192d7900 3 net.c:306:mg_mgr_init MG_IO_SIZE: 16384, TLS: none
192d7900 3 net.c:223:mg_listen 1 4 udp://224.0.0.251:5353
[*] mDNS server on port 5353
[*] Send PTR/TXT/SRV queries to test variants
192d84d3 3 sock.c:360:read_conn 1 4 0:0:0 34 err 0
192d84d3 3 dns.c:438:handle_mdns_query PTR request for _http._tcp
[+] Got mDNS request! Type=12
[+] PTR request for _http._tcp
[VULN-PATH] Setting 300-byte TXT via PTR query path
=================================================================
==5506==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xfad9c2f0033a at pc 0xfad9c5075124 bp 0xffffda9d33f0 sp 0xffffda9d2bd0
WRITE of size 300 at 0xfad9c2f0033a thread T0
    #0 0xfad9c5075120 in memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115
    #1 0xbf7b01c31334 in build_txt_record src/dns.c:390
    #2 0xbf7b01c32a14 in handle_mdns_query src/dns.c:496
    #3 0xbf7b01c33ca8 in handle_mdns_record src/dns.c:575
    #4 0xbf7b01c33d78 in mdns_cb src/dns.c:584
    #5 0xbf7b01c34098 in mg_call src/event.c:21
    #6 0xbf7b01c69578 in iolog src/sock.c:133
    #7 0xbf7b01c6b88c in read_conn src/sock.c:362
    #8 0xbf7b01c708b4 in mg_mgr_poll src/sock.c:783
    #9 0xbf7b01c7c240 in main /data/pruva/runs/17a15ce6-4969-4882-9c55-0a227b0d8ef1/mongoose/tutorials/udp/mdns-sd-server/variant_test.c:57
    #10 0xfad9c4df84c0 (/lib/aarch64-linux-gnu/libc.so.6+0x284c0) (BuildId: d6c205bda1b6e91815f8fef45bdf56bc2239c37e)
    #11 0xfad9c4df8594 in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x28594) (BuildId: d6c205bda1b6e91815f8fef45bdf56bc2239c37e)
    #12 0xbf7b01c2b3ac in _start (/data/pruva/runs/17a15ce6-4969-4882-9c55-0a227b0d8ef1/logs/variant_test+0xb3ac) (BuildId: ce0271d2688811496f2b7bb30700ce2ad8fef68d)

Address 0xfad9c2f0033a is located in stack of thread T0 at offset 826 in frame
    #0 0xbf7b01c313d0 in handle_mdns_query src/dns.c:396

  This frame has 7 object(s):
    [32, 34) 'offset' (line 480)
    [48, 50) 'offset' (line 506)
    [64, 72) 'rr' (line 398)
    [96, 112) 'defname' (line 411)
    [128, 192) 'req' (line 413)
    [224, 480) 'name' (line 408)
    [544, 826) 'buf' (line 405) <== Memory access at offset 826 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115 in memcpy
Shadow bytes around the buggy address:
  0xfad9c2f00080: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00
  0xfad9c2f00100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0xfad9c2f00180: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0xfad9c2f00200: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0xfad9c2f00280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0xfad9c2f00300: 00 00 00 00 00 00 00[02]f3 f3 f3 f3 f3 f3 f3 f3
  0xfad9c2f00380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0xfad9c2f00400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0xfad9c2f00480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0xfad9c2f00500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0xfad9c2f00580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5506==ABORTING
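The report above is a 300-byte memcpy, reached from build_txt_record, landing in the 282-byte stack object 'buf' ([544, 826)) of handle_mdns_query; the shadow byte [02] marks the last partially addressable 8-byte granule of buf, and the f3 bytes after it are the right redzone the write runs into. What the encoder needed was a capacity check before the copy. The following is an added illustration of that check and is not Mongoose's build_txt_record (its signature is not visible in the log); the encoder, buffer sizes and the 300-byte payload are constructed here to mirror the numbers in the report. It also applies the RFC 1035 rule that TXT RDATA is a sequence of <character-string>s of at most 255 bytes each, so a 300-byte value has to be split into two chunks and needs txt_len plus one length byte per chunk.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative TXT RDATA encoder (added example, not Mongoose code).
 * Writes the value as RFC 1035 <character-string>s: a 1-byte length followed
 * by at most 255 bytes, repeated until the value is consumed. Returns the
 * number of bytes written, or -1 if the encoding would not fit in cap bytes.
 * The -1 path is exactly the condition the ASan report catches only after
 * the overflow has already happened. */
static long encode_txt_rdata(const char *txt, size_t txt_len,
                             uint8_t *out, size_t cap) {
  size_t chunks = (txt_len + 254) / 255;
  if (chunks == 0) chunks = 1;       /* empty TXT is one zero-length string */
  size_t need = txt_len + chunks;    /* payload plus one length byte per chunk */
  if (need > cap) return -1;         /* refuse; never write past the caller's buffer */

  size_t in = 0, o = 0;
  do {
    size_t n = txt_len - in;
    if (n > 255) n = 255;
    out[o++] = (uint8_t) n;
    memcpy(out + o, txt + in, n);    /* bounded: o + n <= need <= cap */
    o += n;
    in += n;
  } while (in < txt_len);
  return (long) o;
}

/* Shape of the failing path: a 282-byte stack buffer (the size ASan shows
 * for 'buf') and a 300-byte TXT value (constructed payload, not the one the
 * variant harness sent). Returns the encoder's result: -1 means rejected. */
static long encode_300_into_282(void) {
  uint8_t buf[282];
  char txt[300];
  memset(txt, 'A', sizeof txt);
  return encode_txt_rdata(txt, sizeof txt, buf, sizeof buf);
}

/* Same value into a buffer that is large enough: 255 + 45 bytes in two
 * chunks, 302 bytes in total. */
static long encode_300_into_512(void) {
  uint8_t buf[512];
  char txt[300];
  memset(txt, 'A', sizeof txt);
  return encode_txt_rdata(txt, sizeof txt, buf, sizeof buf);
}

/* Checks the chunk framing of the successful case: first length byte 255,
 * second length byte (at index 256) 45. Returns 1 when both match. */
static int chunk_framing_ok(void) {
  uint8_t buf[512];
  char txt[300];
  memset(txt, 'A', sizeof txt);
  if (encode_txt_rdata(txt, sizeof txt, buf, sizeof buf) != 302) return 0;
  return buf[0] == 255 && buf[256] == 45;
}

int main(void) {
  printf("300-byte TXT into 282-byte buf: %ld (-1 = rejected)\n", encode_300_into_282());
  printf("300-byte TXT into 512-byte buf: %ld bytes, framing %s\n",
         encode_300_into_512(), chunk_framing_ok() ? "ok" : "bad");
  return 0;
}
```

The size check is done once, up front, against the full encoded length rather than per memcpy, so a caller that passes a fixed stack buffer (as handle_mdns_query does with buf) gets a clean error instead of an overwrite of the adjacent frame; a length that comes from a network-influenced path, as the [VULN-PATH] line indicates here, is exactly the kind of input that must never reach memcpy unchecked.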