Opened 5 years ago
#13111 new Bugs
Out-of-bounds access for asio consuming buffers
| Reported by: | | Owned by: | chris_kohlhoff |
|---|---|---|---|
| Milestone: | To Be Determined | Component: | asio |
| Version: | Boost 1.66.0 | Severity: | Problem |
| Keywords: | | Cc: | |
Description
I have not seen a fix for this in GitHub for the latest version:
https://github.com/boostorg/asio/blob/develop/include/boost/asio/detail/consuming_buffers.hpp
The issue was found by a Coverity scan. All calls to buffers_.end() are being flagged as out-of-bounds access; there is potential for memory corruption here. Coverity is flagging these as High Impacting.
Coverity output is below:
```text
207   // Get a forward-only iterator to the first element.
208   const_iterator begin() const
209   {
    1. address_of: Taking address with this->buffers_ yields a singleton pointer.
    CID 336466: Out-of-bounds access (ARRAY_VS_SINGLETON)
    2. callee_ptr_arith: Passing this->buffers_ to function end which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
210     return const_iterator(at_end_, first_,
211         begin_remainder_, buffers_.end(), max_size_);
212   }
213
…
226   // Consume the specified number of bytes from the buffers.
227   void consume(std::size_t size)
228   {
229     // Remove buffers from the start until the specified size is reached.
    1. Condition size > 0, taking true branch.
    2. Condition !this->at_end_, taking true branch.
230     while (size > 0 && !at_end_)
231     {
    3. Condition boost::asio::buffer_size(this->first_) <= size, taking true branch.
232       if (buffer_size(first_) <= size)
233       {
234         size -= buffer_size(first_);
    4. address_of: Taking address with this->buffers_ yields a singleton pointer.
    CID 336464: Out-of-bounds access (ARRAY_VS_SINGLETON)
    5. callee_ptr_arith: Passing this->buffers_ to function end which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
235         if (begin_remainder_ == buffers_.end())
236           at_end_ = true;
237         else
238           first_ = *begin_remainder_++;
239       }
240       else
241       {
242         first_ = first_ + size;
243         size = 0;
244       }
245     }
…
247     // Remove any more empty buffers at the start.
    12. Condition !this->at_end_, taking true branch.
    13. Condition boost::asio::buffer_size(this->first_) == 0, taking true branch.
248     while (!at_end_ && buffer_size(first_) == 0)
249     {
    14. address_of: Taking address with this->buffers_ yields a singleton pointer.
    CID 336464: Out-of-bounds access (ARRAY_VS_SINGLETON)
    15. callee_ptr_arith: Passing this->buffers_ to function end which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
250       if (begin_remainder_ == buffers_.end())
251         at_end_ = true;
252       else
253         first_ = *begin_remainder_++;
254     }
255   }
…
```