-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Buffer overflow hazard and incorrect return value in iperf_printf(). #1134
Comments
Well that's kinda embarrassing. And I can't even blame this on anybody else...that's my code. Thanks for pointing it out! |
bmah888
added a commit
that referenced
this issue
Apr 9, 2021
Pointed out by @berkakinci. Fixes #1134.
@berkakinci Want to take a look at #1137? Does that fix the problem, as you see it? |
Thanks for jumping on it. I can see how the code here evolved organically :-) |
bmah888
added a commit
that referenced
this issue
Apr 14, 2021
Pointed out by @berkakinci. Fixes #1134. (cherry picked from commit 9e244bb) Signed-off-by: Bruce A. Mah <bmah@es.net>
bmah888
added a commit
that referenced
this issue
Apr 14, 2021
In theory this check should always succeed, given the relative buffer sizes as currently coded. Suggested by @grigorescu Related to #1134. (cherry picked from commit c357829) Signed-off-by: Bruce A. Mah <bmah@es.net>
hanvari
pushed a commit
to hanvari/iperf-1
that referenced
this issue
Jul 8, 2021
Pointed out by @berkakinci. Fixes esnet#1134.
hanvari
pushed a commit
to hanvari/iperf-1
that referenced
this issue
Jul 8, 2021
Pointed out by @berkakinci. Fixes esnet#1134. (cherry picked from commit 9e244bb) Signed-off-by: Bruce A. Mah <bmah@es.net>
hanvari
pushed a commit
to hanvari/iperf-1
that referenced
this issue
Jul 8, 2021
Related to esnet#1134. (cherry picked from commit f9bc608) Signed-off-by: Bruce A. Mah <bmah@es.net>
hanvari
pushed a commit
to hanvari/iperf-1
that referenced
this issue
Jul 8, 2021
In theory this check should always succeed, given the relative buffer sizes as currently coded. Suggested by @grigorescu Related to esnet#1134. (cherry picked from commit c357829) Signed-off-by: Bruce A. Mah <bmah@es.net>
hanvari
added a commit
to hanvari/iperf-1
that referenced
this issue
Jul 22, 2021
commit 7e59b37 Author: Hamid Anvari <hr.anvari@gmail.com> Date: Wed Jul 7 16:15:11 2021 -0600 Adding API function to set debug mode commit 844ba8c Author: Hamid Anvari <hr.anvari@gmail.com> Date: Sat Jul 3 07:50:13 2021 -0600 API functions added for -F, -r, -a, -K, sent-bytes commit e3b3440 Author: Hamid Anvari <hr.anvari@gmail.com> Date: Sat Jul 3 07:17:08 2021 -0600 Adding -K (sender file seek) and -a (receiver append to file) commit df6ca5c Author: Hamid Anvari <hr.anvari@gmail.com> Date: Mon Mar 1 19:57:56 2021 -0700 adding -a switch to allow receiving appending to file in -F mode # Conflicts: (Resolved) # src/iperf.h # src/iperf_api.c commit db2a13c Author: Hamid Anvari <hr.anvari@gmail.com> Date: Fri Feb 19 15:59:59 2021 -0700 Adding -K switch along with -F to allow seek in file # Conflicts: (Resolved) # src/iperf.h # src/iperf_api.c commit 6af2ccc Author: Hamid Anvari <hr.anvari@gmail.com> Date: Tue Feb 2 02:04:07 2021 -0700 Auto adjustment of test-end condition for file-transfer In file transfer mode (-F), if no test-end condition is set, (bytes, blocks, duration), it will automatically adjsut it to file size (in bytes). commit 703bf42 Author: Hamid Anvari <hr.anvari@gmail.com> Date: Fri Feb 19 16:18:53 2021 -0700 Reliable receiving (-r) data as sent by sender Two changes implemented: 1. On client, Following TEST_END signal, it sends the total number of bytes sent for server over control-socket. 