miniupnp: Sanitizer errors in miniupnpd
I compiled today’s version of miniupnpd from the git repository with
export CC='clang-10 -g -fstandalone-debug -ffp-model=strict -fvisibility=hidden -fsanitize=address,undefined,cfi -fno-common -fno-omit-frame-pointer -fsanitize-address-use-after-scope -flto -fno-sanitize-recover=all'
Then I tried to start miniupnpd with environment variables ASAN_OPTIONS=detect_leaks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_string_checks=1:detect_invalid_pointer_pairs=2:abort_on_error=1 and UBSAN_OPTIONS=print_stacktrace=1.
Then miniupnpd immediately stops with the following error given by the address sanitizer:
May 29 06:30:51 router1 systemd[1]: Started UPnP Internet Gateway Device Daemon.
May 29 06:30:51 router1 miniupnpd[14603]: miniupnpd[14603]: system uptime is 41112 seconds
May 29 06:30:51 router1 miniupnpd[14603]: system uptime is 41112 seconds
May 29 06:30:51 router1 miniupnpd[14603]: miniupnpd[14603]: Reloading rules from lease file
May 29 06:30:51 router1 miniupnpd[14603]: miniupnpd[14603]: version 2.1 starting NAT-PMP/PCP UPnP-IGD ext if ip6tnl1 BOOTID=1590701451
May 29 06:30:51 router1 miniupnpd[14603]: Reloading rules from lease file
May 29 06:30:51 router1 miniupnpd[14603]: miniupnpd[14603]: HTTP listening on port 37563
May 29 06:30:51 router1 miniupnpd[14603]: version 2.1 starting NAT-PMP/PCP UPnP-IGD ext if ip6tnl1 BOOTID=1590701451
May 29 06:30:51 router1 miniupnpd[14603]: HTTP listening on port 37563
May 29 06:30:51 router1 miniupnpd[14603]: miniupnpd[14603]: HTTP IPv6 address given to control points : [2400:4050:2ba1:ac00:99:f0ae:8600:2c00]
May 29 06:30:51 router1 miniupnpd[14603]: miniupnpd[14603]: Listening for NAT-PMP/PCP traffic on port 5351
May 29 06:30:51 router1 miniupnpd[14603]: HTTP IPv6 address given to control points : [2400:4050:2ba1:ac00:99:f0ae:8600:2c00]
May 29 06:30:51 router1 miniupnpd[14603]: =================================================================
May 29 06:30:51 router1 miniupnpd[14603]: Listening for NAT-PMP/PCP traffic on port 5351
May 29 06:30:51 router1 miniupnpd[14603]: ==14603==ERROR: AddressSanitizer: global-buffer-overflow on address 0x564c461e7550 at pc 0x564c4608f929 bp 0x7ffeb979c220 sp 0x7ffeb979b9c8
May 29 06:30:51 router1 miniupnpd[14603]: READ of size 27 at 0x564c461e7550 thread T0
May 29 06:30:51 router1 miniupnpd[14603]: #0 0x564c4608f928 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/home/ryutaroh/miniupnp/miniupnpd/miniupnpd+0xaf928)
May 29 06:30:51 router1 miniupnpd[14603]: #1 0x564c4608fe1a in memcmp (/home/ryutaroh/miniupnp/miniupnpd/miniupnpd+0xafe1a)
May 29 06:30:51 router1 miniupnpd[14603]: #2 0x564c461718c7 in SendSSDPNotifies /home/ryutaroh/miniupnp/miniupnpd/minissdp.c:801:10
May 29 06:30:51 router1 miniupnpd[14603]: #3 0x564c461707ac in SendSSDPNotifies2 /home/ryutaroh/miniupnp/miniupnpd/minissdp.c:833:3
May 29 06:30:51 router1 miniupnpd[14603]: #4 0x564c46122db3 in main /home/ryutaroh/miniupnp/miniupnpd/miniupnpd.c:2463:6
May 29 06:30:51 router1 miniupnpd[14603]: #5 0x7f1222d06e0a in __libc_start_main csu/../csu/libc-start.c:308:16
May 29 06:30:51 router1 miniupnpd[14603]: #6 0x564c460788b9 in _start (/home/ryutaroh/miniupnp/miniupnpd/miniupnpd+0x988b9)
May 29 06:30:51 router1 miniupnpd[14603]: 0x564c461e7550 is located 48 bytes to the left of global variable '<string literal>' defined in 'minissdp.c:603:3' (0x564c461e7580) of size 51
May 29 06:30:51 router1 miniupnpd[14603]: '<string literal>' is ascii string 'urn:schemas-upnp-org:device:InternetGatewayDevice:'
May 29 06:30:51 router1 miniupnpd[14603]: 0x564c461e7550 is located 0 bytes to the right of global variable '<string literal>' defined in 'minissdp.c:601:3' (0x564c461e7540) of size 16
May 29 06:30:51 router1 miniupnpd[14603]: '<string literal>' is ascii string 'upnp:rootdevice'
May 29 06:30:51 router1 miniupnpd[14603]: SUMMARY: AddressSanitizer: global-buffer-overflow (/home/ryutaroh/miniupnp/miniupnpd/miniupnpd+0xaf928) in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
May 29 06:30:51 router1 miniupnpd[14603]: Shadow bytes around the buggy address:
May 29 06:30:51 router1 miniupnpd[14603]: 0x0aca08c34e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
May 29 06:30:51 router1 miniupnpd[14603]: 0x0aca08c34e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
May 29 06:30:51 router1 miniupnpd[14603]: 0x0aca08c34e70: 00 01 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 03 f9
May 29 06:30:51 router1 miniupnpd[14603]: 0x0aca08c34e80: f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9 00 00 00 06
May 29 06:30:51 router1 miniupnpd[14603]: 0x0aca08c34e90: f9 f9 f9 f9 00 00 00 06 f9 f9 f9 f9 00 00 00 00
May 29 06:30:51 router1 miniupnpd[14603]: =>0x0aca08c34ea0: 01 f9 f9 f9 f9 f9 f9 f9 00 00[f9]f9 f9 f9 f9 f9
May 29 06:30:51 router1 miniupnpd[14603]: 0x0aca08c34eb0: 00 00 00 00 00 00 03 f9 f9 f9 f9 f9 00 00 00 00
May 29 06:30:51 router1 miniupnpd[14603]: 0x0aca08c34ec0: 00 00 01 f9 f9 f9 f9 f9 00 00 00 00 07 f9 f9 f9
May 29 06:30:51 router1 miniupnpd[14603]: 0x0aca08c34ed0: f9 f9 f9 f9 00 00 00 00 00 06 f9 f9 f9 f9 f9 f9
May 29 06:30:51 router1 miniupnpd[14603]: 0x0aca08c34ee0: 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 00 00 00 00
May 29 06:30:51 router1 miniupnpd[14603]: 0x0aca08c34ef0: 00 00 05 f9 f9 f9 f9 f9 00 00 00 00 00 00 07 f9
May 29 06:30:51 router1 miniupnpd[14603]: Shadow byte legend (one shadow byte represents 8 application bytes):
May 29 06:30:51 router1 miniupnpd[14603]: Addressable: 00
May 29 06:30:51 router1 miniupnpd[14603]: Partially addressable: 01 02 03 04 05 06 07
May 29 06:30:51 router1 miniupnpd[14603]: Heap left redzone: fa
May 29 06:30:51 router1 miniupnpd[14603]: Freed heap region: fd
May 29 06:30:51 router1 miniupnpd[14603]: Stack left redzone: f1
May 29 06:30:51 router1 miniupnpd[14603]: Stack mid redzone: f2
May 29 06:30:51 router1 miniupnpd[14603]: Stack right redzone: f3
May 29 06:30:51 router1 miniupnpd[14603]: Stack after return: f5
May 29 06:30:51 router1 miniupnpd[14603]: Stack use after scope: f8
May 29 06:30:51 router1 miniupnpd[14603]: Global redzone: f9
May 29 06:30:51 router1 miniupnpd[14603]: Global init order: f6
May 29 06:30:51 router1 miniupnpd[14603]: Poisoned by user: f7
May 29 06:30:51 router1 miniupnpd[14603]: Container overflow: fc
May 29 06:30:51 router1 miniupnpd[14603]: Array cookie: ac
May 29 06:30:51 router1 miniupnpd[14603]: Intra object redzone: bb
May 29 06:30:51 router1 miniupnpd[14603]: ASan internal: fe
May 29 06:30:51 router1 miniupnpd[14603]: Left alloca redzone: ca
May 29 06:30:51 router1 miniupnpd[14603]: Right alloca redzone: cb
May 29 06:30:51 router1 miniupnpd[14603]: Shadow gap: cc
May 29 06:30:51 router1 miniupnpd[14603]: ==14603==ABORTING
May 29 06:30:51 router1 systemd[1]: miniupnpd.service: Main process exited, code=killed, status=6/ABRT
Is it OK for the address sanitizer to give such an error? It doesn’t seem so …
My OS is Debian Linux Bullseye on amd64. miniupnpd is built with ./configure --debug --ipv6 --igd2 --leasefile --vendorcfg --pcp-peer --portinuse --disable-pppconn --firewall=nftables with the following changes to config.h
--- config.h-oritinal 2020-05-29 06:17:26.118915083 +0900
+++ config.h 2020-05-29 06:17:38.286885181 +0900
@@ -55,7 +55,7 @@
/* Comment the following line to disable PCP PEER operation */
#define PCP_PEER
#ifdef PCP_PEER
-/*#define PCP_FLOWP*/
+#define PCP_FLOWP
#endif /*PCP_PEER*/
/*#define PCP_SADSCP*/
#endif /*ENABLE_PCP*/
@@ -88,7 +88,7 @@
/* Uncomment the following line to enable lease file support */
#define ENABLE_LEASEFILE
/* Uncomment the following line to store remaining time in lease file */
-/*#define LEASEFILE_USE_REMAINING_TIME*/
+#define LEASEFILE_USE_REMAINING_TIME
/* Uncomment the following line to enable port in use check */
#define CHECK_PORTINUSE
@@ -151,7 +151,7 @@
#define SSDP_RESPOND_SAME_VERSION
/* Add the optional Date: header in all HTTP responses */
-/*#define ENABLE_HTTP_DATE*/
+#define ENABLE_HTTP_DATE
/* Wait a little before answering M-SEARCH request */
/*#define DELAY_MSEARCH_RESPONSE*/
@@ -171,7 +171,7 @@
#define USE_TIME_AS_BOOTID
/* With the following macro defined, a random string is prepended to all URLs */
-/*#define RANDOMIZE_URLS*/
+#define RANDOMIZE_URLS
/* maximum length of SSDP packets we are generating
* (reception is done in a 1500byte buffer) */
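Review bot: the header `@@ -171,7 +171,7 @@` announces seven old-side lines, but only five are visible in this hunk (two context lines, the removed `/*#define RANDOMIZE_URLS*/`, the added `#define RANDOMIZE_URLS`, two context lines), and the two hunks above it likewise show fewer lines than their `,7` counts; the blank separator lines of config.h were most likely dropped when the diff was pasted, so this text will not apply cleanly with `patch`, and the actual configuration should be read as the four `#define` toggles it enables: PCP_FLOWP, LEASEFILE_USE_REMAINING_TIME, ENABLE_HTTP_DATE and RANDOMIZE_URLS.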
I use systemd to start miniupnpd. The systemd service file is
[Unit]
Description=UPnP Internet Gateway Device Daemon
Documentation=man:miniupnpd(8)
After=network-online.target
[Service]
Type=simple
Environment="LANG=C.UTF-8" "ASAN_OPTIONS=detect_leaks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_string_checks=1:detect_invalid_pointer_pairs=2:abort_on_error=1" "UBSAN_OPTIONS=print_stacktrace=1"
ExecStartPre=/etc/miniupnpd/nft_init.sh -i ip6tnl1
#ExecStart=/usr/bin/gdb --batch -ex "run -d -f /etc/miniupnpd/miniupnpd.conf" -ex "info stack" -ex "info local" /home/ryutaroh/miniupnp/miniupnpd/miniupnpd
ExecStart=/home/ryutaroh/miniupnp/miniupnpd/miniupnpd -d -f /etc/miniupnpd/miniupnpd.conf
ExecStopPost=/etc/miniupnpd/nft_removeall.sh -i ip6tnl1
PrivateTmp=yes
PIDFile=/run/miniupnpd.pid
[Install]
WantedBy=multi-user.target
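The global-buffer-overflow in the report above is a memcmp() in SendSSDPNotifies() reading 27 bytes starting at a 16-byte string literal ("upnp:rootdevice"), i.e. the comparison length was taken from the other operand rather than from the literal, which is exactly what the later fix commits ("check string length before memcmp()") address. The following is an added example written for this page, not miniupnpd's code: it puts that defect pattern beside a length-checked form, using constructed stand-ins for the two adjacent literals ASan names and constructed SSDP search-target (ST) values; the helper names and the classification values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not miniupnpd code). Constructed stand-ins for the two
 * adjacent .rodata literals in the ASan report: a 16-byte "upnp:rootdevice"
 * (15 chars + NUL) followed by the 51-byte InternetGatewayDevice URN. */
static const char ROOT_DEVICE[] = "upnp:rootdevice";
static const char IGD_URN_PREFIX[] =
    "urn:schemas-upnp-org:device:InternetGatewayDevice:";

/* The defect class. An SSDP ST value arrives as (pointer, length) into the
 * receive buffer and is not NUL-terminated, so the tempting shortcut is to
 * compare with the ST's own length. With a 27-byte ST that makes memcmp()
 * read 27 bytes starting at a 16-byte literal, 11 bytes past its end: a
 * global-buffer-overflow under ASan, a silent read of neighbouring .rodata
 * otherwise. Kept only for contrast; it is deliberately never called with an
 * st_len larger than the literal below. */
int st_matches_unchecked(const char *st, size_t st_len, const char *literal)
{
    return memcmp(st, literal, st_len) == 0;   /* BUG: literal may be shorter */
}

/* Hardened form: take the bound from the literal, whose length is known and
 * under our control, and compare lengths before touching memory. */
int st_equals(const char *st, size_t st_len, const char *literal)
{
    size_t lit_len = strlen(literal);
    return st_len == lit_len && memcmp(st, literal, lit_len) == 0;
}

/* Prefix variant for URNs that carry a trailing version, e.g. "...Device:2". */
int st_has_prefix(const char *st, size_t st_len, const char *prefix)
{
    size_t pre_len = strlen(prefix);
    return st_len >= pre_len && memcmp(st, prefix, pre_len) == 0;
}

/* Classify a raw ST field: 1 = root device, 2 = IGD URN (any version),
 * 0 = neither. Reads at most min(st_len, strlen(literal)) bytes of either. */
int classify_st(const char *st, size_t st_len)
{
    if (st_equals(st, st_len, ROOT_DEVICE))
        return 1;
    if (st_has_prefix(st, st_len, IGD_URN_PREFIX))
        return 2;
    return 0;
}

int main(void)
{
    /* Constructed inputs. The third is a 27-byte ST that is a strict prefix
     * of the IGD URN; it must be rejected without any over-read. */
    const char *samples[] = {
        "upnp:rootdevice",
        "urn:schemas-upnp-org:device:InternetGatewayDevice:2",
        "urn:schemas-upnp-org:device",
        "upnp:rootdeviceX",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-55s -> %d\n", samples[i],
               classify_st(samples[i], strlen(samples[i])));
    return 0;
}
```

Building this with the same `-fsanitize=address` flags as the report and calling `st_matches_unchecked()` with the 27-byte sample would reproduce the same kind of global-buffer-overflow; `classify_st()` stays clean under ASan because every comparison length is bounded by the literal first.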
About this issue
- State: closed
- Created 4 years ago
- Comments: 26 (11 by maintainers)
Commits related to this issue
- call nftnl_rule_is_set(NFTNL_RULE_USERDATA) before nftnl_rule_get_data(NFTNL_RULE_USERDATA) see #459 and #461 — committed to miniupnp/miniupnp by miniupnp 4 years ago
- miniupnpd/upnpdescgen.c: check string length before memcmp() in genServiceDesc() see https://github.com/miniupnp/miniupnp/issues/459 — committed to miniupnp/miniupnp by miniupnp 4 years ago
- nftnlrdr.c: fix writing to iaddr instead of rhost fixes #462 https://github.com/miniupnp/miniupnp/issues/462 https://github.com/miniupnp/miniupnp/issues/459#issuecomment-636402954 — committed to miniupnp/miniupnp by miniupnp 4 years ago
- improve parse_rule_cmp() see #459 — committed to miniupnp/miniupnp by miniupnp 4 years ago
- fix bug introduced in c3d71b97abf943eb3c4937cb50db549e6ad74f05 see #459 — committed to miniupnp/miniupnp by miniupnp 4 years ago
- same fix as 827fc6f04 for SendSSDPGoodbye() see #459 — committed to miniupnp/miniupnp by miniupnp 4 years ago
- fix memory leak in PinholeVerification() see #459 — committed to miniupnp/miniupnp by miniupnp 4 years ago
- nftpinhole.c: fix get_pinhole_info() this whole file should be reviewed carefully fixes #459 — committed to miniupnp/miniupnp by miniupnp 4 years ago
- miniupnpd/upnpdescgen.c: check string length before memcmp() in genServiceDesc() see https://github.com/miniupnp/miniupnp/issues/459 — committed to qwee123/miniupnpd-sdn by miniupnp 4 years ago
- nftnlrdr.c: fix writing to iaddr instead of rhost fixes #462 https://github.com/miniupnp/miniupnp/issues/462 https://github.com/miniupnp/miniupnp/issues/459#issuecomment-636402954 — committed to qwee123/miniupnpd-sdn by miniupnp 4 years ago
The 2 last SAN errors should be fixed now. Thank you for your reports.
They were both in code that I had insufficiently reviewed before merging and which is very seldom used, as most usage of miniupnpd is for IGD v1.