Closed
Description
When running a simple app which links with libtransmission from the current master and with the gcc address sanitizer enabled (-fsanitize=address), the app exits with this error:
[2017-07-27 09:59:56.893] RPC Server: Adding address to whitelist: 127.0.0.1
[2017-07-27 09:59:56.893] RPC Server: Adding address to whitelist: ::1
[2017-07-27 09:59:56.898] DHT: Reusing old id
[2017-07-27 09:59:56.898] DHT: Bootstrapping from 78 IPv4 nodes
[2017-07-27 09:59:57.226] Port Forwarding (NAT-PMP): initnatpmp succeeded (0)
[2017-07-27 09:59:57.226] Port Forwarding (NAT-PMP): sendpublicaddressrequest succeeded (2)
=================================================================
==4900==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000b776 at pc 0x7f8e1092b676 bp 0x7f8e0bdf5440 sp 0x7f8e0bdf4be8
READ of size 41 at 0x60800000b776 thread T1
#0 0x7f8e1092b675 in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x77675)
#1 0x4a4d08 in upnpDiscoverDevices /tmp/build/tr/src/tr-build/third-party/miniupnpc/src/miniupnpc/miniupnpc.c:702
#2 0x4a518f in upnpDiscover /tmp/build/tr/src/tr-build/third-party/miniupnpc/src/miniupnpc/miniupnpc.c:763
#3 0x48265e in tr_upnpDiscover (/tmp/build/injector+0x48265e)
#4 0x4829c8 in tr_upnpPulse (/tmp/build/injector+0x4829c8)
#5 0x47be42 in natPulse (/tmp/build/injector+0x47be42)
#6 0x47bff8 in onTimer (/tmp/build/injector+0x47bff8)
#7 0x4af7a7 in event_process_active_single_queue /tmp/build/tr/src/tr-build/third-party/event/src/event/event.c:1368
#8 0x4af7a7 in event_process_active /tmp/build/tr/src/tr-build/third-party/event/src/event/event.c:1438
#9 0x4af7a7 in event_base_loop /tmp/build/tr/src/tr-build/third-party/event/src/event/event.c:1639
#10 0x440015 in libeventThreadFunc (/tmp/build/injector+0x440015)
#11 0x428393 in ThreadFunc (/tmp/build/injector+0x428393)
#12 0x7f8e0f83f6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#13 0x7f8e0f5753dc in clone (/lib/x86_64-linux-gnu/libc.so.6+0x1073dc)
0x60800000b776 is located 0 bytes to the right of 86-byte region [0x60800000b720,0x60800000b776)
allocated by thread T1 here:
#0 0x7f8e1094c602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4a4d31 in upnpDiscoverDevices /tmp/build/tr/src/tr-build/third-party/miniupnpc/src/miniupnpc/miniupnpc.c:710
Thread T1 created by T0 here:
#0 0x7f8e108ea253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x4283f5 in tr_threadNew (/tmp/build/injector+0x4283f5)
#2 0x440146 in tr_eventInit (/tmp/build/injector+0x440146)
#3 0x42ae51 in tr_sessionInit (/tmp/build/injector+0x42ae51)
#4 0x4232b1 in main /tmp/src/injector.cpp:72
#5 0x7f8e0f48e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 memcmp
==4900==ABORTING
It seems that the miniupnpc code Transmission is currently using is quite outdated. I tried to point it to the miniupnpc master and that seems to have fixed the problem.
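An added illustration of the bug class the ASan report points at (not code from Transmission or miniupnpc): a device record whose header and strings share one malloc()ed block, and a duplicate check that memcmp()s the stored string using the incoming string's length, beside the length-checked form that cannot over-read. The struct, field and function names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical record: header plus its strings in ONE malloc()ed block,
 * like the 86-byte region allocated at miniupnpc.c:710 in the report. */
struct dev_rec {
    struct dev_rec *next;
    char *url;        /* NUL-terminated copy living inside buffer[] */
    size_t url_len;
    char buffer[];    /* flexible array: strings follow the header */
};

static struct dev_rec *rec_new(const char *url, size_t url_len)
{
    struct dev_rec *r = malloc(sizeof(*r) + url_len + 1);
    if (r == NULL) return NULL;
    r->next = NULL;
    r->url = r->buffer;
    memcpy(r->url, url, url_len);
    r->url[url_len] = '\0';
    r->url_len = url_len;
    return r;
}

/* Buggy pattern: memcmp() reads 'len' bytes of r->url, but 'len' is the
 * INCOMING length; a shorter stored URL makes the read run off the block. */
static int is_dup_unsafe(const struct dev_rec *list, const char *url, size_t len)
{
    for (const struct dev_rec *r = list; r != NULL; r = r->next)
        if (memcmp(r->url, url, len) == 0 && r->url[len] == '\0')
            return 1;
    return 0;
}

/* Hardened form: compare the stored length first, so memcmp() can never
 * read more bytes than the stored string actually occupies. */
static int is_dup_safe(const struct dev_rec *list, const char *url, size_t len)
{
    for (const struct dev_rec *r = list; r != NULL; r = r->next)
        if (r->url_len == len && memcmp(r->url, url, len) == 0)
            return 1;
    return 0;
}

static void rec_free_list(struct dev_rec *list)
{
    for (struct dev_rec *next; list != NULL; list = next) {
        next = list->next;
        free(list);   /* one free() per record: strings share its block */
    }
}
```

The unsafe variant only behaves while every candidate is no longer than the stored string; the safe variant rejects longer and shorter candidates without touching memory past the record.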