2. On server, a. following TEST_END it receives the total number of bytes and sets to test->settings->bytes b. (if reliability requested) it defers the test termination and cleanup until that exact number of bytes are received (timer-based solution) commit e3da02c Author: Bruce A. Mah <bmah@es.net> Date: Wed Jun 30 09:02:34 2021 -0700 fix: Consistently print target_bandwidth in the JSON start section. (esnet#1177) Previously we only did this for TCP tests with non-default -b. Follow-on commit to esnet#1168 and esnet#776. commit 1f70267 Author: TheRealDJ <dj@djsnet.org> Date: Wed Jun 30 11:45:06 2021 -0400 Test bitrate (--bitrate) added to JSON output in {test}{test_start} (esnet#1168) Fixes esnet#1167. commit 1e697e9 Author: Bruce A. Mah <bmah@es.net> Date: Tue Jun 29 17:27:05 2021 -0700 Remove fsync(2) call after every write to a receiving --file. (esnet#1176) This removes a performance pessimization that wasn't really needed in the first place. Fixes esnet#1159. commit 14f1379 Author: Bruce A. Mah <bmah@es.net> Date: Wed Jun 2 15:59:42 2021 -0700 docs: Update for iperf-3.10.1. commit a39c94d Author: Bruce A. Mah <bmah@es.net> Date: Wed Jun 2 15:29:24 2021 -0700 chore: Regen. commit 7dd2034 Author: Bruce A. Mah <bmah@es.net> Date: Wed Jun 2 15:27:44 2021 -0700 Releng 3.10.1 (esnet#1156) Version number bumps and release notes for iperf-3.10.1. commit 579956f Author: Bruce A. Mah <bmah@es.net> Date: Wed Jun 2 08:19:52 2021 -0700 Chore: regen. commit f089962 Author: Bruce A. Mah <bmah@es.net> Date: Wed Jun 2 08:18:37 2021 -0700 fix: Updates for autoconf-2.71 (fix esnet#1154) (esnet#1155) * Reimplement a number of socket option tests for autoconf-2.71. * Reimplement configure test for IP DF. * Use AC_PREREQ. Configuration scripts must be rebuilt with autoconf-2.71 or newer. * Removed obsolete/unneeded tests and in general improve compatibility with autoconf-2.71. commit f25ac13 Author: Bruce A. Mah <bmah@kitchenlab.org> Date: Tue Jun 1 08:26:41 2021 -0700 docs: Update for iperf-3.10. commit 6a0ffd2 Author: Bruce A. Mah <bmah@es.net> Date: Tue Jun 1 08:43:54 2021 -0700 docs: Update for iperf-3.10 manpage. commit 9fc04a3 Author: Bruce A. Mah <bmah@es.net> Date: Wed May 26 15:13:00 2021 -0700 docs: Finalize iperf-3.10 release date. commit 6b35e10 Author: Bruce A. Mah <bmah@es.net> Date: Wed May 26 15:03:59 2021 -0700 Release engineering changes for iperf-3.10 (esnet#1151) * Draft release notes for iperf-3.10. * iperf-3.10 version number bumps. * Update using autoupdate-2.71 from Xcode 12 on macOS Big Sur. * Regen. * docs: Add release notes for recent changes. commit 05d8e68 Author: Bruce A. Mah <bmah@es.net> Date: Fri May 21 15:18:39 2021 -0700 chore: Regen. commit f3f89e4 Author: Bruce A. Mah <bmah@es.net> Date: Fri May 21 15:18:01 2021 -0700 chore: autoupdate commit 54d35c9 Author: Shuo Chen <chenshuo@chenshuo.com> Date: Wed May 19 12:08:02 2021 -0700 Add tcp_info.snd_wnd to JSON output. tcp_info.snd_wnd is available on FreeBSD and NetBSD since TCP_INFO was added. It was added to Linux 5.4 in late 2019 and becomes available in Ubuntu 20.04 and Debian 11. Tested on: * Debian 11 running on x86-64 with this field. * Debian 10 armv7 running on Raspberry Pi 2 without this field. * NetBSD 9.2 armv7 running on Raspberry Pi 3 with this field. * FreeBSD 13 aarch64 running on Raspberry Pi 4 with this field. commit aae27e7 Author: David Bar-On <david.cdb004@gmail.com> Date: Tue May 18 14:44:47 2021 +0300 Fix issue esnet#1143 - make sure terminating error message is inside the JSON output commit 1a69ad8 Author: Bruce A. Mah <bmah@es.net> Date: Fri Apr 16 14:59:31 2021 -0700 fix: Handle a corner case more gracefully. If the buffer happens to be holding exactly a sending chunk size, we no longer arbitrarily quit. While here, use equivalent, easier-to-read tests in a couple places. Discussed with @hanvari Follow-up to esnet#1115. commit 6326901 Author: Hamid Anvari <hr.anvari@gmail.com> Date: Tue Feb 2 