Shadowsocks-libev: Mishandling of json configuration file could lead to Null Pointer Dereference

Created on 16 Oct 2017  ·  3 Comments  ·  Source: shadowsocks/shadowsocks-libev

What version of shadowsocks-libev are you using?

shadowsocks-libev-3.1.0

What operating system are you using?

Ubuntu 16.04 64 bit

What did you do?

When parsing the json configuration file, two of the properties ("mode", "plugin") do not perform null checking before invoking strlen:

https://github.com/shadowsocks/shadowsocks-libev/blob/c67d275803dc6ea22c558d06b1f7ba9f94cd8de3/src/jconf.c#L248-L253

Feeding a null json value to the "mode" or "plugin" property will trigger a process crash.

PoC:

(py3) ➜  src   ./ss-server -c config.json
[1]    28610 segmentation fault (core dumped)  ./ss-server -c config.json
(py3) ➜  src   cat config.json
{
    "server":"my_server_ip",
    "server_port":8388,
    "local_address": "127.0.0.1",
    "local_port":1080,
    "password":"mypassword",
    "timeout":300,
    "method":"aes-256-cfb",
    "fast_open": false,
    "plugin": null
}

What did you expect to see?

What did you see instead?

What is your config in detail (with all sensitive info masked)?

Regards,
Alex, SourceBrella Inc.
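To make the defect concrete, the following is an added C example, not code from shadowsocks-libev: the json_value struct, to_string, set_plugin_unsafe and set_plugin_safe are hypothetical stand-ins modelled on the report. It puts the strlen-on-NULL pattern beside a version that checks the JSON value type before any string function runs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for the parsed JSON value handed to jconf.c's option
 * handlers: a JSON null arrives as JSON_NULL carrying no string at all. */
typedef enum { JSON_NULL, JSON_STRING } json_type;
typedef struct { json_type type; const char *string; } json_value;

/* Hypothetical helper modelled on the report: heap copy for strings, NULL otherwise. */
static char *to_string(const json_value *v) {
    if (v->type != JSON_STRING) return NULL;
    size_t n = strlen(v->string) + 1;
    char *copy = malloc(n);
    return copy ? memcpy(copy, v->string, n) : NULL;
}

/* Vulnerable shape: strlen() runs on the NULL that "plugin": null produces. */
static char *set_plugin_unsafe(const json_value *v) {
    char *plugin = to_string(v);
    if (strlen(plugin) == 0) { free(plugin); return NULL; }  /* NULL dereference here */
    return plugin;
}

/* Hardened form: reject non-string values before any string function runs.
 * Returns 0 on success, -1 on a type error; *out receives the copy or NULL. */
static int set_plugin_safe(const json_value *v, char **out) {
    *out = NULL;
    if (v->type != JSON_STRING) {
        fprintf(stderr, "config error: \"plugin\" must be a string or omitted\n");
        return -1;
    }
    char *plugin = to_string(v);
    if (plugin == NULL) return -1;                        /* allocation failure */
    if (plugin[0] == '\0') { free(plugin); return 0; }    /* "" means no plugin */
    *out = plugin;
    return 0;
}

int main(void) {
    json_value null_v = { JSON_NULL, NULL };              /* the PoC's "plugin": null */
    json_value str_v  = { JSON_STRING, "example-plugin" }; /* constructed string value */
    char *p = NULL;
    int rc = set_plugin_safe(&null_v, &p);
    printf("null value: rc=%d plugin=%s\n", rc, p ? p : "(none)");
    rc = set_plugin_safe(&str_v, &p);
    printf("string value: rc=%d plugin=%s\n", rc, p ? p : "(none)");
    free(p);
    free(set_plugin_unsafe(&str_v));  /* fine for a string; &null_v would segfault like the PoC */
    return 0;
}
```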

All 3 comments

Cool! Thanks for reporting this!

I just noticed that it's part of this paper now: http://www.cs.ust.hk/~charlesz/pinpoint.pdf

Great work!
