Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address Sanitizer Issue, Fix Stack buffer reference after it has gone… #3034

Merged
merged 3 commits into from
Oct 7, 2024
Merged

Address Sanitizer Issue, Fix Stack buffer reference after it has gone… #3034

merged 3 commits into from
Oct 7, 2024

Conversation

jlsantiago0
Copy link
Contributor

@jlsantiago0 jlsantiago0 commented Oct 3, 2024
edited
Loading

Address Sanitizer Issue, Fix Stack buffer reference after it has gone out of scope.


==1873251==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7fe0a779a88c at pc 0x000001c942ad bp 0x7fe0a876c9c0 sp 0x7fe0a876c9b8
READ of size 4 at 0x7fe0a779a88c thread T17
    #0 0x1c942ac in srt::CChannel::getTargetAddress(msghdr const&) const /mnt/jlsws2/dev/orthrus/master/src/vendor/utils/haisrt/srt-1.5.4-rc.1/srtcore/channel.h:218:57
    #1 0x1c9384a in srt::CChannel::recvfrom(srt::sockaddr_any&, srt::CPacket&) const /mnt/jlsws2/dev/orthrus/master/src/vendor/utils/haisrt/srt-1.5.4-rc.1/srtcore/channel.cpp:944:31
    #2 0x1dd9c3d in srt::CRcvQueue::worker_RetrieveUnit(int&, srt::CUnit*&, srt::sockaddr_any&) /mnt/jlsws2/dev/orthrus/master/src/vendor/utils/haisrt/srt-1.5.4-rc.1/srtcore/queue.cpp:1407:35
    #3 0x1dd8817 in srt::CRcvQueue::worker(void*) /mnt/jlsws2/dev/orthrus/master/src/vendor/utils/haisrt/srt-1.5.4-rc.1/srtcore/queue.cpp:1246:43
    #4 0x7fe0d5fbc668 in asan_thread_start(void*) ../../../llvm-project-llvmorg-18.1.8/compiler-rt/lib/asan/asan_interceptors.cpp:239:28
    #5 0x7fe0c36a339c in start_thread /usr/src/debug/glibc/glibc/nptl/pthread_create.c:447:8
    #6 0x7fe0c372849b in __GI___clone3 /usr/src/debug/glibc/glibc/misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

Address 0x7fe0a779a88c is located in stack of thread T17 at offset 140 in frame
    #0 0x1c9357f in srt::CChannel::recvfrom(srt::sockaddr_any&, srt::CPacket&) const /mnt/jlsws2/dev/orthrus/master/src/vendor/utils/haisrt/srt-1.5.4-rc.1/srtcore/channel.cpp:841

  This frame has 3 object(s):
    [32, 88) 'mh' (line 865)
    [128, 216) 'mh_crtl_buf' (line 881) <== Memory access at offset 140 is inside this variable
    [256, 288) 'ref.tmp' (line 944)

The stack variable object mh after call to recvmsg will reference data contained in the stack buffer mh_crtl_buf . This data is then referenced by a later call to getTargetAddress(mh), but the stack buffer has already gone out of scope. This PR moves the stack variable outside of the conditional block scope so that it is still in scope while it is being referenced later on in this method.

Issue uncovered by using the CLANG Address Sanitizer.

ethouris
ethouris reviewed Oct 4, 2024
View reviewed changes
srtcore/channel.cpp Outdated Show resolved Hide resolved
ethouris
ethouris reviewed Oct 4, 2024
View reviewed changes
srtcore/channel.cpp Outdated Show resolved Hide resolved
jlsantiago0 and others added 2 commits October 4, 2024 08:41
@jlsantiago0 @ethouris
Update srtcore/channel.cpp
e8d90c3 
Remove unneeded comment.

Co-authored-by: Sektor van Skijlen <ethouris@gmail.com>
@jlsantiago0 @ethouris
Update srtcore/channel.cpp
8cd49e2 
Cleanup the Comment.

Co-authored-by: Sektor van Skijlen <ethouris@gmail.com>
@maxsharabayko maxsharabayko added this to the v1.5.4 milestone Oct 7, 2024
@maxsharabayko maxsharabayko added Type: Bug Indicates an unexpected problem or unintended behavior [core] Area: Changes in SRT library core labels Oct 7, 2024
@maxsharabayko maxsharabayko merged commit 62f46aa into Haivision:master Oct 7, 2024
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ethouris ethouris ethouris left review comments

Assignees
No one assigned
Labels
[core] Area: Changes in SRT library core Type: Bug Indicates an unexpected problem or unintended behavior
Projects
None yet
Milestone
v1.5.4
Development

Successfully merging this pull request may close these issues.
3 participants
@jlsantiago0 @ethouris @maxsharabayko