01:12:17 2021 -0700 diskfile_send() sent data capped at file-size Issue: `diskfile_send()` unconditional call to `sp->snd2` would result in sending full buffer size everytime, regardless of the file size. Fix: The function updated to check for end-of-file (reading 0 bytes) and, 1. set `sp->pending_size` to appropriate data length available to be sent 2. check for end condition and avoid sending data more than file size. Note: The fix is only for the maximum cap on the data size sent on the network. If other parameters (-t, -n, etc.) yield smaller size or shorter time then needed, the file will still be partially sent to the network. commit 7177f84 Author: Bruce A. Mah <bmah@es.net> Date: Mon Apr 12 13:12:11 2021 -0700 Make sure we don't pass in a negative buffer size. In theory this check should always succeed, given the relative buffer sizes as currently coded. Suggested by @grigorescu Related to esnet#1134. (cherry picked from commit c357829) Signed-off-by: Bruce A. Mah <bmah@es.net> commit 88c4898 Author: Bruce A. Mah <bmah@es.net> Date: Mon Apr 12 11:38:24 2021 -0700 enh: Move iperf_printf's buffer off the stack. (cherry picked from commit 528cea5) Signed-off-by: Bruce A. Mah <bmah@es.net> commit b1d7664 Author: Bruce A. Mah <bmah@es.net> Date: Mon Apr 12 11:34:57 2021 -0700 fix: Do a better job of counting bytes in iperf_printf. Related to esnet#1134. (cherry picked from commit f9bc608) Signed-off-by: Bruce A. Mah <bmah@es.net> commit a3b938c Author: Bruce A. Mah <bmah@es.net> Date: Fri Apr 9 16:56:36 2021 -0700 fix: Fix a couple of buffer overrun hazards. Pointed out by @berkakinci. Fixes esnet#1134. (cherry picked from commit 9e244bb) Signed-off-by: Bruce A. Mah <bmah@es.net> commit f488582 Author: Bruce A. Mah <bmah@kitchenlab.org> Date: Wed Apr 14 10:16:34 2021 -0700 Revert "fix: Fix a couple of buffer overrun hazards." commit 7bf6ebe Author: Bruce A. Mah <bmah@es.net> Date: Mon Apr 12 13:12:11 2021 -0700 Make sure we don't pass in a negative buffer size. In theory this check should always succeed, given the relative buffer sizes as currently coded. commit 7155dab Author: Bruce A. Mah <bmah@es.net> Date: Mon Apr 12 11:38:24 2021 -0700 enh: Move iperf_printf's buffer off the stack. commit 6d6d3ec Author: Bruce A. Mah <bmah@es.net> Date: Mon Apr 12 11:34:57 2021 -0700 fix: Do a better job of counting bytes in iperf_printf. commit 691c474 Author: Bruce A. Mah <bmah@es.net> Date: Fri Apr 9 16:56:36 2021 -0700 fix: Fix a couple of buffer overrun hazards. Pointed out by @berkakinci. Fixes esnet#1134. commit b3772db Author: Bruce A. Mah <bmah@es.net> Date: Wed Apr 14 08:31:07 2021 -0700 fix: Handle correctly some errors on initial client connect. (esnet#1139) This is a mostly-cosmetic reimplementation of pull request esnet#1128. Original commit log: Fix two issues that caused an active TCP test to terminate if a new connection request was received while in streams creation phase. One issue was in iperf_tcp_accept() - after identifying that the cookies of the new connection if from a new client, error was returned which caused the active test to terminate. The other issue was in iperf_run_server() where congestion alg was set for the new client, although the stream to it was already closed by iperf_tcp_accept(). That also cause the active test to terminate. Another minor issue that was fixed is that after a client received a failure state (negative state) from the server, iperf_client_end() still tried to send back IPERF_DONE to the server. That caused the client to issue failure message of "unable to send control message: Connection reset by peer" instead of "the server