oss-sec mailing list archives
Memory leak in libiec61850
From: Dhiraj Mishra <mishra.dhiraj95 () gmail com>
Date: Fri, 11 Jan 2019 23:44:02 +0530
Hi List,

## Summary:

An issue has been found in libIEC61850 v1.3.1. Memory_malloc and Memory_calloc in hal/memory/lib_memory.c have memory leaks when called from mms/iso_mms/common/mms_value.c, server/mms_mapping/mms_mapping.c, and server/mms_mapping/mms_sv.c (via common/string_utilities.c), as demonstrated by iec61850_9_2_LE_example.c.

## Snip code from mms_value.c#L1583-L1600:

    self->value.visibleString.buf = (char*) GLOBAL_MALLOC(size + 1);

    if (self->value.visibleString.buf == NULL) {
        GLOBAL_FREEMEM(self);
        self = NULL;
        goto exit_function;
    }

    self->value.visibleString.buf[0] = 0;

    exit_function:
    return self;
    }

    MmsValue*
    MmsValue_newVisibleStringWithSize(int size)
    {

## Memory leak:

    ==23314==ERROR: LeakSanitizer: detected memory leaks

    Direct leak of 260 byte(s) in 2 object(s) allocated from:
        #0 0x7fd669c33b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
        #1 0x55f220071c7c in Memory_malloc /home/input0/Desktop/libiec61850/hal/memory/lib_memory.c:47
        #2 0x55f21ff7390d in MmsValue_newStringWithSize /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1583
        #3 0x55f21ff73a80 in MmsValue_newVisibleStringWithSize /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1600
        #4 0x55f21ff72d0d in MmsValue_newDefaultValue /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1457
        #5 0x55f21ff72203 in MmsValue_newStructure /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1391
        #6 0x55f21ffafcf7 in LIBIEC61850_SV_createSVControlBlocks /home/input0/Desktop/libiec61850/src/iec61850/server/mms_mapping/mms_sv.c:428
        #7 0x55f21ff8df69 in createNamedVariableFromLogicalNode /home/input0/Desktop/libiec61850/src/iec61850/server/mms_mapping/mms_mapping.c:1090
        #8 0x55f21ff8ea2f in createMmsDomainFromIedDevice /home/input0/Desktop/libiec61850/src/iec61850/server/mms_mapping/mms_mapping.c:1193
        #9 0x55f21ff8ec8d in createMmsDataModel /home/input0/Desktop/libiec61850/src/iec61850/server/mms_mapping/mms_mapping.c:1215
        #10 0x55f21ff8f2ef in createMmsModelFromIedModel /home/input0/Desktop/libiec61850/src/iec61850/server/mms_mapping/mms_mapping.c:1298
        #11 0x55f21ff8f5a8 in MmsMapping_create /home/input0/Desktop/libiec61850/src/iec61850/server/mms_mapping/mms_mapping.c:1344
        #12 0x55f21ff7a565 in IedServer_createWithConfig /home/input0/Desktop/libiec61850/src/iec61850/server/impl/ied_server.c:430
        #13 0x55f21ff7abcb in IedServer_create /home/input0/Desktop/libiec61850/src/iec61850/server/impl/ied_server.c:483
        #14 0x55f21ff66cf7 in main /home/input0/Desktop/libiec61850/examples/iec61850_9_2_LE_example/iec61850_9_2_LE_example.c:119
        #15 0x7fd6691c8b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

    Direct leak of 216 byte(s) in 17 object(s) allocated from:
        #0 0x7fd669c33d38 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded38)
        #1 0x55f220071cb5 in Memory_calloc /home/input0/Desktop/libiec61850/hal/memory/lib_memory.c:59
        #2 0x55f21ff72045 in MmsValue_newStructure /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1386
        #3 0x55f21ff72ecd in MmsValue_newDefaultValue /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1479
        #4 0x55f21ff72203 in MmsValue_newStructure /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1391
        #5 0x55f21ff72ecd in MmsValue_newDefaultValue /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1479
        #6 0x55f21ff791b4 in createMmsServerCache /home/input0/Desktop/libiec61850/src/iec61850/server/impl/ied_server.c:207
        #7 0x55f21ff7aa4d in IedServer_createWithConfig /home/input0/Desktop/libiec61850/src/iec61850/server/impl/ied_server.c:453
        #8 0x55f21ff7abcb in IedServer_create /home/input0/Desktop/libiec61850/src/iec61850/server/impl/ied_server.c:483
        #9 0x55f21ff66cf7 in main /home/input0/Desktop/libiec61850/examples/iec61850_9_2_LE_example/iec61850_9_2_LE_example.c:119
        #10 0x7fd6691c8b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

    .....

Later CVE-2019-6138 was assigned to this issue.

Thank you
@mishradhiraj_
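
An added example, not part of the original post and not libIEC61850 code: LeakSanitizer reports a leak at the point of allocation, so traces like the ones above end in the allocator wrapper while the missing free belongs to whoever owns the value. This self-contained model of the same shape (a structure whose members are heap strings) uses a counting allocator so a test can check that every build path, including allocation failure, is balanced by teardown. All names (`x_calloc`, `Value`, `live_after`) and sizes are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical counting allocator standing in for the library's wrappers. */
static int live, calls, fail_at = -1;   /* fail_at: index of the call to fail */
static void *x_calloc(size_t n, size_t sz) {
    void *p = (calls++ == fail_at) ? NULL : calloc(n, sz);
    if (p) live++;
    return p;
}
static void x_free(void *p) { if (p) { live--; free(p); } }

/* Hypothetical value node: count > 0 is a structure, count == 0 a string. */
typedef struct Value { int count; struct Value **items; char *buf; } Value;

/* Recursive teardown: children first, then this node's buffers, then the node. */
static void value_delete(Value *v) {
    if (!v) return;
    for (int i = 0; i < v->count; i++) value_delete(v->items[i]);
    x_free(v->items); x_free(v->buf); x_free(v);
}

static Value *value_new_string(int size) {
    Value *v = x_calloc(1, sizeof *v);
    if (!v) return NULL;
    v->buf = x_calloc(1, (size_t)size + 1);
    if (!v->buf) { x_free(v); return NULL; }   /* cleanup as in the quoted snippet */
    return v;
}

/* Structure of n strings; a partially built tree is torn down on failure. */
static Value *value_new_structure(int n, int size) {
    Value *v = x_calloc(1, sizeof *v);
    if (!v) return NULL;
    v->items = x_calloc((size_t)n, sizeof *v->items);
    if (!v->items) { x_free(v); return NULL; }
    v->count = n;
    for (int i = 0; i < n; i++)
        if (!(v->items[i] = value_new_string(size))) { value_delete(v); return NULL; }
    return v;
}

/* Allocations still live after a build; destroy=0 models exit without teardown. */
int live_after(int destroy, int inject) {
    live = calls = 0; fail_at = inject;
    Value *v = value_new_structure(2, 129);    /* constructed sizes */
    int built = live;
    value_delete(v);
    return destroy ? live : built;
}
int main(void) { return live_after(1, -1); }   /* exit status 0: balanced */
```

Sweeping `inject` over every allocation index exercises each error path in turn, a check that complements a LeakSanitizer run, which only sees the paths the program actually took.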