[Boost-bugs] [Boost C++ Libraries] #13111: Out-of-bounds access for asio consuming buffers

Subject: [Boost-bugs] [Boost C++ Libraries] #13111: Out-of-bounds access for asio consuming buffers
From: Boost C++ Libraries (noreply_at_[hidden])
Date: 2017-07-07 14:37:53


#13111: Out-of-bounds access for asio consuming buffers
------------------------------+----------------------------
 Reporter: ben@… | Owner: chris_kohlhoff
     Type: Bugs | Status: new
Milestone: To Be Determined | Component: asio
  Version: Boost 1.66.0 | Severity: Problem
 Keywords: |
------------------------------+----------------------------
 I have not seen a fix for this on GitHub for the latest version:

 https://github.com/boostorg/asio/blob/develop/include/boost/asio/detail/consuming_buffers.hpp

 The issue was found by a Coverity scan. All calls to buffers_.end() are
 being flagged as out-of-bounds access; there is potential for memory
 corruption here. Coverity is flagging these as High Impact.

 Coverity output is below:

 {{{

 207  // Get a forward-only iterator to the first element.
 208  const_iterator begin() const
 209  {

 1. address_of: Taking address with this->buffers_ yields a singleton
 pointer.

 CID 336466: Out-of-bounds access (ARRAY_VS_SINGLETON)2. callee_ptr_arith:
 Passing this->buffers_ to function end which uses it as an array. This
 might corrupt or misinterpret adjacent memory locations.
 210    return const_iterator(at_end_, first_,
 211        begin_remainder_, buffers_.end(), max_size_);
 212  }
 213

 …

 226  // Consume the specified number of bytes from the buffers.
 227  void consume(std::size_t size)
 228  {
 229    // Remove buffers from the start until the specified size is
 reached.

 1. Condition size > 0, taking true branch.

 2. Condition !this->at_end_, taking true branch.
 230    while (size > 0 && !at_end_)
 231    {

 3. Condition boost::asio::buffer_size(this->first_) <= size, taking true
 branch.
 232      if (buffer_size(first_) <= size)
 233      {
 234        size -= buffer_size(first_);

 4. address_of: Taking address with this->buffers_ yields a singleton
 pointer.

 CID 336464: Out-of-bounds access (ARRAY_VS_SINGLETON)5. callee_ptr_arith:
 Passing this->buffers_ to function end which uses it as an array. This
 might corrupt or misinterpret adjacent memory locations.
 235        if (begin_remainder_ == buffers_.end())
 236          at_end_ = true;
 237        else
 238          first_ = *begin_remainder_++;
 239      }
 240      else
 241      {
 242        first_ = first_ + size;
 243        size = 0;
 244      }
 245    }

 …

 247    // Remove any more empty buffers at the start.

 12. Condition !this->at_end_, taking true branch.

 13. Condition boost::asio::buffer_size(this->first_) == 0, taking true
 branch.
 248    while (!at_end_ && buffer_size(first_) == 0)
 249    {

 14. address_of: Taking address with this->buffers_ yields a singleton
 pointer.

 CID 336464: Out-of-bounds access (ARRAY_VS_SINGLETON)15. callee_ptr_arith:
 Passing this->buffers_ to function end which uses it as an array. This
 might corrupt or misinterpret adjacent memory locations.
 250      if (begin_remainder_ == buffers_.end())
 251        at_end_ = true;
 252      else
 253        first_ = *begin_remainder_++;
 254    }
 255  }

 …

 }}}

-- 
Ticket URL: <https://svn.boost.org/trac10/boost/ticket/13111>
Boost C++ Libraries <http://www.boost.org/>
Boost provides free peer-reviewed portable C++ source libraries.

This archive was generated by hypermail 2.1.7 : 2017-07-07 14:42:00 UTC
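Added example, not code from the ticket, from asio or from Coverity: a stand-alone C++ model of the two loops quoted in the ticket, with Buffers fixed to std::vector<const_buffer>. The const_buffer struct, buffer_size, operator+, buf, remaining_bytes and the consume_trace driver are constructed for this example and are not asio's API; the model uses cend() where the quoted code uses end() only to keep iterator types uniform. It shows what the ARRAY_VS_SINGLETON finding turns on: in this instantiation buffers_.end() is a member call on a container, the result is only ever compared against and never dereferenced, and consuming past the total size just sets at_end_ instead of reading a further element. Whether asio's real instantiation behaves the same depends on the Buffers type it is used with, which the quoted Coverity excerpt does not show.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Stand-in for boost::asio::const_buffer (constructed for this example).
struct const_buffer {
    const void* data;
    std::size_t size;
};

inline std::size_t buffer_size(const const_buffer& b) { return b.size; }

// Advance a buffer by n bytes, clamped so it cannot run past its own end.
inline const_buffer operator+(const const_buffer& b, std::size_t n) {
    std::size_t adv = std::min(n, b.size);
    return const_buffer{static_cast<const char*>(b.data) + adv, b.size - adv};
}

inline const_buffer buf(const char* s) { return const_buffer{s, std::strlen(s)}; }

// Model of asio's consuming_buffers with Buffers = std::vector<const_buffer>.
// Members are declared in the order the constructor initialises them.
class consuming_buffers {
public:
    using Buffers = std::vector<const_buffer>;
    using buffer_iterator = Buffers::const_iterator;

    explicit consuming_buffers(const Buffers& buffers)
        : buffers_(buffers),
          at_end_(buffers_.cbegin() == buffers_.cend()),
          first_(at_end_ ? const_buffer{nullptr, 0} : *buffers_.cbegin()),
          begin_remainder_(at_end_ ? buffers_.cend() : buffers_.cbegin() + 1) {}

    // begin_remainder_ points into this object's buffers_; a copy would dangle.
    consuming_buffers(const consuming_buffers&) = delete;
    consuming_buffers& operator=(const consuming_buffers&) = delete;

    // Same two loops as the quoted asio code. buffers_.cend() is a member
    // call on the container, and it is only ever compared against, never
    // dereferenced: the sentinel guards the *begin_remainder_++ read.
    void consume(std::size_t size) {
        // Remove buffers from the start until the specified size is reached.
        while (size > 0 && !at_end_) {
            if (buffer_size(first_) <= size) {
                size -= buffer_size(first_);
                if (begin_remainder_ == buffers_.cend())
                    at_end_ = true;
                else
                    first_ = *begin_remainder_++;
            } else {
                first_ = first_ + size;
                size = 0;
            }
        }
        // Remove any more empty buffers at the start.
        while (!at_end_ && buffer_size(first_) == 0) {
            if (begin_remainder_ == buffers_.cend())
                at_end_ = true;
            else
                first_ = *begin_remainder_++;
        }
    }

    // Bytes not yet consumed: first_ followed by [begin_remainder_, end).
    std::string remaining_bytes() const {
        std::string out;
        if (at_end_) return out;
        out.append(static_cast<const char*>(first_.data), first_.size);
        for (buffer_iterator it = begin_remainder_; it != buffers_.cend(); ++it)
            out.append(static_cast<const char*>(it->data), it->size);
        return out;
    }

private:
    Buffers buffers_;
    bool at_end_;
    const_buffer first_;
    buffer_iterator begin_remainder_;
};

// Build a sequence from string literals (static storage, so the pointers stay
// valid), apply each consume() size in turn, and return what is left after
// each call. Constructed driver for this example, not an asio API.
std::vector<std::string> consume_trace(const std::vector<const char*>& chunks,
                                       const std::vector<std::size_t>& sizes) {
    std::vector<const_buffer> seq;
    for (const char* c : chunks) seq.push_back(buf(c));
    consuming_buffers cb(seq);
    std::vector<std::string> trace;
    for (std::size_t n : sizes) {
        cb.consume(n);
        trace.push_back(cb.remaining_bytes());
    }
    return trace;
}
```

Driving it with consume_trace({"abc", "", "defg", "hi"}, {0, 2, 1, 100}) walks every branch of the quoted loops: a partial consume advances first_ in place, an exact consume pulls the next element and then the second loop skips the empty one, and an oversized consume ends with at_end_ set after begin_remainder_ has reached the container's end, with nothing read past it. An empty sequence, or one made only of empty buffers, reaches at_end_ through the comparison alone.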