
Multiple calls to SOPC_ClientHelper_Connect might lead to invalid memory access

Description

An unexpected repeated call to SOPC_ClientHelper_Connect with the same configuration might lead to an invalid memory access.

As indicated in the SOPC_ClientHelper_Connect documentation, a single connection can be obtained for a given secure connection configuration parameter secConnConfig. If this function was called for an already established connection configuration before SOPC_ClientHelper_Disconnect was called on the single connection already created, the memory context of the existing connection instance was freed.

Code version and environment identification

Introduced with the new client API in ec2e71a2. Present in d6287740.

Steps to reproduce

  1. Create a connection with SOPC_ClientHelper_Connect for a given configuration cfg
  2. Send a large number of requests to a server (e.g. 10 000)
  3. Quickly stop the server before the requests have been processed
  4. In the disconnection callback SOPC_ClientConnectionEvent_Fct, trigger a new SOPC_ClientHelper_Connect call on the same cfg without a prior call to SOPC_ClientHelper_Disconnect

Relevant logs and/or screenshots

Invalid memory access after second call to SOPC_ClientHelper_Connect:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==2057750==ERROR: AddressSanitizer: SEGV on unknown address 0x000700000913 (pc 0x6131b94f5860 bp 0x77a96e6f5b90 sp 0x77a96e6f5b70 T2)
==2057750==The signal is caused by a READ memory access.
    #0 0x6131b94f5860 in SOPC_Mutex_Lock S2OPC/src/Common/helpers_platform_dep/linux/p_sopc_threads.c:161
    #1 0x6131b948d23e in SOPC_StaMac_EventDispatcher S2OPC/src/ClientServer/frontend/client_wrapper/internal/state_machine.c:1529
    #2 0x6131b9484be2 in SOPC_ClientInternal_ToolkitEventCallback S2OPC/src/ClientServer/frontend/client_wrapper/libs2opc_client.c:493
    #3 0x6131b947fd23 in SOPC_Helper_ComEventCb S2OPC/src/ClientServer/frontend/common_wrapper/libs2opc_common_config.c:123
    #4 0x6131b94992ce in onComEvent S2OPC/src/ClientServer/api_toolkit/sopc_internal_app_dispatcher.c:131
    #5 0x6131b94faa82 in looper_loop S2OPC/src/Common/helpers/sopc_event_handler.c:108

Analysis

When SOPC_ClientHelper_Connect fails because a connection already exists, the code always clears the connection, whereas in that case it shall only return a failure status and keep the existing connection unchanged.

Security impact

No security impact identified (misuse of API by application).

Possible fixes

In the failure path, check whether the connection already existed and do not clear the connection content in that case.
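As an added illustration (a hypothetical model written for this issue, not S2OPC's own code), the failure-path cleanup described above beside the proposed fix: a configuration holds at most one connection, and only a connection created by the current call may be cleaned up when that call fails. The names SecConnConfig, open_connection and client_connect are assumptions.

```c
#include <stdlib.h>

/* Hypothetical model of the reported bug, not S2OPC's own code: a
 * configuration owns at most one connection, and a second Connect on the
 * same configuration must fail without touching the existing connection. */
typedef struct { int connected; } Connection;
typedef struct { const char *url; Connection *conn; } SecConnConfig;
enum { STATUS_OK = 0, STATUS_INVALID_STATE = 1, STATUS_NOK = 2 };

/* Constructed transport stub: a NULL url stands for a failed handshake. */
static Connection *open_connection(const SecConnConfig *cfg)
{
    Connection *c = cfg->url ? calloc(1, sizeof *c) : NULL;
    if (c) c->connected = 1;
    return c;
}

/* fixed == 0 reproduces the reported behaviour, fixed == 1 applies the fix. */
static int client_connect(SecConnConfig *cfg, int fixed)
{
    int status = STATUS_OK;
    const int already_existed = (cfg->conn != NULL);
    if (already_existed)
        status = STATUS_INVALID_STATE;          /* single connection per cfg */
    else if ((cfg->conn = open_connection(cfg)) == NULL)
        status = STATUS_NOK;
    /* Bug: the cleanup runs on every failure, so the "already connected"
     * failure frees a live connection that the state machine and the
     * disconnection callback still reference. Fix: only undo a connection
     * that this very call created. */
    if (status != STATUS_OK && (!fixed || !already_existed)) {
        free(cfg->conn);
        cfg->conn = NULL;
    }
    return status;
}

/* Returns 1 if a second Connect on the same cfg leaves the first intact. */
static int second_connect_keeps_connection(int fixed)
{
    SecConnConfig cfg = { "opc.tcp://constructed.example:4840", NULL };
    if (client_connect(&cfg, fixed) != STATUS_OK) return 0;
    Connection *first = cfg.conn;
    int kept = (client_connect(&cfg, fixed) == STATUS_INVALID_STATE
                && cfg.conn == first && cfg.conn->connected == 1);
    free(cfg.conn);
    return kept;
}
```

With fixed == 0 the second call returns the failure status but has already freed the live connection, which is the state the ASan trace above shows being dereferenced from the event dispatcher.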

Edited by Vincent Monfort