[systemd-devel] bad memory access in test-dhcp6-client

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Thu Aug 28 07:26:45 PDT 2014


Hi,
when systemd is compiled with --enable-address-sanitizer, $subject happens:

$ build/test-dhcp6-client 
Assertion 'interface_index >= -1' failed at ../src/libsystemd-network/sd-dhcp6-client.c:129, function sd_dhcp6_client_set_index(). Ignoring.
=================================================================
==29135==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe204aa9148 at pc 0x7fe204a5958f bp 0x7fff3e47d470 sp 0x7fff3e47d460
READ of size 1 at 0x7fe204aa9148 thread T0
    #0 0x7fe204a5958e in option_parse_hdr ../src/libsystemd-network/dhcp6-option.c:145
    #1 0x7fe204a59884 in dhcp6_option_parse ../src/libsystemd-network/dhcp6-option.c:165
    #2 0x7fe204a4eb9c in test_advertise_option ../src/libsystemd-network/test-dhcp6-client.c:227
    #3 0x7fe204a51c58 in main ../src/libsystemd-network/test-dhcp6-client.c:584
    #4 0x7fe2031590df in __libc_start_main (/lib64/libc.so.6+0x200df)
    #5 0x7fe204a4cc5b (/home/test/systemd/build/test-dhcp6-client+0x25c5b)

0x7fe204aa9148 is located 2 bytes to the right of global variable 'msg_advertise' from '../src/libsystemd-network/test-dhcp6-client.c' (0x7fe204aa9080) of size 198
0x7fe204aa9148 is located 56 bytes to the left of global variable 'msg_reply' from '../src/libsystemd-network/test-dhcp6-client.c' (0x7fe204aa9180) of size 173
SUMMARY: AddressSanitizer: global-buffer-overflow ../src/libsystemd-network/dhcp6-option.c:145 option_parse_hdr
Shadow bytes around the buggy address:
  0x0ffcc094d1d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcc094d1e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcc094d1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcc094d200: 06 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0ffcc094d210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffcc094d220: 00 00 00 00 00 00 00 00 06[f9]f9 f9 f9 f9 f9 f9
  0x0ffcc094d230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcc094d240: 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ffcc094d250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcc094d260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcc094d270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==29135==ABORTING
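
The report above shows a 1-byte read in option_parse_hdr landing 2 bytes past the end of the 198-byte msg_advertise. As an added example that is not part of the original post and is not systemd's code, here is a bounds-checked DHCPv6 option walk; the names parse_option and count_options and the sample bytes are constructed, and the 2-byte code / 2-byte length header layout is taken from RFC 3315.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helper, not systemd's option_parse_hdr().
 * Assumed header layout (RFC 3315): 2-byte option-code, 2-byte option-len,
 * both big-endian, followed by option-len bytes of data. */
#define OPT_HDR_LEN 4

/* Parse one option at *buf with *buflen bytes remaining. On success advance
 * *buf / *buflen past the option and return 0. Return -ENOMSG when the buffer
 * is cleanly exhausted, -EBADMSG when header or payload would overrun it. */
static int parse_option(const uint8_t **buf, size_t *buflen, uint16_t *code,
                        const uint8_t **data, size_t *len) {
    if (*buflen == 0)
        return -ENOMSG;
    if (*buflen < OPT_HDR_LEN)         /* truncated header: never read it */
        return -EBADMSG;

    const uint8_t *p = *buf;
    size_t l = ((size_t) p[2] << 8) | p[3];
    if (l > *buflen - OPT_HDR_LEN)     /* payload longer than what is left */
        return -EBADMSG;

    *code = (uint16_t) ((p[0] << 8) | p[1]);
    *data = p + OPT_HDR_LEN;
    *len = l;
    *buf += OPT_HDR_LEN + l;
    *buflen -= OPT_HDR_LEN + l;
    return 0;
}

/* Walk a whole options area; return the option count or a negative errno. */
static int count_options(const uint8_t *msg, size_t msglen) {
    uint16_t code; const uint8_t *data; size_t len;
    int n = 0, r;
    while ((r = parse_option(&msg, &msglen, &code, &data, &len)) == 0)
        n++;
    return r == -ENOMSG ? n : r;
}

/* Constructed samples: two well-formed options; a 2-byte tail too short for
 * a header; an option-len (9) larger than the single byte that follows. */
static const uint8_t sample_ok[] = { 0,1, 0,2, 0xaa,0xbb, 0,7, 0,1, 0xff };
static const uint8_t sample_short_hdr[] = { 0,1, 0,0, 0,7 };
static const uint8_t sample_long_len[] = { 0,1, 0,9, 0xaa };

int main(void) {
    return count_options(sample_ok, sizeof sample_ok) == 2 ? 0 : 1;
}
```

Building this with -fsanitize=address and feeding it the two malformed samples produces -EBADMSG instead of a global-buffer-overflow report.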


