oss-sec mailing list archives

Memory leak in libiec61850 protocol

From: Dhiraj Mishra <mishra.dhiraj95 () gmail com>
Date: Fri, 11 Jan 2019 23:43:46 +0530
Hi List,

## Summary:
An issue has been found in libIEC61850 v1.3.1. Memory_malloc in
hal/memory/lib_memory.c has a memory leak when called from
Asn1PrimitiveValue_create in mms/asn1/asn1_ber_primitive_value.c, as
demonstrated by goose_publisher_example.c and iec61850_9_2_LE_example.c.

## Snip code from goose_publisher_example.c#L30 :
    LinkedList_add(dataSetValues, MmsValue_newIntegerFromInt32(1234));
    LinkedList_add(dataSetValues, MmsValue_newBinaryTime(false));
    LinkedList_add(dataSetValues, MmsValue_newIntegerFromInt32(5678));

## Memory leak:

==1276==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 10 byte(s) in 1 object(s) allocated from:
    #0 0x7f98bdabdb50 in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x55c2071bac8b in Memory_malloc
/home/input0/Desktop/libiec61850/hal/memory/lib_memory.c:47
    #2 0x55c2071abca3 in Asn1PrimitiveValue_create
/home/input0/Desktop/libiec61850/src/mms/asn1/asn1_ber_primitive_value.c:31
    #3 0x55c2071ac49b in BerInteger_createInt32
/home/input0/Desktop/libiec61850/src/mms/asn1/ber_integer.c:49
    #4 0x55c2071ac8e3 in BerInteger_createFromInt32
/home/input0/Desktop/libiec61850/src/mms/asn1/ber_integer.c:97
    #5 0x55c2071a27e1 in MmsValue_newIntegerFromInt32
/home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:827
    #6 0x55c20719c192 in main
/home/input0/Desktop/libiec61850/examples/goose_publisher/goose_publisher_example.c:30
    #7 0x7f98bd3f0b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

Direct leak of 10 byte(s) in 1 object(s) allocated from:
    #0 0x7f98bdabdb50 in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x55c2071bac8b in Memory_malloc
/home/input0/Desktop/libiec61850/hal/memory/lib_memory.c:47
    #2 0x55c2071abca3 in Asn1PrimitiveValue_create
/home/input0/Desktop/libiec61850/src/mms/asn1/asn1_ber_primitive_value.c:31
    #3 0x55c2071ac49b in BerInteger_createInt32
/home/input0/Desktop/libiec61850/src/mms/asn1/ber_integer.c:49
    #4 0x55c2071ac8e3 in BerInteger_createFromInt32
/home/input0/Desktop/libiec61850/src/mms/asn1/ber_integer.c:97
    #5 0x55c2071a27e1 in MmsValue_newIntegerFromInt32
/home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:827
    #6 0x55c20719c1d0 in main
/home/input0/Desktop/libiec61850/examples/goose_publisher/goose_publisher_example.c:32
    #7 0x7f98bd3f0b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

Direct leak of 5 byte(s) in 1 object(s) allocated from:
    #0 0x7f98bdabdd38 in __interceptor_calloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded38)
    #1 0x55c2071bacc4 in Memory_calloc
/home/input0/Desktop/libiec61850/hal/memory/lib_memory.c:59
    #2 0x55c2071abd39 in Asn1PrimitiveValue_create
/home/input0/Desktop/libiec61850/src/mms/asn1/asn1_ber_primitive_value.c:35
    #3 0x55c2071ac49b in BerInteger_createInt32
/home/input0/Desktop/libiec61850/src/mms/asn1/ber_integer.c:49
    #4 0x55c2071ac8e3 in BerInteger_createFromInt32
/home/input0/Desktop/libiec61850/src/mms/asn1/ber_integer.c:97
    #5 0x55c2071a27e1 in MmsValue_newIntegerFromInt32
/home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:827
    #6 0x55c20719c1d0 in main
/home/input0/Desktop/libiec61850/examples/goose_publisher/goose_publisher_example.c:32
    #7 0x7f98bd3f0b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

Direct leak of 5 byte(s) in 1 object(s) allocated from:
    #0 0x7f98bdabdd38 in __interceptor_calloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded38)
    #1 0x55c2071bacc4 in Memory_calloc
/home/input0/Desktop/libiec61850/hal/memory/lib_memory.c:59
    #2 0x55c2071abd39 in Asn1PrimitiveValue_create
/home/input0/Desktop/libiec61850/src/mms/asn1/asn1_ber_primitive_value.c:35
    #3 0x55c2071ac49b in BerInteger_createInt32
/home/input0/Desktop/libiec61850/src/mms/asn1/ber_integer.c:49
    #4 0x55c2071ac8e3 in BerInteger_createFromInt32
/home/input0/Desktop/libiec61850/src/mms/asn1/ber_integer.c:97
    #5 0x55c2071a27e1 in MmsValue_newIntegerFromInt32
/home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:827
    #6 0x55c20719c192 in main
/home/input0/Desktop/libiec61850/examples/goose_publisher/goose_publisher_example.c:30
    #7 0x7f98bd3f0b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: 30 byte(s) leaked in 4 allocation(s).

Later CVE-2019-6135 was assigned to this issue.


Thank you
@mishradhiraj_
Current thread:

Memory leak in libiec61850 protocol Dhiraj Mishra (Jan 11)