038==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x621000001178 at pc 0x55e8c5b1acd0 bp 0x7ffee4666cf0 sp 0x7ffee4666ce8
READ of size 1 at 0x621000001178 thread T0
#0 0x55e8c5b1accf in tetra_find_train_seq phy/tetra_burst.c:294
#1 0x55e8c5b19d30 in tetra_burst_sync_in phy/tetra_burst_sync.c:75
#2 0x55e8c5b19917 in main
/home/sq5bpf/tetra2/osmo-tetra-orig/src/tetra-rx.c:94
#3 0x7fc9714461c9 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#4 0x7fc971446284 in __libc_start_main_impl ../csu/libc-start.c:360
#5 0x55e8c5b19540 in _start
(/home/sq5bpf/tetra2/osmo-tetra-orig/src/tetra-rx+0xc540)
0x621000001178 is located 0 bytes to the right of 4216-byte region
[0x621000000100,0x621000001178)
allocated by thread T0 here:
#0 0x7fc9716b89cf in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fc971cb0d53 (/lib/x86_64-linux-gnu/libtalloc.so.2+0x5d53)
SUMMARY: AddressSanitizer: heap-buffer-overflow phy/tetra_burst.c:294 in
tetra_find_train_seq
This is some off-by-one bug, but it is not obvious to me while looking at
the code.
Jacek
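A bounds-checked sliding-window search of the kind tetra_find_train_seq performs, added here as an illustration and not code from osmo-tetra; the 22-bit pattern, the buffer sizes and the helper names are constructed. It shows the loop bound that keeps the last compared window inside the allocation, which is the boundary the ASAN report above says was crossed by one byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 22-bit marker standing in for a training sequence; not the
 * real TETRA sequence and not osmo-tetra's code. */
#define SEQ_LEN 22
static const uint8_t train_seq[SEQ_LEN] =
    {1,1,0,1,0,0,0,0,1,1,1,0,1,0,0,1,1,1,0,1,0,0};

/* Return the offset of the first window in bits[0..nbits) equal to seq, or -1.
 * The last window that fits starts at nbits - seq_len, so the loop runs while
 * start + seq_len <= nbits; no iteration touches bits[nbits]. */
int find_train_seq(const uint8_t *bits, size_t nbits,
                   const uint8_t *seq, size_t seq_len)
{
    if (bits == NULL || seq_len == 0 || nbits < seq_len)
        return -1;
    for (size_t start = 0; start + seq_len <= nbits; start++) {
        if (memcmp(bits + start, seq, seq_len) == 0)
            return (int)start;
    }
    return -1;
}

/* Boundary case 1: an all-zero buffer (like the /dev/zero input in the
 * report) must give no match without reading past the end. */
int find_in_zeros(size_t nbits)
{
    uint8_t buf[4096] = {0};
    if (nbits > sizeof(buf))
        return -1;
    return find_train_seq(buf, nbits, train_seq, SEQ_LEN);
}

/* Boundary case 2: a sequence ending exactly on the last bit must still be
 * found; a loop bound that is one too small would miss it. */
int find_at_end(size_t nbits)
{
    uint8_t buf[4096] = {0};
    if (nbits > sizeof(buf) || nbits < SEQ_LEN)
        return -1;
    memcpy(buf + nbits - SEQ_LEN, train_seq, SEQ_LEN);
    return find_train_seq(buf, nbits, train_seq, SEQ_LEN);
}

int main(void)
{
    printf("zeros: %d\n", find_in_zeros(4096));   /* -1 */
    printf("at end: %d\n", find_at_end(4096));    /* 4074 */
    return 0;
}
```

Build with -fsanitize=address -g to get the same kind of report as above if the loop bound is ever loosened.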