[Bug] Potential heap-buffer-overflow crash in dlt-sortbytimestamp.c #792

@ShangzhiXu

Description


Hi team! Thanks for your great work!
I think I found a critical vulnerability that leads to a Heap Buffer Overflow in the system.

It is located in the main function in src/console/dlt-sortbytimestamp.c.

PoC

First, we need to generate a valid DLT file to pass the initial file checks. You can use the following Python script:

```python
import struct

with open("poc.dlt", "wb") as f:
    for i in range(20):
        # Storage Header (DLT\x01 + Timestamp + ECU)
        f.write(b"DLT\x01" + struct.pack("<II", i, 0) + b"ECU1")
        # Standard Header (HTYP=0x00, MCNT, LEN=8)
        f.write(b"\x00" + struct.pack("B", i % 256) + struct.pack(">H", 8))
        # Payload
        f.write(b"PAYL")
```

Then, we run:

```
./src/console/dlt-sortbytimestamp -b 2 -e 5 poc.dlt output.dlt
```

We can see the following crash (Heap Buffer Overflow):

```
=================================================================
==2832739==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x506000000068 at pc 0x5b2e0bbe06ad bp 0x7ffd42682b10 sp 0x7ffd42682b00
WRITE of size 4 at 0x506000000068 thread T0
    #0 0x5b2e0bbe06ac in main /mnt/data3/weisong/ACT/fuz/targets/dlt-daemon/src/console/dlt-sortbytimestamp.c:414
    #1 0x7a140b229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #2 0x7a140b229e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #3 0x5b2e0bbe0764 in _start (/mnt/data3/weisong/ACT/fuz/targets/dlt-daemon/build-asan/src/console/dlt-sortbytimestamp+0x4764)
==2832739==ABORTING
```

Root Cause

1. The memory size is calculated based on the count of messages in the selected range, at lines 392-394:

```c
message_count = (uint32_t) (1 + end - begin);                                              // 1+5-2 = 4
timestamp_index = (TimestampIndex *) malloc(sizeof(TimestampIndex) * (message_count + 1)); // allocated 5 items
```

2. After iterating through the message range, the loop variable num holds the value end + 1 (lines 405-414). This leads to the crash when indexing timestamp_index[num]:

```c
for (num = begin; num <= end; num++) {
    ...
}                                                  // num = end + 1 = 6
timestamp_index[num].num = timestamp_index[0].num; // crash
```
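The off-by-one described above, modelled with an explicit bounds check so the arithmetic can be verified for the reported parameters (-b 2 -e 5). This is an added example, not code from dlt-daemon: the TimestampIndex fields and the relative-index (num - begin) fix are assumptions, not the project's patch.

```c
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for the project's TimestampIndex; field names are assumed. */
typedef struct { uint32_t num; uint32_t tmsp; } TimestampIndex;

/* Slots the report says are allocated for begin..end:
 * message_count + 1, with message_count = 1 + end - begin. */
static uint32_t allocated_slots(uint32_t begin, uint32_t end) {
    return (1 + end - begin) + 1;
}

static int index_in_bounds(uint32_t begin, uint32_t end, uint32_t idx) {
    return idx < allocated_slots(begin, end);
}
/* Bounds-checked construction: every write uses the relative index
 * num - begin, so the trailing entry lands in the spare slot message_count
 * instead of at end + 1. Returns 0 and sets *out/*tail on success, -1
 * otherwise; caller frees *out. (Assumed fix, not the project's patch.) */
static int build_index(uint32_t begin, uint32_t end,
                       TimestampIndex **out, uint32_t *tail) {
    if (end < begin || end > UINT32_MAX - 2) return -1;  /* no wraparound */
    TimestampIndex *t = calloc(allocated_slots(begin, end), sizeof *t);
    if (t == NULL) return -1;
    uint32_t num, idx;
    for (num = begin; num <= end; num++) {
        idx = num - begin;
        if (!index_in_bounds(begin, end, idx)) { free(t); return -1; }
        t[idx].num = num;
        t[idx].tmsp = 0;                       /* constructed timestamp */
    }
    idx = num - begin;                         /* == message_count, not num */
    if (!index_in_bounds(begin, end, idx)) { free(t); return -1; }
    t[idx].num = t[0].num;                     /* trailing entry, in bounds */
    *out = t; *tail = idx;
    return 0;
}

/* Builds the table for one range and returns the trailing index if the
 * result is consistent (t[0] holds `begin`, trailing entry copies t[0]),
 * or -1 on a rejected range. */
static int trailing_index(uint32_t begin, uint32_t end) {
    TimestampIndex *t = NULL;
    uint32_t tail = 0;
    if (build_index(begin, end, &t, &tail) != 0) return -1;
    int ok = (t[0].num == begin) && (t[tail].num == t[0].num);
    free(t);
    return ok ? (int)tail : -1;
}
```

With the reported range, index 6 (the loop variable after the loop) fails the bounds check against the 5 allocated slots, while the relative index 4 lands in the spare slot.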
