Use of uninitialized value in PubSub decode message
Description
For reference (link requires login): https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49819
Reproducer: clusterfuzz-testcase-minimized-sub_fuzzer-6194281487925248
The memory sanitizer detects a use of an uninitialized variable in Decode_Message_V1:
==13==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x53f5bd in SOPC_Sub_GetReader /src/S2OPC/src/PubSub/subscriber/sopc_reader_layer.c:172:44
#1 0x53775c in Decode_Message_V1 /src/S2OPC/src/PubSub/network/sopc_network_layer.c:1284:29
#2 0x53775c in SOPC_UADP_NetworkMessage_Decode /src/S2OPC/src/PubSub/network/sopc_network_layer.c:1470:22
#3 0x527fe3 in LLVMFuzzerTestOneInput /src/S2OPC/tests/PubSub/fuzzing/fuzz_sub.c:157:41
#4 0x455133 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#5 0x440dc2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#6 0x44660c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#7 0x46f202 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#8 0x7f4dceb0d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#9 0x41f5ed in _start (/out/sub_fuzzer+0x41f5ed)
Analysis
writer_id, in the following for-loop in Decode_Message_V1, is uninitialized before its use when there is nothing left to read in the buffer (the read fails, writer_id is never written, and it is still passed to the reader lookup callback):

    for (int i = 0; i < msg_count && SOPC_STATUS_OK == status; i++)
    {
        SOPC_Dataset_LL_DataSetMessage* dsm = SOPC_Dataset_LL_NetworkMessage_Get_DataSetMsg_At(nm, i);
        uint16_t writer_id;
        status = SOPC_UInt16_Read(&writer_id, buffer, 0);
        check_status_and_set_default(status, SOPC_UADP_NetworkMessage_Error_Read_Short_Failed);
        /* [...] */
        dsmReaders[i] = readerConf->callbacks.pGetReader_Func(group, conf, writer_id, (uint8_t) i);
    }
TODO
- initialize the value,
- do not call readerConf->callbacks.pGetReader_Func when status is not OK,
- check that there are no similar cases in this file.
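The two fixes listed above, shown on a self-contained stand-in for the decode loop. This is an added example, not S2OPC code: Buffer, read_u16, get_reader, ReaderLog and the Status values are constructed replacements for SOPC_Buffer, SOPC_UInt16_Read, pGetReader_Func and the real SOPC_ReturnStatus codes, and the input byte strings are constructed. The reader lookup records every writer_id it is asked about, so a short buffer can be checked to never reach the lookup with an unread value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed status codes standing in for SOPC_ReturnStatus (assumption). */
typedef enum { STATUS_OK = 0, STATUS_READ_SHORT_FAILED = 1 } Status;

/* Minimal read cursor, a stand-in for SOPC_Buffer (assumption). */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} Buffer;

/* Little-endian uint16 read with the same contract as the read in the issue:
   on a short buffer it reports an error and does NOT write *out. */
static Status read_u16(uint16_t *out, Buffer *buf)
{
    if (buf->len - buf->pos < 2)
    {
        return STATUS_READ_SHORT_FAILED; /* *out left untouched on this path */
    }
    *out = (uint16_t) (buf->data[buf->pos] | (buf->data[buf->pos + 1] << 8));
    buf->pos += 2;
    return STATUS_OK;
}

/* Plays the role of pGetReader_Func: records each writer_id it is queried with. */
#define MAX_CALLS 8
typedef struct {
    uint16_t writer_ids[MAX_CALLS];
    int count;
} ReaderLog;

static void get_reader(ReaderLog *log, uint16_t writer_id, uint8_t index)
{
    (void) index;
    if (log->count < MAX_CALLS)
    {
        log->writer_ids[log->count++] = writer_id;
    }
}

/* Hardened loop: writer_id always holds a defined value (fix 1) and the reader
   lookup runs only after a successful read (fix 2). */
static Status decode_dataset_messages(Buffer *buf, int msg_count, ReaderLog *log)
{
    Status status = STATUS_OK;
    for (int i = 0; i < msg_count && STATUS_OK == status; i++)
    {
        uint16_t writer_id = 0; /* fix 1: initialized even if the read fails */
        status = read_u16(&writer_id, buf);
        if (STATUS_OK != status)
        {
            break; /* fix 2: never look up a reader for an unread writer_id */
        }
        get_reader(log, writer_id, (uint8_t) i);
    }
    return status;
}

/* Observable outcome of one decode run, for checking the behaviour. */
typedef struct {
    Status status;
    int calls;
    uint16_t last_writer_id;
} Result;

static Result run(const uint8_t *bytes, size_t len, int msg_count)
{
    Buffer buf = {bytes, len, 0};
    ReaderLog log = {{0}, 0};
    Result r;
    r.status = decode_dataset_messages(&buf, msg_count, &log);
    r.calls = log.count;
    r.last_writer_id = log.count > 0 ? log.writer_ids[log.count - 1] : 0;
    return r;
}

/* Constructed inputs: two complete writer ids, and the same truncated by a byte. */
static const uint8_t COMPLETE_MSG[4] = {0x01, 0x00, 0x02, 0x00};
static const uint8_t SHORT_MSG[3] = {0x01, 0x00, 0x02};

int main(void)
{
    Result ok = run(COMPLETE_MSG, sizeof COMPLETE_MSG, 2);
    Result shrt = run(SHORT_MSG, sizeof SHORT_MSG, 2);
    printf("complete: status=%d lookups=%d\n", ok.status, ok.calls);
    printf("short:    status=%d lookups=%d\n", shrt.status, shrt.calls);
    return 0;
}
```

Under MemorySanitizer the original loop trips on the second message of SHORT_MSG; with the early break the lookup is reached exactly once, for the writer id that was actually read, and the short-read status propagates out of the loop.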
NOTE: the mention "Credit to OSS-Fuzz" should appear in the commit titles or texts.