---

**[tickets:#3358] amf: amfd coredump with buffer overflow**

**Status:** unassigned
**Milestone:** 5.24.09
**Created:** Mon Aug 12, 2024 06:33 AM UTC by Thien Minh Huynh
**Last Updated:** Mon Aug 12, 2024 06:33 AM UTC
**Owner:** nobody


A coredump happens when creating an application with the attribute value "saAmfCtDefCmdEnv" greater than 256 characters.

Change SaAmfCompType in amf_demo to the value below to reproduce the issue.
~~~
<object class="SaAmfCompType">
<dn>safVersion=1,safCompType=AmfDemo1</dn>
<attr>
            <name>saAmfCtDefCmdEnv</name>
            
<value>AMF_DEMO_VAR1=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</value>
</attr>
</object>
~~~

~~~
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/local/lib/opensaf/osafamfd'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
[Current thread is 1 (Thread 0x7f8f1d6d3f80 (LWP 297))]
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f8f1d8d7859 in __GI_abort () at abort.c:79
#2  0x00007f8f1d94226e in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f8f1da6c08f "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007f8f1d9e4cda in __GI___fortify_fail (msg=msg@entry=0x7f8f1da6c025 "buffer overflow detected") at fortify_fail.c:26
#4  0x00007f8f1d9e3576 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007f8f1d9e2e56 in __strcpy_chk (dest=dest@entry=0x5591a0aecd48 "", src=0x5591a0af1dfc "TESTENV=", 'x' <repeats 192 times>..., destlen=destlen@entry=256) at strcpy_chk.c:30
#6  0x00005591a0707022 in strcpy (__src=<optimized out>, __dest=0x5591a0aecd48 "") at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:90
#7  comptype_create (dn="safVersion=1,safCompType=AmfDemo1", attributes=0x5591a0af175c) at src/amf/amfd/comptype.cc:100
#8  0x00005591a0708f2b in comptype_ccb_apply_cb (opdata=<optimized out>) at /usr/include/c++/10/ext/new_allocator.h:89
#9  0x00005591a07247a6 in ccb_apply_cb (immoi_handle=<optimized out>, ccb_id=<optimized out>) at src/amf/amfd/imm.cc:1265
#10 0x00007f8f1dd9f65c in imma_process_callback_info (cb=0x7f8f1ddae320 <imma_cb>, cl_node=<optimized out>, callback=0x7f8f10017d90, immHandle=<optimized out>) at src/imm/agent/imma_proc.cc:2539
#11 0x00007f8f1dda1ad1 in imma_hdl_callbk_dispatch_all (cb=0x7f8f1ddae320 <imma_cb>, immHandle=<optimized out>) at src/imm/agent/imma_proc.cc:1868
#12 0x00007f8f1dd98317 in saImmOiDispatch (immOiHandle=<optimized out>, dispatchFlags=SA_DISPATCH_ALL) at src/imm/agent/imma_oi_api.cc:642
#13 0x00005591a072696b in main_loop () at src/amf/amfd/main.cc:746
#14 0x00005591a06d5fba in main (argc=<optimized out>, argv=<optimized out>) at src/amf/amfd/main.cc:883
~~~
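The backtrace shows an unchecked `strcpy` in `comptype_create` (src/amf/amfd/comptype.cc:100) into a destination with `destlen=256`. The sketch below is an added example, not OpenSAF code and not the project's fix: it shows a bounded copy that rejects an over-long attribute value instead of aborting. The names `struct comp_type`, `set_cmd_env`, `make_value` and `CMD_ENV_MAX` are hypothetical; only the 256-byte size comes from the trace.

```c
#include <stdio.h>
#include <string.h>

#define CMD_ENV_MAX 256 /* destination size; destlen=256 in the backtrace */

/* Hypothetical stand-in for the record that holds the attribute. */
struct comp_type {
    char cmd_env[CMD_ENV_MAX];
};

enum copy_result { COPY_OK = 0, COPY_TOO_LONG = -1, COPY_BAD_ARG = -2 };

/* Bounded replacement for strcpy(ct->cmd_env, value): a value that does not
 * fit with its terminating NUL is rejected, not truncated, and the field is
 * left unchanged so the caller can fail the configuration change. */
static enum copy_result set_cmd_env(struct comp_type *ct, const char *value)
{
    if (ct == NULL || value == NULL)
        return COPY_BAD_ARG;
    /* Look for the NUL within the first CMD_ENV_MAX bytes only. */
    const char *end = memchr(value, '\0', CMD_ENV_MAX);
    if (end == NULL)
        return COPY_TOO_LONG;
    memcpy(ct->cmd_env, value, (size_t)(end - value) + 1);
    return COPY_OK;
}

/* Constructed input: "AMF_DEMO_VAR1=" padded with 'x' to `total` characters.
 * `out` must have room for total + 1 bytes. */
static void make_value(char *out, size_t total)
{
    static const char prefix[] = "AMF_DEMO_VAR1=";
    memset(out, 'x', total);
    out[total] = '\0';
    if (total >= sizeof prefix - 1)
        memcpy(out, prefix, sizeof prefix - 1);
}

int main(void)
{
    struct comp_type ct = { "" };
    char value[512];
    size_t lens[] = { 64, 255, 256, 300 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        make_value(value, lens[i]);
        printf("len=%zu -> %d\n", lens[i], set_cmd_env(&ct, value));
    }
    return 0;
}
```

Rejecting the value at validation time keeps the daemon running and surfaces the problem to whoever submitted the configuration; silent truncation would instead store a different environment string than the one requested.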

