gmg137 / snap7-rs
Heap buffer overflow in S7Client::download due to unchecked size parameter
To do
#ID2H7V
Cwh
Created on 2025-10-18 12:26
AddressSanitizer detected a critical heap-buffer-overflow in snap7_rs::client::S7Client::download. The C++ implementation performs an unchecked memcpy using a user-controlled size parameter that can exceed the actual buffer length, combined with improper fat pointer casting in the FFI layer.

input:

```
data = [71, 71, 71, 71, 119, 71, 71, 71, 71, 71, 71, 71, 71, 71, 71, 71, 71, 2, 0]
data len = 19
```

ASan Report:

```
==1780427==ERROR: AddressSanitizer: heap-buffer-overflow READ of size 2001160007 at 0x7c1736de001b
Stack trace:
    #0 __asan_memcpy
    #1 TSnap7MicroClient::Download(int, void*, int) at s7_micro_client.cpp:3017:9
    #2 snap7_rs::client::S7Client::download at client.rs:1194:13
    #3 replay_snap7_rs27::test_function27 at main.rs:31:9
```

replay_file:

```rust
extern crate snap7_rs;
use std::ffi::{CString, CStr};

// Big-endian-style decoding helpers generated by the fuzzing harness:
// four bytes -> i32 via two i16 halves, two bytes -> i16 via two i8 halves.
fn _to_i32(data: &[u8], index: usize) -> i32 {
    let data0 = _to_i16(data, index) as i32;
    let data1 = _to_i16(data, index + 2) as i32;
    data0 << 16 | data1
}

fn _to_mut_slice<T: Copy>(data: &[u8], start_index: usize, end_index: usize) -> Vec<T> {
    let data_slice = &data[start_index..end_index];
    let mut vec = Vec::new();
    let (_, shorts, _) = unsafe { data_slice.align_to::<T>() };
    vec.extend_from_slice(shorts);
    vec
}

fn _to_i16(data: &[u8], index: usize) -> i16 {
    let data0 = _to_i8(data, index) as i16;
    let data1 = _to_i8(data, index + 1) as i16;
    data0 << 8 | data1
}

fn _to_i8(data: &[u8], index: usize) -> i8 {
    data[index] as i8
}

// The call under test: _param2 is the size handed to the C++ Download().
fn test_function27(_param0: i32, _param1: &mut [u8], _param2: i32) {
    unsafe {
        let _local0 = snap7_rs::S7Client::create();
        snap7_rs::S7Client::download(&(_local0), _param0, _param1, _param2);
    }
}

fn _read_data() -> Vec<u8> {
    use std::env;
    use std::process::exit;
    let args: Vec<String> = env::args().collect();
    if args.len() < 2 {
        println!("No crash filename provided");
        exit(-1);
    }
    use std::path::PathBuf;
    let crash_file_name = &args[1];
    let crash_path = PathBuf::from(crash_file_name);
    if !crash_path.is_file() {
        println!("Not a valid crash file");
        exit(-1);
    }
    use std::fs;
    let data = fs::read(crash_path).unwrap();
    data
}

fn main() {
    let _content = _read_data();
    let data = &_content;
    println!("data = {:?}", data);
    println!("data len = {:?}", data.len());
    // actual body emit
    if data.len() < 9 {
        return;
    }
    let dynamic_length = (data.len() - 8) / 1;
    // bytes 0..4 -> block number, bytes 4..8 -> size, bytes 8.. -> buffer
    let _param0 = _to_i32(data, 0);
    let mut vec1 = _to_mut_slice::<u8>(data, 8 + 0 * dynamic_length, data.len());
    let _param1 = vec1.as_mut_slice();
    let _param2 = _to_i32(data, 4);
    test_function27(_param0, _param1, _param2);
}
```
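The following is an added example, not code from snap7-rs or from the issue author. It shows what a bounds-checked FFI wrapper for a download-style call needs in order to close the two defects described in the report: the caller-supplied size must be validated against the real buffer length before the C side copies anything, and the C side must receive the data pointer (`data.as_ptr()`) rather than the address of the Rust fat pointer `&[u8]`. `native_download`, `download_checked`, `DownloadError` and `split_replay_input` are names chosen for this example; `native_download` is a hypothetical stand-in for the C entry point behind `TSnap7MicroClient::Download` (the real library is not linked), and `CRASH_INPUT` is the 19-byte input quoted in the report, decoded the way the replay harness decodes it.

```rust
// Added example (not snap7-rs code): a bounds-checked wrapper around a
// hypothetical C download routine that trusts its `size` argument.
use std::fmt;
use std::os::raw::{c_int, c_void};

#[derive(Debug, PartialEq, Eq)]
pub enum DownloadError {
    NegativeSize(i32),
    SizeExceedsBuffer { size: usize, len: usize },
    Native(i32),
}

impl fmt::Display for DownloadError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            DownloadError::NegativeSize(s) => write!(f, "negative size {}", s),
            DownloadError::SizeExceedsBuffer { size, len } => {
                write!(f, "size {} exceeds buffer length {}", size, len)
            }
            DownloadError::Native(rc) => write!(f, "native call failed with {}", rc),
        }
    }
}

/// Hypothetical C-side function (constructed for this example). Like the real
/// Download(int, void*, int) it trusts `size` completely: it cannot know how
/// long the buffer behind `data` really is. It "copies" `size` bytes by summing
/// them and returns the sum, so a test can confirm it saw the payload bytes
/// and not the words of a fat pointer.
unsafe extern "C" fn native_download(_block_num: c_int, data: *const c_void, size: c_int) -> c_int {
    let view = std::slice::from_raw_parts(data as *const u8, size as usize);
    view.iter().map(|&b| u32::from(b)).sum::<u32>() as c_int
}

/// Safe wrapper: rejects any size the buffer cannot back before crossing the
/// FFI boundary. Returns the native return code on success.
pub fn download_checked(block_num: i32, data: &[u8], size: i32) -> Result<i32, DownloadError> {
    // A negative i32 reinterpreted as size_t on the C side becomes a huge
    // memcpy length, so it is refused outright.
    if size < 0 {
        return Err(DownloadError::NegativeSize(size));
    }
    let wanted = size as usize;
    if wanted > data.len() {
        return Err(DownloadError::SizeExceedsBuffer { size: wanted, len: data.len() });
    }
    // SAFETY: wanted <= data.len(), so the callee reads only initialised bytes,
    // and data.as_ptr() is the thin pointer to those bytes.
    let rc = unsafe { native_download(block_num, data.as_ptr() as *const c_void, size) };
    if rc < 0 { Err(DownloadError::Native(rc)) } else { Ok(rc) }
}

/// Shows the fat-pointer mistake: casting `&data` (a `&&[u8]`) yields the
/// address of the (ptr, len) pair, not of the bytes. Returns true when the two
/// addresses differ, which they always do.
pub fn fat_pointer_is_not_data_pointer(data: &[u8]) -> bool {
    let wrong = &data as *const &[u8] as *const u8; // address of the fat pointer itself
    let right = data.as_ptr(); // address of the first payload byte
    std::mem::size_of::<&[u8]>() == 2 * std::mem::size_of::<usize>() && wrong != right
}

/// The 19-byte crash input quoted in the report.
pub const CRASH_INPUT: [u8; 19] = [71, 71, 71, 71, 119, 71, 71, 71, 71, 71, 71, 71, 71, 71, 71, 71, 71, 2, 0];

fn be_i32(b: &[u8]) -> i32 {
    i32::from_be_bytes([b[0], b[1], b[2], b[3]])
}

/// Splits a replay input the way the harness does: bytes 0..4 -> block number,
/// bytes 4..8 -> size, bytes 8.. -> the buffer handed to download().
pub fn split_replay_input(input: &[u8]) -> Option<(i32, i32, &[u8])> {
    if input.len() < 9 {
        return None;
    }
    Some((be_i32(&input[0..4]), be_i32(&input[4..8]), &input[8..]))
}

fn main() {
    let (block, size, buf) = split_replay_input(&CRASH_INPUT).expect("input too short");
    println!("block={} size={} buffer_len={}", block, size, buf.len());
    match download_checked(block, buf, size) {
        Ok(rc) => println!("native returned {}", rc),
        Err(e) => println!("rejected before FFI: {}", e),
    }
    println!("fat pointer != data pointer: {}", fat_pointer_is_not_data_pointer(buf));
}
```

With the report's input the wrapper decodes size 2001160007 against an 11-byte buffer and returns `SizeExceedsBuffer` without ever calling the native routine, which is the check the trace shows missing between `S7Client::download` and `TSnap7MicroClient::Download`.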
https://gitee.com/gmg137/snap7-rs.git