oss-sec mailing list archives

Memory leak in libiec61850


From: Dhiraj Mishra <mishra.dhiraj95 () gmail com>
Date: Fri, 11 Jan 2019 23:44:02 +0530

Hi List,

## Summary:
An issue has been found in libIEC61850 v1.3.1. Memory_malloc and
Memory_calloc in hal/memory/lib_memory.c have memory leaks when called from
mms/iso_mms/common/mms_value.c, server/mms_mapping/mms_mapping.c, and
server/mms_mapping/mms_sv.c (via common/string_utilities.c), as
demonstrated by iec61850_9_2_LE_example.c.

## Snippet from mms_value.c#L1583-L1600:

        self->value.visibleString.buf = (char*) GLOBAL_MALLOC(size + 1);

        if (self->value.visibleString.buf == NULL) {
            GLOBAL_FREEMEM(self);
            self = NULL;
            goto exit_function;
        }

        self->value.visibleString.buf[0] = 0;

    exit_function:
        return self;
    }

    MmsValue*
    MmsValue_newVisibleStringWithSize(int size)
    {

## Memory leak:

    ==23314==ERROR: LeakSanitizer: detected memory leaks
    Direct leak of 260 byte(s) in 2 object(s) allocated from:
        #0 0x7fd669c33b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
        #1 0x55f220071c7c in Memory_malloc /home/input0/Desktop/libiec61850/hal/memory/lib_memory.c:47
        #2 0x55f21ff7390d in MmsValue_newStringWithSize /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1583
        #3 0x55f21ff73a80 in MmsValue_newVisibleStringWithSize /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1600
        #4 0x55f21ff72d0d in MmsValue_newDefaultValue /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1457
        #5 0x55f21ff72203 in MmsValue_newStructure /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1391
        #6 0x55f21ffafcf7 in LIBIEC61850_SV_createSVControlBlocks /home/input0/Desktop/libiec61850/src/iec61850/server/mms_mapping/mms_sv.c:428
        #7 0x55f21ff8df69 in createNamedVariableFromLogicalNode /home/input0/Desktop/libiec61850/src/iec61850/server/mms_mapping/mms_mapping.c:1090
        #8 0x55f21ff8ea2f in createMmsDomainFromIedDevice /home/input0/Desktop/libiec61850/src/iec61850/server/mms_mapping/mms_mapping.c:1193
        #9 0x55f21ff8ec8d in createMmsDataModel /home/input0/Desktop/libiec61850/src/iec61850/server/mms_mapping/mms_mapping.c:1215
        #10 0x55f21ff8f2ef in createMmsModelFromIedModel /home/input0/Desktop/libiec61850/src/iec61850/server/mms_mapping/mms_mapping.c:1298
        #11 0x55f21ff8f5a8 in MmsMapping_create /home/input0/Desktop/libiec61850/src/iec61850/server/mms_mapping/mms_mapping.c:1344
        #12 0x55f21ff7a565 in IedServer_createWithConfig /home/input0/Desktop/libiec61850/src/iec61850/server/impl/ied_server.c:430
        #13 0x55f21ff7abcb in IedServer_create /home/input0/Desktop/libiec61850/src/iec61850/server/impl/ied_server.c:483
        #14 0x55f21ff66cf7 in main /home/input0/Desktop/libiec61850/examples/iec61850_9_2_LE_example/iec61850_9_2_LE_example.c:119
        #15 0x7fd6691c8b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

    Direct leak of 216 byte(s) in 17 object(s) allocated from:
        #0 0x7fd669c33d38 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded38)
        #1 0x55f220071cb5 in Memory_calloc /home/input0/Desktop/libiec61850/hal/memory/lib_memory.c:59
        #2 0x55f21ff72045 in MmsValue_newStructure /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1386
        #3 0x55f21ff72ecd in MmsValue_newDefaultValue /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1479
        #4 0x55f21ff72203 in MmsValue_newStructure /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1391
        #5 0x55f21ff72ecd in MmsValue_newDefaultValue /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1479
        #6 0x55f21ff791b4 in createMmsServerCache /home/input0/Desktop/libiec61850/src/iec61850/server/impl/ied_server.c:207
        #7 0x55f21ff7aa4d in IedServer_createWithConfig /home/input0/Desktop/libiec61850/src/iec61850/server/impl/ied_server.c:453
        #8 0x55f21ff7abcb in IedServer_create /home/input0/Desktop/libiec61850/src/iec61850/server/impl/ied_server.c:483
        #9 0x55f21ff66cf7 in main /home/input0/Desktop/libiec61850/examples/iec61850_9_2_LE_example/iec61850_9_2_LE_example.c:119
        #10 0x7fd6691c8b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    .....

Later CVE-2019-6138 was assigned to this issue.


Thank you
@mishradhiraj_
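Added example, not code from libiec61850 or from this post: a small C model of the allocation chain shown in the trace (a structure value whose components are default visible strings, each costing a node plus a string buffer) together with the recursive release that must pair with those allocations for LeakSanitizer to report nothing. The `Value` type, the function names and the live-allocation counter are hypothetical stand-ins for the library's `MmsValue` functions and for LSan's bookkeeping.

```c
/* Added example, not libiec61850 code: a model of the allocation chain in the
 * trace (a structure whose components are default visible strings) plus the
 * recursive release it needs. Names and the live-alloc counter are hypothetical. */
#include <stdlib.h>
static int live_allocs = 0;
static void *tracked_alloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void tracked_free(void *p) { if (p) { live_allocs--; free(p); } }
int live_allocation_count(void) { return live_allocs; }
typedef enum { VT_VISIBLE_STRING, VT_STRUCTURE } ValueType;
typedef struct Value {
    ValueType type;
    union {
        struct { char *buf; } visibleString;
        struct { int count; struct Value **components; } structure;
    } value;
} Value;
/* Analogue of MmsValue_newVisibleStringWithSize: one node plus one buffer. */
Value *value_new_visible_string(int size) {
    Value *self = tracked_alloc(sizeof *self);
    if (self == NULL) return NULL;
    self->type = VT_VISIBLE_STRING;
    self->value.visibleString.buf = tracked_alloc((size_t)size + 1); /* buf[0] == 0 */
    if (self->value.visibleString.buf == NULL) { tracked_free(self); return NULL; }
    return self;
}
/* The release that must pair with the allocations above: children first, then the node. */
void value_delete(Value *self) {
    if (self == NULL) return;
    if (self->type == VT_STRUCTURE) {
        for (int i = 0; i < self->value.structure.count; i++) value_delete(self->value.structure.components[i]);
        tracked_free(self->value.structure.components);
    } else tracked_free(self->value.visibleString.buf);
    tracked_free(self);
}

/* Analogue of MmsValue_newStructure + MmsValue_newDefaultValue; a mid-way failure releases what exists. */
Value *value_new_structure(int count, int string_size) {
    Value *self = tracked_alloc(sizeof *self);
    if (self == NULL) return NULL;
    self->type = VT_STRUCTURE;
    self->value.structure.count = count;
    self->value.structure.components = tracked_alloc((size_t)count * sizeof(Value *));
    if (self->value.structure.components == NULL) { tracked_free(self); return NULL; }
    for (int i = 0; i < count; i++) {
        self->value.structure.components[i] = value_new_visible_string(string_size);
        if (self->value.structure.components[i] == NULL) { value_delete(self); return NULL; }
    }
    return self;
}
```

Building a 17-component structure costs 1 + 1 + 17 * 2 tracked allocations; only a `value_delete` on the root brings the counter back to zero, which is the pairing the reported call chain lacks.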