fix uninitialized read when stringifying an addrLocal #14728

pull kazcw wants to merge 2 commits into bitcoin:master from kazcw:uninit-scopeid changing 3 files +39 −2
  1. kazcw commented at 10:53 PM on November 14, 2018: contributor

    Reachable from either place where SetIP is used when all of:

    • our best-guess addrLocal for a peer is IPv4
    • the peer tells us it's reaching us at an IPv6 address
    • NET logging is enabled

    In that case, SetIP turns an IPv4 address into an IPv6 address without setting the scopeId, which is subsequently read in GetSockAddr during CNetAddr::ToStringIP and passed to getnameinfo. Fix by ensuring every constructor initializes the scopeId field with something.

  2. sipa commented at 11:15 PM on November 14, 2018: member

    Nice catch. Can you add a test that tests for the old behavior?

  3. fanquake added the label P2P on Nov 15, 2018
  4. in src/netaddress.cpp:73 in 9151f783ca outdated 
      69 | @@ -70,6 +70,7 @@ bool CNetAddr::SetSpecial(const std::string &strName)
  70 |  CNetAddr::CNetAddr(const struct in_addr& ipv4Addr)
  71 |  {
  72 |      SetRaw(NET_IPV4, (const uint8_t*)&ipv4Addr);
  73 | +    scopeId = 0;
    promag commented at 12:41 AM on November 15, 2018:

    I'd go a step further and move scopeId = 0 to static initialization instead:

        uint32_t scopeId{0}; // for scoped/link-local ipv6 addresses
    kazcw commented at 7:50 PM on November 15, 2018:

    Good point! Switched to in-class initialization.

  5. promag commented at 12:46 AM on November 15, 2018: member

    utACK 9151f78.

  6. practicalswift commented at 8:48 AM on November 15, 2018: contributor

    Excellent catch and thanks for another great contribution!

    utACK 9151f783ca53cde718a3895324bd6389e5de6318 modulo @promag's nit

    How did you find this issue?

    I can't believe I didn't catch this issue as part of my routine static analysis runs :-\ I checked now and I had this specific case in multiple analysis reports, but it appears the signal drowned in the noise.

    Would be nice to have the offending code path executed in a test to allow for catching it via dynamic analysis too.

  7. kazcw force-pushed on Nov 15, 2018
  8. practicalswift commented at 9:08 PM on November 15, 2018: contributor

    utACK 04ae6807bc09d52c4738836243cb3dad8845b405

  9. kazcw force-pushed on Nov 15, 2018
  10. kazcw commented at 9:28 PM on November 15, 2018: contributor

    I was looking at the code that relates to a recent bug report. I didn't see the cause of the bug, but I did see this.

    I added a test that successfully fails under -fsanitize=memory without this patch.

  11. in src/test/net_tests.cpp:226 in 262c0b12a8 outdated 
     221 | +    pnode->SetAddrLocal(addrLocal);
 222 | +
 223 | +    // before patch, this causes undefined behavior detectable with clang's -fsanitize=memory
 224 | +    AdvertiseLocal(&*pnode);
 225 | +
 226 | +    // suppress no-checks-run warning; if this test fails, it's by triggering triggering a sanitizer
    practicalswift commented at 9:42 PM on November 15, 2018:

    Double "triggering"? :-)

  12. practicalswift commented at 9:43 PM on November 15, 2018: contributor

    utACK d0b673176b3214e16e4df50dcb65352fbd07969f modulo typo fix :-)

  13. add test demonstrating addrLocal UB 8ebbef0169
  14. fix uninitialized read when stringifying an addrLocal
    Reachable from either place where SetIP is used when our best-guess
addrLocal for a peer is IPv4, but the peer tells us it's reaching us at
an IPv6 address.

In that case, SetIP turns an IPv4 address into an IPv6 address without
setting the scopeId, which is subsequently read in GetSockAddr during
CNetAddr::ToStringIP and passed to getnameinfo. Fix by ensuring every
constructor initializes the scopeId field with something.
    b7b36decaf
  15. kazcw force-pushed on Nov 15, 2018
  16. promag commented at 4:03 PM on November 16, 2018: member

    utACK b7b36de.

  17. practicalswift commented at 4:08 PM on November 16, 2018: contributor

    utACK 8ebbef016928811756e46b9086067d1c826797a8

  18. MarcoFalke commented at 7:00 PM on November 16, 2018: member

    utACK b7b36decaf878a8c1dcfdb4a27196c730043474b

    Makes the code adhere to our developer cpp style guide and also fixes the warning that valgrind yells at me when running valgrind ./src/test/test_bitcoin -t net_tests/ipv4_peer_with_ipv6_addrMe_test.

