# Segmentation Fault in S7Partner Destructor (pthread_cond_destroy) When Fuzzing snap7-rs Public API

Issue #ICBIOB, status: To do. Opened by Cwh, created 2025-05-29 21:22.
### Description

While fuzzing all public APIs of the snap7-rs crate using afl.rs, I discovered a critical memory safety issue. Specifically, the destructor of the S7Partner object triggers a segmentation fault during cleanup, caused by a crash in pthread_cond_destroy within the native C++ destructor chain.

### ASan Output

The following AddressSanitizer output demonstrates the crash:

### Driver Program

Here is the driver program used to reproduce the issue:

```rust
extern crate snap7_rs;

// Helpers that decode the raw crash-input bytes into the parameter types
// expected by the API under test. They panic on out-of-bounds indexes.
fn _to_u8(data: &[u8], index: usize) -> u8 {
    data[index]
}

fn _to_i8(data: &[u8], index: usize) -> i8 {
    data[index] as i8
}

// Combines two bytes by shift/OR. The low byte is sign-extended to i16
// before the OR, so this is not a plain big-endian read.
fn _to_i16(data: &[u8], index: usize) -> i16 {
    let data0 = _to_i8(data, index) as i16;
    let data1 = _to_i8(data, index + 1) as i16;
    data0 << 8 | data1
}

// Interprets a byte range as UTF-8; exits quietly (not a crash) if it is not.
fn _to_str(data: &[u8], start_index: usize, end_index: usize) -> &str {
    let data_slice = &data[start_index..end_index];
    use std::str;
    match str::from_utf8(data_slice) {
        Ok(s) => s,
        Err(_) => {
            use std::process;
            process::exit(0);
        }
    }
}

fn _to_i32(data: &[u8], index: usize) -> i32 {
    let data0 = _to_i16(data, index) as i32;
    let data1 = _to_i16(data, index + 2) as i32;
    data0 << 16 | data1
}

fn _to_u16(data: &[u8], index: usize) -> u16 {
    let data0 = _to_u8(data, index) as u16;
    let data1 = _to_u8(data, index + 1) as u16;
    data0 << 8 | data1
}

// The API sequence under test: create a partner, start it, stop it.
// The reported destructor crash occurs when `_local0` goes out of scope.
fn test_function4(_param0: i32, _param1: &str, _param2: &str, _param3: u16, _param4: u16) {
    unsafe {
        let _local0 = snap7_rs::S7Partner::create(_param0);
        snap7_rs::S7Partner::start_to(&(_local0), _param1, _param2, _param3, _param4);
        snap7_rs::S7Partner::stop(&(_local0));
    }
}

// Reads the crash file named on the command line.
fn _read_data() -> Vec<u8> {
    use std::env;
    use std::process::exit;
    let args: Vec<String> = env::args().collect();
    if args.len() < 2 {
        println!("No crash filename provided");
        exit(-1);
    }
    use std::path::PathBuf;
    let crash_file_name = &args[1];
    let crash_path = PathBuf::from(crash_file_name);
    if !crash_path.is_file() {
        println!("Not a valid crash file");
        exit(-1);
    }
    use std::fs;
    let data = fs::read(crash_path).unwrap();
    data
}

fn main() {
    let _content = _read_data();
    let data = &_content;
    println!("data = {:?}", data);
    println!("data len = {:?}", data.len());
    // actual body emit
    if data.len() < 10 {
        return;
    }
    // Input layout: i32 at offset 0, u16 at offsets 4 and 6, then the
    // remainder split into two equal-length strings.
    let dynamic_length = (data.len() - 8) / 2;
    let _param0 = _to_i32(data, 0);
    let _param1 = _to_str(data, 8 + 0 * dynamic_length, 8 + 1 * dynamic_length);
    let _param2 = _to_str(data, 8 + 1 * dynamic_length, data.len());
    let _param3 = _to_u16(data, 4);
    let _param4 = _to_u16(data, 6);
    test_function4(_param0, _param1, _param2, _param3, _param4);
}
```

### Reproduction

You can find the replay files, including the driver program and PoC, at: [https://github.com/cuiwenhao123/replay_file/tree/master/snap7-rs/replay_snap1](https://github.com/cuiwenhao123/replay_file/tree/master/snap7-rs/replay_snap1)

### Build and Run Instructions

To compile:

```sh
RUSTFLAGS="-Zsanitizer=address" CFLAGS="-fsanitize=address -g -O1 -fno-omit-frame-pointer" CXXFLAGS="-fsanitize=address -g -O1 -fno-omit-frame-pointer" LLVM_CONFIG="/usr/lib/llvm-15/bin/llvm-config" CC="clang-15" CXX="clang++-15" cargo +nightly-2022-09-15 build
```

To run:

```sh
RUST_BACKTRACE=1 ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-15/bin/llvm-symbolizer ./replay_snap1 ../../crash/crash_input
```

(Please adjust LLVM_CONFIG, CC, CXX, and ASAN_SYMBOLIZER_PATH to match your system.)

### Request

Please help confirm whether this is a genuine bug that needs to be fixed. Thank you!
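The driver above decodes a crash file into the parameters it passes to the API by indexing directly into the byte slice and calling `process::exit` on bad UTF-8, which means a short or malformed file aborts the harness instead of being reported as a rejected input. The following is an added example, not part of the issue report or the snap7-rs project, of a bounds-checked decoder for the same field layout (i32 at offset 0, u16 at offsets 4 and 6, the remainder split into two strings). It assumes big-endian integers (`from_be_bytes`), which is a design choice here and not necessarily what the reporter's shift/OR helpers compute; the sample input is constructed for the example and is not a real crash file.

```rust
use std::convert::TryInto;

// Decoded parameters for the API sequence under test. Field layout is taken
// from the driver in the report; the big-endian reading is an assumption.
#[derive(Debug, PartialEq)]
pub struct Params<'a> {
    pub param0: i32,
    pub param1: &'a str,
    pub param2: &'a str,
    pub param3: u16,
    pub param4: u16,
}

/// Decodes a crash-input buffer into `Params`, returning `None` instead of
/// panicking or exiting when the buffer is too short or a string field is
/// not valid UTF-8. A harness built on this rejects malformed inputs cleanly,
/// so any crash that remains comes from the API under test, not the decoder.
pub fn decode_params(data: &[u8]) -> Option<Params<'_>> {
    // Keep the same minimum length the driver uses.
    if data.len() < 10 {
        return None;
    }
    // Fixed-width integer fields; `get` returns None on out-of-range slices.
    let param0 = i32::from_be_bytes(data.get(0..4)?.try_into().ok()?);
    let param3 = u16::from_be_bytes(data.get(4..6)?.try_into().ok()?);
    let param4 = u16::from_be_bytes(data.get(6..8)?.try_into().ok()?);
    // Remaining bytes split into two strings of (len - 8) / 2 bytes each.
    let dynamic_length = (data.len() - 8) / 2;
    let param1 = std::str::from_utf8(data.get(8..8 + dynamic_length)?).ok()?;
    let param2 = std::str::from_utf8(data.get(8 + dynamic_length..)?).ok()?;
    Some(Params { param0, param1, param2, param3, param4 })
}

/// Builds a constructed sample input in the driver's layout (not a real crash file).
pub fn sample_input() -> Vec<u8> {
    let mut v = Vec::new();
    v.extend_from_slice(&1i32.to_be_bytes());
    v.extend_from_slice(&102u16.to_be_bytes());
    v.extend_from_slice(&102u16.to_be_bytes());
    v.extend_from_slice(b"127.0.0.1");
    v.extend_from_slice(b"127.0.0.2");
    v
}

fn main() {
    match decode_params(&sample_input()) {
        Some(p) => println!("decoded: {:?}", p),
        None => println!("input rejected"),
    }
    // A 9-byte buffer is rejected rather than panicking on a short slice.
    println!("short input -> {:?}", decode_params(&[0u8; 9]));
}
```

Running the block prints the decoded parameters for the constructed sample and shows that a short buffer yields `None`; an invalid UTF-8 string field is rejected the same way.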
Comments (0)
Repository (Rust): https://gitee.com/gmg137/snap7-rs.git