Hi,
libasan reports a heap overflow in tetra-rx.
To reproduce:
checkout latest osmo-tetra
optionally modify Makefile to add -DDEBUG to CFLAGS
make debug (compiling this on debian 12 using the prepackaged libosmocore)
dd if=/dev/zero of=testbits.bin bs=1k count=4
mkdir r
./tetra-rx -d r testbits.bin
[...]
burst_sync_in: 64 bits, state 0 -> trying to find training sequence between bit 0 and 4032
burst_sync_in: 64 bits, state 0 -> trying to find training sequence between bit 0 and 4096
=================================================================
==169038==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000001178 at pc 0x55e8c5b1acd0 bp 0x7ffee4666cf0 sp 0x7ffee4666ce8
READ of size 1 at 0x621000001178 thread T0
    #0 0x55e8c5b1accf in tetra_find_train_seq phy/tetra_burst.c:294
    #1 0x55e8c5b19d30 in tetra_burst_sync_in phy/tetra_burst_sync.c:75
    #2 0x55e8c5b19917 in main /home/sq5bpf/tetra2/osmo-tetra-orig/src/tetra-rx.c:94
    #3 0x7fc9714461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #4 0x7fc971446284 in __libc_start_main_impl ../csu/libc-start.c:360
    #5 0x55e8c5b19540 in _start (/home/sq5bpf/tetra2/osmo-tetra-orig/src/tetra-rx+0xc540)

0x621000001178 is located 0 bytes to the right of 4216-byte region [0x621000000100,0x621000001178)
allocated by thread T0 here:
    #0 0x7fc9716b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7fc971cb0d53 (/lib/x86_64-linux-gnu/libtalloc.so.2+0x5d53)

SUMMARY: AddressSanitizer: heap-buffer-overflow phy/tetra_burst.c:294 in tetra_find_train_seq
Shadow bytes around the buggy address:
  0x0c427fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff81e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff81f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff8220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
  0x0c427fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
This is some off-by-one bug but not obvious to me while looking at the code.
Jacek
Sorry for responding to myself. Found it.
The following patch to tetra_burst.c ifdefs out a patch from 2018 that was done to improve performance. This solves the problem, although it would be better to fix the patch and not just drop it.
jacek
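As an added illustration of the failure class in the report above (it is not osmo-tetra's tetra_find_train_seq() and does not reproduce the real training sequences), the following C shows a sliding-window bit-sequence search whose loop bound keeps every compare inside the allocation, plus an arithmetic check of how far the off-by-one form of the same loop reads past the buffer. An all-zero input like the dd reproducer never matches, so the loop runs to its final iteration, which is exactly where a bound that is off by one touches the byte after the region; the window size and sequence length here are constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NBITS  4096   /* constructed: 4096 unpacked bits, one per byte */
#define SEQLEN 22     /* constructed length, not a real TETRA training sequence */

/* Offset of the first occurrence of seq[0..seqlen) in bits[start..end),
 * or -1. The window end is clamped to the allocation and the loop stops at
 * the last start position from which a full compare stays in bounds. */
long find_train_seq_bounded(const uint8_t *bits, size_t nbits, size_t start,
                            size_t end, const uint8_t *seq, size_t seqlen)
{
    if (end > nbits)
        end = nbits;
    if (seqlen == 0 || end < start + seqlen)
        return -1;
    for (size_t i = start; i + seqlen <= end; i++)   /* not: i < end */
        if (memcmp(bits + i, seq, seqlen) == 0)
            return (long)i;
    return -1;
}

/* A loop written "for (i = start; i < end; i++) memcmp(bits + i, seq, seqlen)"
 * last reads index end - 1 + seqlen - 1. Returns how many elements past nbits
 * that reaches (0 if it stays in bounds). Pure arithmetic, no memory access. */
size_t overread_of_unbounded_loop(size_t nbits, size_t end, size_t seqlen)
{
    if (end == 0 || seqlen == 0)
        return 0;
    size_t last_index = end - 1 + seqlen - 1;
    return last_index >= nbits ? last_index - nbits + 1 : 0;
}

/* Fills a zero buffer (like dd if=/dev/zero), plants a constructed
 * alternating sequence at offset `at` (or nowhere when at == NBITS) and
 * searches the whole window. at == NBITS - SEQLEN exercises the last
 * in-bounds start position; at == NBITS exercises the no-match path. */
long search_planted(size_t at)
{
    uint8_t bits[NBITS] = {0};
    uint8_t seq[SEQLEN];
    for (size_t k = 0; k < SEQLEN; k++)
        seq[k] = (uint8_t)(k & 1);
    if (at + SEQLEN <= NBITS)
        memcpy(bits + at, seq, SEQLEN);
    return find_train_seq_bounded(bits, NBITS, 0, NBITS, seq, SEQLEN);
}
```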