  19. wailo changes_requested
  20. wailo commented at 8:13 PM on November 17, 2018: none

    I would suggest applying the same change to the ip array unsigned char ip[16] = {0}; and remove the memset call from the constructor. This leaves an empty constructor which can then be marked default.

  21. laanwj commented at 8:15 AM on November 23, 2018: member

    utACK b7b36decaf878a8c1dcfdb4a27196c730043474b @wailo's comment could be done later, but is not related to the fix for UB here

  22. laanwj commented at 8:52 AM on November 23, 2018: member

    re-utACK 8ebbef0

    You're not acking the top commit (b7b36decaf878a8c1dcfdb4a27196c730043474b) is this intentional? (I guess not)

  23. laanwj merged this on Nov 23, 2018
  24. laanwj closed this on Nov 23, 2018
  25. laanwj referenced this in commit 2479b779aa on Nov 23, 2018
  26. practicalswift commented at 8:57 AM on November 23, 2018: contributor

    @laanwj Oh sorry I got the ordering wrong. I meant to re-utACK the latest commit :-)

  27. fanquake added the label Needs backport on Nov 29, 2018
  28. fanquake referenced this in commit 6f04264bbb on Nov 29, 2018
  29. fanquake referenced this in commit b90157891a on Nov 29, 2018
  30. fanquake removed the label Needs backport on Nov 29, 2018
  31. fanquake commented at 10:44 AM on November 29, 2018: member

    Backported in #14835.

  32. MarcoFalke referenced this in commit d8bc0ce1da on Nov 30, 2018
  33. laanwj referenced this in commit 3f12515199 on Jan 9, 2019
  34. laanwj referenced this in commit 070eaf7fe5 on Jan 14, 2019
  35. jasonbcox referenced this in commit eb1893c847 on Dec 6, 2019
  36. jonspock referenced this in commit 6b962b6a2a on Jan 2, 2020
  37. jonspock referenced this in commit a68ae411ad on Jan 2, 2020
  38. jonspock referenced this in commit 89afbd2b31 on Jan 3, 2020
  39. jonspock referenced this in commit 1d6822a997 on Jan 3, 2020
  40. PastaPastaPasta referenced this in commit a5375963f6 on Apr 16, 2020
  41. PastaPastaPasta referenced this in commit 52ab07d4aa on Apr 16, 2020
  42. PastaPastaPasta referenced this in commit 73cdfb7ac6 on Apr 19, 2020
  43. PastaPastaPasta referenced this in commit c78c8ccf57 on Apr 20, 2020
  44. PastaPastaPasta referenced this in commit 82b56774f5 on May 10, 2020
  45. PastaPastaPasta referenced this in commit bd3e07c3ea on May 12, 2020
  46. PastaPastaPasta referenced this in commit 59de1e4169 on Jun 9, 2020
  47. PastaPastaPasta referenced this in commit 6883c14dc4 on Jun 9, 2020
  48. PastaPastaPasta referenced this in commit 0211eecb14 on Jun 10, 2020
  49. PastaPastaPasta referenced this in commit 137aff3b8f on Jun 10, 2020
  50. PastaPastaPasta referenced this in commit 77043b431c on Jun 11, 2020
  51. jonspock referenced this in commit 2e66bc9dd9 on Sep 29, 2020
  52. jonspock referenced this in commit 62b3b3b13c on Sep 29, 2020
  53. jonspock referenced this in commit 614f16eb78 on Oct 10, 2020
  54. random-zebra referenced this in commit 71275c1896 on Jun 9, 2021
  55. pravblockc referenced this in commit a7a5a1c067 on Aug 9, 2021
  56. pravblockc referenced this in commit 8e21d90eed on Aug 11, 2021
  57. pravblockc referenced this in commit 95d588e9b4 on Aug 11, 2021
  58. 5tefan referenced this in commit bfba8f2211 on Aug 12, 2021
  59. DrahtBot locked this on Sep 8, 2021
Contributors
kazcwsipapromagpracticalswiftMarcoFalkewailolaanwjfanquake
Labels
P2P
Linked (view graph)
#14835 [0.17] Further Backports#15109 refactor: Use C++11 default member initializers#15144 [refactor] CNode: Use C++11 default member initializers
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-13 18:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me