Stack buffer overflow during obj/filter/filter_test execution

Sergey L sergeylobanov87nn at gmail.com
Fri Aug 22 20:31:04 CEST 2025


Hi,

ASAN reports stack-buffer-overflow in ip6_getbit() function during
obj/filter/filter_test execution.

To reproduce the issue without ASAN, apply the following patch:
diff --git a/lib/ip.h b/lib/ip.h
index bae05261..e76ded9c 100644
--- a/lib/ip.h
+++ b/lib/ip.h
@@ -13,6 +13,7 @@
 #include "lib/string.h"
 #include "lib/bitops.h"
 #include "lib/unaligned.h"
+#include <stdio.h>


 #define IP4_ALL_NODES          ipa_build4(224, 0, 0, 1)
@@ -331,7 +332,9 @@ static inline u32 ip4_getbits(ip4_addr a, uint pos, uint n)
 { return (_I(a) >> ((32 - n) - pos)) & ((1u << n) - 1); }

 static inline u32 ip6_getbit(ip6_addr a, uint pos)
-{ return (a.addr[pos / 32] >> (31 - (pos % 32))) & 0x1; }
+{
+fprintf(stderr,"pos=%u\n",pos);
+ return (a.addr[pos / 32] >> (31 - (pos % 32))) & 0x1; }

 static inline u32 ip6_getbits(ip6_addr a, uint pos, uint n)
 { return (a.addr[pos / 32] >> ((32 - n) - (pos % 32))) & ((1u << n) - 1); }


Then run the commands:
autoreconf
./configure
make -j
make check -j
obj/filter/filter_test

You will see the following lines:
pos=127
pos=128 (stack overflow is here)
pos=129
pos=130

pos >= 128 is invalid because a.addr is 4 x u32, not 5 x u32

