Heap buffer overflow in S7Client::as_ct_write due to FFI pointer misuse and size mismatch
待办的
#ID2H74
Cwh
创建于
2025-10-18 12:08
AddressSanitizer detected a heap-buffer-overflow — an out-of-bounds **read** of the caller's buffer — in `snap7_rs::client::S7Client::as_ct_write` during fuzz testing. The cause shown by the trace is a missing consistency check between the `amount` argument and the length of the `&mut [u8]` buffer: the wrapper passes the buffer's data pointer and the caller-supplied `amount` to the native `TSnap7Client::AsCTWrite`, and the C++ side (`AsWriteArea`, `s7_client.cpp:189`) `memcpy`s as many bytes as `amount` implies, with no knowledge of the slice's real length. (The original report also blamed a Rust fat pointer being cast to `void*`; nothing in the sanitizer output supports that — the overflowing read is sized by `amount`, not by the pointer cast — so treat that part as unconfirmed until `client.rs:2396` is inspected.)

replay_file (reformatted from the one-line paste; note that `//actual body emit` is a line comment and must sit on its own line, otherwise it swallows the rest of `main`):

```rust
extern crate snap7_rs;
use std::ffi::{CString, CStr};

fn _to_i32(data: &[u8], index: usize) -> i32 {
    let data0 = _to_i16(data, index) as i32;
    let data1 = _to_i16(data, index + 2) as i32;
    data0 << 16 | data1
}

fn _to_mut_slice<T: Copy>(data: &[u8], start_index: usize, end_index: usize) -> Vec<T> {
    let data_slice = &data[start_index..end_index];
    let mut vec = Vec::new();
    let (_, shorts, _) = unsafe { data_slice.align_to::<T>() };
    vec.extend_from_slice(shorts);
    vec
}

fn _to_i16(data: &[u8], index: usize) -> i16 {
    let data0 = _to_i8(data, index) as i16;
    let data1 = _to_i8(data, index + 1) as i16;
    data0 << 8 | data1
}

fn _to_i8(data: &[u8], index: usize) -> i8 {
    data[index] as i8
}

fn test_function11(_param0: i32, _param1: &mut [u8], _param2: i32, _param3: i32, _param4: i32, _param5: &mut [u8]) {
    unsafe {
        let _local0 = snap7_rs::S7Client::create();
        snap7_rs::S7Client::as_download(&(_local0), _param0, _param1, _param2);
        snap7_rs::S7Client::as_ct_write(&(_local0), _param3, _param4, _param5);
    }
}

fn _read_data() -> Vec<u8> {
    use std::env;
    use std::process::exit;
    let args: Vec<String> = env::args().collect();
    if args.len() < 2 {
        println!("No crash filename provided");
        exit(-1);
    }
    use std::path::PathBuf;
    let crash_file_name = &args[1];
    let crash_path = PathBuf::from(crash_file_name);
    if !crash_path.is_file() {
        println!("Not a valid crash file");
        exit(-1);
    }
    use std::fs;
    let data = fs::read(crash_path).unwrap();
    data
}

fn main() {
    let _content = _read_data();
    let data = &_content;
    println!("data = {:?}", data);
    println!("data len = {:?}", data.len());
    //actual body emit
    if data.len() < 18 { return; }
    let dynamic_length = (data.len() - 16) / 2;
    let _param0 = _to_i32(data, 0);
    let mut vec1 = _to_mut_slice::<u8>(data, 16 + 0 * dynamic_length, 16 + 1 * dynamic_length);
    let _param1 = vec1.as_mut_slice();
    let _param2 = _to_i32(data, 4);
    let _param3 = _to_i32(data, 8);
    let _param4 = _to_i32(data, 12);
    let mut vec5 = _to_mut_slice::<u8>(data, 16 + 1 * dynamic_length, data.len());
    let _param5 = vec5.as_mut_slice();
    test_function11(_param0, _param1, _param2, _param3, _param4, _param5);
}
```

Crash Details:

Input that triggered the crash:

```
data = [240, 255, 138, 255, 255, 248, 240, 241, 240, 240, 240, 100, 0, 0, 0, 112, 240, 222, 50]
data len = 19
```

AddressSanitizer Report:

```
==1762733==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7be7617e0038
READ of size 224 at 0x7be7617e0038 thread T0
Stack trace:
#0 __asan_memcpy
#1 TSnap7Client::AsWriteArea(int, int, int, int, int, void*) at /Rust-Lib-Testing/tests/snap7-rs/native/s7_client.cpp:189:9
#2 TSnap7Client::AsCTWrite(int, int, void*) at /Rust-Lib-Testing/tests/snap7-rs/native/s7_client.cpp:413:12
#3 snap7_rs::client::S7Client::as_ct_write at /Rust-Lib-Testing/tests/snap7-rs/src/client.rs:2396:13
#4 replay_snap7_rs11::test_function11 at replay_snap7_rs11/src/main.rs:32:9
```

Analysis: decoding the crashing input with the replay's own helpers gives `amount = _to_i32(data, 12) = 112`, while the buffer passed as the last argument is `data[17..19]`, i.e. 2 bytes long. ASan reports a read of 224 bytes, which is exactly 112 × 2 — consistent with the native library treating each counter as a 2-byte word and copying `amount * 2` bytes out of a 2-byte heap allocation. No connect call appears in the replay, so the over-read is reached before any PLC communication; the bytes copied are whatever heap memory follows the buffer, and on a connected client they would presumably become the counter payload written to the PLC.

Suggested fix: in the Rust wrapper, derive the required byte length from `amount` (using the 2-bytes-per-counter size implied by the trace, with `checked_mul` and a rejection of negative values) and return an error before calling into snap7 whenever `buf.len()` is smaller than that, so the C side can never read past the slice. If `as_ct_write` is exposed as a safe `fn`, this is a soundness bug rather than just a crash, since safe Rust must not be able to trigger an out-of-bounds read. The sibling `as_*_write` / `as_*_read` wrappers that take an `amount` plus a slice likely go through the same `AsWriteArea`/`AsReadArea` path and should get the same length check.