is busy running a test". Originally submitted by: @davidBar-On commit cbf0745 Author: Bruce A. Mah <bmah@es.net> Date: Tue Apr 13 14:22:30 2021 -0700 fix: Follow-up commit for esnet#1138 to fix a couple misspellings. No functional changes. commit 4296c4d Author: David Bar-On <61089727+davidBar-On@users.noreply.github.com> Date: Wed Apr 14 00:19:00 2021 +0300 enh: do not fail when new connection is refused during a running test (esnet#1138) Fixes esnet#1135. commit 99d598d Author: Bruce A. Mah <bmah@es.net> Date: Fri Apr 9 12:47:06 2021 -0700 fix: Don't try to close the control connection if it never got opened. (esnet#1136) This prevents an "undefined socket" error, which can be incorrect if the control connection didn't get opened due to a (for example) "connection refused" type error. This can be tested by running iperf3 in client mode and pointing it towards a non-existent (or not-running) server. Fixes esnet#1129 (esnet#1132 was an earlier, partial fix). commit 931dfab Author: David Bar-On <61089727+davidBar-On@users.noreply.github.com> Date: Fri Apr 9 22:33:06 2021 +0300 Fix issue 1129 for not sending stat to to undefined socket (esnet#1132) This fix avoids trying to do operations on a socket that was never opened successfully. commit 4e2b847 Author: David Bar-On <61089727+davidBar-On@users.noreply.github.com> Date: Mon Mar 15 21:18:00 2021 +0200 Fix issue 1061 - not fail in WSL1 when cannot get default congestion alg name (esnet#1126) commit 23ca534 Author: Bruce A. Mah <bmah@es.net> Date: Fri Feb 26 13:49:00 2021 -0800 enh: Wording fixes in various messages, document --rcv-timeout in manpage. Follow-up to esnet#1123. Pet copyrights where appropriate. commit 5603721 Author: David Bar-On <61089727+davidBar-On@users.noreply.github.com> Date: Fri Feb 26 22:39:06 2021 +0200 enh: Add --rcv-timeout option (esnet#1125) Enhancement to PR esnet#1101 - add --rcv-timeout option to allow setting the timeout for receiving packet from the sender in a running test, instead of the constant 120 seconds set in esnet#1101. This is to allow short timeout, so the server will not be "busy" for long time doing nothing. Also, the resolution is set to ms (with minimum of 100ms), as at least in fast networks that may be required. Since both the server and the client can be a sender, the option is allowed for both. The server setting is for all tests - the client is not sending its --rcv-timeout setting to the server. While changing the help message, few printf constants from other help lines were changed to parameters. commit a49c09d Author: David Bar-On <61089727+davidBar-On@users.noreply.github.com> Date: Thu Feb 25 18:22:10 2021 +0200 fix: Remove the inclusion of tcp.h as it is included by iperf.h (esnet#1122) This fixes a build breakage on Alpine Linux, where tcp.h was explicitly included in src/net.c before _GNU_SOURCE was defined in iperf.h. commit 24aff75 Author: David Bar-On <61089727+davidBar-On@users.noreply.github.com> Date: Wed Feb 17 00:28:54 2021 +0200 IP don't fragment support (esnet#1119) Adds an --dont-fragment flag that sets the DF flag in the header for UDP/IPv4 tests. Co-authored-by: root <root@DESKTOP-L81E90U.localdomain> Co-authored-by: Bruce A. Mah <bmah@es.net> commit 776fda3 Author: Bruce A. Mah <bmah@es.net> Date: Mon Feb 8 14:54:11 2021 -0800 Issue 1118 (esnet#1121) * fix: Correctly emit JSON for --server --json. Put extra error diagnostic information behind --verbose, to avoid putting extra "error" members in JSON output. Fixes esnet#1118. commit a9ec05d Author: Hamid Anvari <hr.anvari@gmail.com> Date: Fri Feb 5 17:04:56 2021 -0700 Fix/Optimize test termination condition