SEGV in function Iec104_Deal_FirmUpdate #17

Open
umxyz opened this issue Sep 23, 2019 · 0 comments

umxyz commented Sep 23, 2019

I used gcc 5.4.0 with `CFLAGS=-g -fsanitize=address CXXFLAGS=-g -fsanitize=address LDFLAGS=-fsanitize=address` to compile IEC104, and used `LD_PRELOAD=/root/preeny/x86_64-linux-gnu/desock.so ./iec104_monitor -m server -n 1 < test_case` to run the program, and I found a SEGV in `IEC10X/Iec104.c`, function `Iec104_Deal_FirmUpdate`.

Here is the code:

```c
if(CsumTemp == csum){
    LOG("-%s-,data:%d,Len:%d,seek:%d \n",__FUNCTION__,FlagNum,DataLen,Iec10x_Update_SeekAddr);
    for(i=0; i<3; i++){
        ret = IEC10X->SaveFirmware(DataLen,DataPtr,FirmwareType, Iec10x_Update_SeekAddr);
        if(ret == RET_SUCESS)
            break;
    }
    if(ret == RET_ERROR){
        LOG("save firmware error \n");
        break;
    }

    FirmFlagCount = FlagNum;
    Iec10x_Update_SeekAddr+=DataLen;
}
```

It seems that you do not check the situation where `DataLen` and `FirmwareType` take unexpected values, which causes the program to exit unexpectedly.

The ASAN output:

```
Register "Linux" IEC104 Success, < HuiXing 2014-2015 > ...
mode :(0), port: (0), ip: (), station num: (1)
Iec104 Server Mode
Iec104 Socket Ok(10000) !
Iec104 Bind Ok(10000) !
Iec104 Listen Ok(10000)
feilong:Iec104 Listen Ok(10000)
feilong:Waiting for connection
Accept ok!
Server start get connect from 0 : 0x2328
#####################received
[DumpHEX]Length:260
68:00:68:00:68:00:68:0f    68:00:00:00:02:00:00:68
00:00:00:70:68:01:4e:68    0f:68:00:68:00:6e:21:00
68:00:00:68:7f:00:68:00    68:01:13:68:0f:68:00:68
00:80:01:0e:10:00:00:00    68:00:48:00:68:0f:68:00
68:00:80:00:00:68:00:00    00:70:68:01:70:68:0f:68
00:68:00:6e:21:00:68:00    00:68:68:00:68:00:68:01
13:68:0f:68:00:68:00:80    01:0e:10:00:68:00:68:00
68:00:68:0f:68:00:00:00    02:00:00:68:00:00:00:70
68:01:4e:68:0f:68:00:68    00:6e:21:00:68:00:00:68
7f:00:68:00:68:01:13:68    0f:68:00:68:00:80:01:0e
10:00:00:00:68:00:48:00    68:0f:83:00:68:00:80:00
00:68:00:00:00:70:68:01    70:68:0f:68:00:68:00:6e
21:00:68:00:00:68:68:00    68:00:68:01:13:68:0f:68
00:68:00:80:01:0e:10:00    00:00:68:00:48:00:68:10
68:00:82:00:80:01:0e:00    00:00:00:68:00:01:00:00
ff:68:00:82:00:80:01:ff    00:00:00:00:68:00:48:00
0e:10:00:00
-Iex104_Receive-,Frame Type I
Receive Pakage I(52,52), Send(0,0)
-Iec104_Deal_I-, error Type(104)
-Iex104_Receive-,Frame Type I
-Iec104_Deal_I-, error asdu addr(0)(2)
-Iex104_Receive-,Frame Type I
-Iec104_Deal_I-, error asdu addr(0)(6800)
-Iex104_Receive-,Frame Type I
Receive Pakage I(52,0), Send(0,53)
-Iec104_Deal_SN-, error,send last(52),now(52). recv last(52),now(0)
-Iex104_Receive-,Frame Type I
Receive Pakage I(52,52), Send(0,53)
-Iec104_Deal_I-, error Type(110)
-Iex104_Receive-,Frame Type U
>Iec104_Deal_U<, function STOPDT
IEC10X_Enqueue,Prio(0) elementNum(0)len(6)(6)
-Iex104_Receive-,Frame Type I
Receive Pakage I(52,52), Send(0,53)
++++Asdu Type Firmware Update...
update flag error! need:1,flag:72
-Iex104_Receive-,Frame Type I
Receive Pakage I(52,52), Send(0,53)
++++Asdu Type Firmware Update...
-Iec104_Deal_FirmUpdate-,data:28673,Len:17 error cot:
-Iex104_Receive-,Frame Type I
Receive Pakage I(52,52), Send(0,53)
-Iec104_Deal_I-, error Type(110)
-Iex104_Receive-,Frame Type U
>Iec104_Deal_U<, function STOPDT
IEC10X_Enqueue,Prio(0) elementNum(1)len(6)(6)
-Iex104_Receive-,Frame Type I
-Iec104_Deal_I-, error asdu addr(0)(6800)
-Iex104_Receive-,Frame Type I
Receive Pakage I(52,0), Send(0,53)
-Iec104_Deal_SN-, error,send last(52),now(52). recv last(52),now(0)
-Iex104_Receive-,Frame Type I
Receive Pakage I(52,52), Send(0,53)
-Iec104_Deal_I-, error Type(110)
-Iex104_Receive-,Frame Type U
>Iec104_Deal_U<, function STOPDT
IEC10X_Enqueue,Prio(0) elementNum(2)len(6)(6)
-Iex104_Receive-,Frame Type I
Receive Pakage I(52,52), Send(0,53)
++++Asdu Type Firmware Update...
update flag error! need:1,flag:72
-Iex104_Receive-,Frame Type U
>Iec104_Deal_U<, function TESTER ACK
-Iex104_Receive-,Frame Type I
Receive Pakage I(52,52), Send(0,53)
-Iec104_Deal_I-, error Type(110)
-Iex104_Receive-,Frame Type U
>Iec104_Deal_U<, function STOPDT
IEC10X_Enqueue,Prio(0) elementNum(3)len(6)(6)
-Iex104_Receive-,Frame Type I
Receive Pakage I(52,52), Send(0,53)
++++Asdu Type Firmware Update...
update flag error! need:1,flag:72
-Iex104_Receive-,Frame Type I
Receive Pakage I(52,65), Send(0,53)
++++Asdu Type Firmware Update...
-Iec104_Deal_FirmUpdate-,data:1,Len:0,seek:0
ASAN:SIGSEGV
=================================================================
==29593==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000000000 bp 0x7fff4b4c5720 sp 0x7fff4b4c5618 T0)
==29593==Hint: pc points to the zero page.

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==29593==ABORTING
```
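The report shows the handler reaching `SaveFirmware` with `Len:0` and the crash landing at `pc 0x0`, which is what a call through a NULL function pointer looks like. The following is an added example, not code from the IEC104 project, of how the dispatch could validate the ASDU fields and the callback before calling it; `RET_SUCESS`/`RET_ERROR` are taken from the snippet above, while `Iec10xOps`, `FIRM_MAX_LEN`, the `FIRM_TYPE_*` values and the `FakeSave` backend are assumptions made up for this example.

```c
#include <stdint.h>
#include <string.h>

/* Stand-ins for the project's constants/types (assumed for this example, not IEC10X's). */
#define RET_SUCESS 0
#define RET_ERROR  (-1)
#define FIRM_MAX_LEN   512  /* assumed upper bound for one firmware chunk */
#define FIRM_TYPE_APP  1    /* assumed valid FirmwareType values */
#define FIRM_TYPE_BOOT 2
typedef int (*SaveFirmwareFn)(uint16_t DataLen, const uint8_t *DataPtr,
                              uint8_t FirmwareType, uint32_t SeekAddr);
typedef struct {
    SaveFirmwareFn SaveFirmware;  /* may be NULL on a port without a flash backend */
} Iec10xOps;

/* Validate the ASDU fields and the callback before dispatching: returns RET_ERROR
 * instead of calling through a NULL pointer (pc 0x0 in the ASAN report) or
 * handing an out-of-range length/type to the backend. */
int Iec104_SaveFirmwareChecked(const Iec10xOps *ops, uint16_t DataLen,
                               const uint8_t *DataPtr, uint8_t FirmwareType,
                               uint32_t *SeekAddr)
{
    if (ops == NULL || ops->SaveFirmware == NULL || SeekAddr == NULL)
        return RET_ERROR;
    if (DataPtr == NULL || DataLen == 0 || DataLen > FIRM_MAX_LEN)
        return RET_ERROR;
    if (FirmwareType != FIRM_TYPE_APP && FirmwareType != FIRM_TYPE_BOOT)
        return RET_ERROR;
    if (*SeekAddr > UINT32_MAX - DataLen)   /* seek address would wrap around */
        return RET_ERROR;

    int ret = RET_ERROR;
    for (int i = 0; i < 3; i++) {           /* same three-attempt retry as the handler */
        ret = ops->SaveFirmware(DataLen, DataPtr, FirmwareType, *SeekAddr);
        if (ret == RET_SUCESS)
            break;
    }
    if (ret == RET_SUCESS)
        *SeekAddr += DataLen;               /* advance only after a confirmed write */
    return ret;
}
/* Toy backend standing in for a flash writer: copies the chunk into a buffer. */
static uint8_t g_flash[FIRM_MAX_LEN * 2];
static int FakeSave(uint16_t len, const uint8_t *p, uint8_t type, uint32_t seek)
{
    (void)type;
    if ((size_t)seek + len > sizeof g_flash) return RET_ERROR;
    memcpy(g_flash + seek, p, len);
    return RET_SUCESS;
}
```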