check (esnet#1114) `test->done` represents the test completion. In some modes, duration-based (-t) test, and file-transfer (-F) in particular, the `test->done` is set during the timeout handler or file-transfer functions. For such configurations, and in general, `test->done` being set is sufficient condition for terminating the test. This commit generalizes the condition check to `test->done`, removing the clause which limtis this condition case to duration-based test only. commit dc67ced Author: Hamid Anvari <hr.anvari@gmail.com> Date: Fri Feb 5 16:59:35 2021 -0700 Fix iperf_send() termination test in bytes/blocks mode (esnet#1113) In iperf_send() function, the check for termination test in bytes/blocks mode is at the end of the iteration loop for multisend (outer loop) and streams (inner loop). If for any iteration of multisend (outer) loop bytes/blocks sent reaches the desired limit, it still continues to send data until the loop is exhausted. (The `break;` command does not help, since it is already inside the streams (inner) loop). This is a simple fix which brings the condition check to the beginning of the inner loop, so it will skip the iteration if the bytes/blocks count is already reached the target; hence avoiding to send more data to the network. commit c98e8f9 Author: Hamid Anvari <hr.anvari@gmail.com> Date: Thu Feb 4 16:16:38 2021 -0700 API interface for setting/getting congestion control (esnet#1036) (esnet#1112) Same restrictions/compatibility applies as the CLI -C/--congestion options. (Linux and FreeBSD only) Fixes esnet#1036 commit ff93e56 Author: Bruce A. Mah <bmah@es.net> Date: Thu Feb 4 08:47:13 2021 -0800 fix: Don't write trailing NUL to pidfile. Fixes esnet#1120. commit d273cf1 Author: Wojciech Jowsa <w.jowsa@celerway.com> Date: Thu Feb 4 17:30:47 2021 +0100 Enable writing to pidfile in client mode (esnet#1110) commit 0622241 Author: David Bar-On <61089727+davidBar-On@users.noreply.github.com> Date: Tue Feb 2 02:26:42 2021 +0200 Server select timeout to prevent server to get stuck because of client or network errors (esnet#1101) commit 7bb1917 Author: Bruce A. Mah <bmah@es.net> Date: Fri Jan 15 11:10:06 2021 -0800 chore: Copyright date bumps for 2021. commit d4604ad Author: Bruce A. Mah <bmah@es.net> Date: Fri Jan 15 08:02:52 2021 -0800 fix: Minor memory leak with -P. (esnet#1103) For every new connection we saved the name of the congestion control algorithm, but if there were multiple connections we'd leak all but the last name. Fixes esnet#1100. commit 35eb7e7 Author: Bruce A. Mah <bmah@es.net> Date: Tue Dec 22 15:52:24 2020 -0800 enh: Support SO_BINDTODEVICE (esnet#1097) This lets iperf work better with multi-homed machines and VRF. Fixes esnet#1089. Based on a patch by Ben Greear <greearb@candelatech.com> via PR esnet#817. Co-authored-by: Ben Greear <greearb@candelatech.com> commit e613604 Author: Tony Weng <42433350+hyswtj@users.noreply.github.com> Date: Tue Dec 22 02:29:36 2020 +0800 fix (tcp): Fix behavior with partial sends when using -k with TCP (esnet#1082) We now only count an attempted send once all of its bytes are sent (and will perform partial sends if necessary to finish sending all the bytes). Previously, partial sends were counted as completed, for the purpose of the -k option. commit 18ed675 Author: jtluka <jtluka@redhat.com> Date: Wed Dec 16 02:54:05 2020 +0100 iperf_server_api: start calculating CPU utilization right before TEST_START (esnet#1077) Fixes issue 1076. Signed-off-by: Jan Tluka <jtluka@redhat.com> commit 6834f61 Author: Bruce A. Mah <bmah@es.net> Date: Mon Dec 7 14:10:56 2020 -0800 Issue 1079 (esnet#1091) * docs: Add a few notes about RSA key formats used for auth. * enh(auth): If we can't read key files, emit appropriate OpenSSL error. Fixes esnet#1079. commit 77dafba Author: David Bar-On <61089727+davidBar-On@users.noreply.github.com> Date: Fri Dec 4 18:26:53 2020 +0200 Bitrate throttling when burst is specified (esnet#1090) When the -b option specifies a burst value, throttling the bitrate does not work. This is because iperf_check_throttle() does not perform the check when burst value was defined. This change removes the dependency of iperf_check_throttle() on the burst value and moves that check to the caller of that function. (Except for the call by send_timer_proc() which does not seem to be related to the change.) commit 29a709d Author: David Bar-On <61089727+davidBar-On@users.noreply.github.com> Date: Fri Dec 4 18:19:08 2020 +0200 Closing server prot_listener socket after stream setup failure (esnet#1084) Making sure the server closes prot_listener socket at the end of a session with a client. Without this change the socket may remain open, for example when there is a failure during the UDP stream establishment because the --window value is too high. Closing the socket was added to cleanup_server() as it seems to handle all cases where the socket may remain open. commit b286f82 Author: Bruce A. Mah <bmah@es.net> Date: Tue Dec 1 09:14:36 2020 -0800 fix: Hide auth diagnostics behind --debug to avoid polluting JSON output. (esnet#1087) Fixes esnet#1086. While here, fix wording of an error message. commit e3d86bb Author: ralcini <roberto.alcini@gmail.com> Date: Thu Nov 12 02:27:47 2020 +0100 Configurable value for time drift between client/server for authentication request issue1065 (esnet#1070) * Issue 1065 * feat: Allow to configure a custom value for time drift between client/server for authentication The use case is to support scenarios where it's not possible to enforce sync between client and server times. * enh: drift redefined with skew Co-authored-by: Francesco Marino <francesco.marino@cybaze.it> commit f853b68 Author: Brian Tierney <tierney@nersc-tbn-1.testbed100.es.net> Date: Fri Jun 4 15:31:34 2021 -0700 add a sleep of 1 second to even numbered streams for CC testing commit 592ff1f Author: Brian Tierney <bltierney@gmail.com> Date: Mon May 10 14:40:01 2021 -0700 added random sleep commit c2fcd0a Author: Brian Tierney <bltierney@gmail.com> Date: Wed Nov 4 09:01:03 2020 -0800 version that only applies -C flag to even numbered streams, and leave the others as the system default
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Context
While discussing PR #1133, I realized there is a buffer overflow hazard and an incorrect return value on iperf_printf()
Version of iperf3:
master as of 53a6830
Hardware:
All
Operating system (and distribution, if any):
All
Other relevant information (for example, non-default compilers,
libraries, cross-compiling, etc.):
Found in code inspection. I have not verified if callers allow
iperf_printf()
to overflow buffers, but it appears possible.Bug Report
iperf_printf()
is called.Actual Behavior
iperf_printf()
uses an internal bufferlinebuffer[1024]
without bounds checking, and with incorrect bounds checking in vsnprintf().iperf_printf()
returns incorrect number of characters written. The returned count does not include the timestamp or title written to output.Steps to Reproduce
None
Possible Solution
Use of
snprintf()
Correct use of
vsnprintf()
Please submit patches or code changes as a pull request.
I will attempt this fix unless someone jumps on it in the next few days.
The text was updated successfully, but these errors were encountered: