Bug #942 » trace.txt

Marco Eichelberg, 2020-08-21 11:15

 
D: $dcmtk: findscu v3.6.5 2019-10-28 $
D:
W: no data dictionary loaded, check environment variable: DCMDICTPATH
D: Request Parameters:
D: ====================== BEGIN A-ASSOCIATE-RQ =====================
D: Our Implementation Class UID: 1.2.276.0.7230010.3.0.3.6.5
D: Our Implementation Version Name: OFFIS_DCMTK_365
D: Their Implementation Class UID:
D: Their Implementation Version Name:
D: Application Context Name: 1.2.840.10008.3.1.1.1
D: Calling Application Name: FINDSCU
D: Called Application Name: ANY-SCP
D: Responding Application Name: ANY-SCP
D: Our Max PDU Receive Size: 16384
D: Their Max PDU Receive Size: 0
D: Presentation Contexts:
D: Context ID: 1 (Proposed)
D: Abstract Syntax: =FINDModalityWorklistInformationModel
D: Proposed SCP/SCU Role: Default
D: Proposed Transfer Syntax(es):
D: =LittleEndianExplicit
D: =BigEndianExplicit
D: =LittleEndianImplicit
D: Requested Extended Negotiation: none
D: Accepted Extended Negotiation: none
D: Requested User Identity Negotiation: none
D: User Identity Negotiation Response: none
D: ======================= END A-ASSOCIATE-RQ ======================
I: Requesting Association
T: DUL FSM Table: State: 1 Event: 0
T: DUL Event: A-ASSOCIATE request (local user)
T: DUL Action: AE 1 Transport Connect
T: Receiving data via select()
D: setting network send timeout to 60 seconds
D: setting network receive timeout to 60 seconds
T: checking whether environment variable TCP_BUFFER_LENGTH is set
T: environment variable TCP_BUFFER_LENGTH not set, using the system defaults
T: checking whether environment variable TCP_NODELAY is set
T: environment variable TCP_NODELAY not set, using the default value (0)
T: DUL FSM Table: State: 4 Event: 1
T: DUL Event: Transport conn confirmation (local)
T: DUL Action: AE 2 Send Associate RQ PDU
D: Constructing Associate RQ PDU
T: setting timeout for first PDU to be read to 1 seconds
T: Read PDU HEAD TCP: 02 f7 00 00 00 a4
T: Read PDU HEAD TCP: type: 02, length: 164 (a4)
T: DUL FSM Table: State: 5 Event: 2
T: DUL Event: A-ASSOCIATE-AC PDU (on transport)
T: DUL Action: AE 3 Associate Confirmation Accept
D: PDU Type: Associate Accept, PDU Length: 164 + 6 bytes PDU header
D: 02 f7 00 00 00 a4 b6 cd b6 b6 b6 20 01 00 00 00
D: d0 b6 b6 b6 b6 b6 b6 b6 00 80 b6 b6 b6 b6 b6 00
D: 06 b6 b6 80 00 b6 b6 b6 ff ff ff 00 00 00 00 00
D: 00 00 00 00 00 00 00 00 23 00 00 00 00 f7 00 00
D: 00 00 00 00 00 00 00 f2 4f 30 50 50 00 10 54 00
D: 00 04 00 00 00 80 54 00 00 04 00 00 00 00 10 00
D: 00 04 01 02 46 50 20 00 00 04 01 19 b6 5c 20 00
D: 00 04 01 00 46 50 50 00 00 10 54 00 00 04 00 00
D: 00 50 54 00 00 04 00 00 46 50 50 50 50 50 50 50
D: 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50
D: 50 50 50 50 50 50 50 50 50 50
D: Parsing an A-ASSOCIATE PDU
T: PDU type: 2 (A-ASSOCIATE AC), PDU Length: 164
T: DICOM Protocol: b6cd
T: Called AP Title: ? 
T: Calling AP Title: ?????
T: Parsing remaining 96 bytes of A-ASSOCIATE PDU
T: Next item type: 50
T: Parsing user info field (50), Length: 16
T: Parsing remaining 16 bytes of User Information
T: Next item type: 54
T: Subitem parse: Type 54, Length 0004, Content: SOP Class: SCU: 0 SCP: 128
T: Parsing remaining 8 bytes of User Information
T: Next item type: 54
T: Subitem parse: Type 54, Length 0004, Content: SOP Class: SCU: 0 SCP: 0
T: Successfully parsed User Information
T: Parsing remaining 76 bytes of A-ASSOCIATE PDU
T: Next item type: 10
T: Subitem parse: Type 10, Length 0004, Content: FP
T: Successfully parsed Application Context
T: Parsing remaining 68 bytes of A-ASSOCIATE PDU
T: Next item type: 20
T: Parsing Presentation Context: (20), Length: 4
T: Presentation Context ID: 01
T: Successfully parsed Presentation Context
T: Parsing remaining 60 bytes of A-ASSOCIATE PDU
T: Next item type: 20
T: Parsing Presentation Context: (20), Length: 4
T: Presentation Context ID: 01
T: Successfully parsed Presentation Context
T: Parsing remaining 52 bytes of A-ASSOCIATE PDU
T: Next item type: 50
T: Parsing user info field (50), Length: 16
T: Parsing remaining 16 bytes of User Information
T: Next item type: 54
T: Subitem parse: Type 54, Length 0004, Content: SOP Class: SCU: 0 SCP: 80
T: Parsing remaining 8 bytes of User Information
T: Next item type: 54
=================================================================
==7400==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000002cc8 at pc 0x557c8b6eb510 bp 0x7ffc2463e120 sp 0x7ffc2463e110
READ of size 1 at 0x612000002cc8 thread T0
#0 0x557c8b6eb50f in OFStandard::my_strlcpy(char*, char const*, unsigned long) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/ofstd/libsrc/ofstd.cc:223
#1 0x557c8b0e1809 in OFStandard::strlcpy(char*, char const*, unsigned long) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/ofstd/include/dcmtk/ofstd/ofstd.h:117
#2 0x557c8b119cba in parseSCUSCPRole /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dulparse.cc:739
#3 0x557c8b1157e5 in parseUserInfo /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dulparse.cc:532
#4 0x557c8b10d164 in parseAssociate(unsigned char*, unsigned long, dul_associatepdu*) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dulparse.cc:247
#5 0x557c8b0e5f39 in AE_3_AssociateConfirmationAccept /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dulfsm.cc:941
#6 0x557c8b0e49e6 in PRV_StateMachine(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, int, void*) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dulfsm.cc:786
#7 0x557c8b0c4056 in DUL_RequestAssociation(void**, DUL_BLOCKOPTIONS, int, DUL_ASSOCIATESERVICEPARAMETERS*, void**, int) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dul.cc:600
#8 0x557c8b16c0c6 in ASC_requestAssociation(T_ASC_Network*, T_ASC_Parameters*, T_ASC_Association**, void**, unsigned long*, DUL_BLOCKOPTIONS, int) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/assoc.cc:1908
#9 0x557c8b12e849 in DcmFindSCU::performQuery(char const*, unsigned int, char const*, char const*, char const*, E_TransferSyntax, T_DIMSE_BlockingMode, int, unsigned int, bool, bool, unsigned int, DcmFindSCUExtractMode, int, OFList<OFString>*, DcmFindSCUCallback*, OFList<OFString>*, char const*, char const*) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dfindscu.cc:282
#10 0x557c8b0b9925 in main /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/apps/findscu.cc:425
#11 0x7f1f986e4b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#12 0x557c8b0aed19 in _start (/media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/bin/findscu+0x99ad19)

0x612000002cc8 is located 0 bytes to the right of 264-byte region [0x612000002bc0,0x612000002cc8)
allocated by thread T0 here:
#0 0x7f1f9a073b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x557c8b1000c2 in readPDU /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dulfsm.cc:3317
#2 0x557c8b0e5429 in AE_3_AssociateConfirmationAccept /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dulfsm.cc:916
#3 0x557c8b0e49e6 in PRV_StateMachine(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, int, void*) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dulfsm.cc:786
#4 0x557c8b0c4056 in DUL_RequestAssociation(void**, DUL_BLOCKOPTIONS, int, DUL_ASSOCIATESERVICEPARAMETERS*, void**, int) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dul.cc:600
#5 0x557c8b16c0c6 in ASC_requestAssociation(T_ASC_Network*, T_ASC_Parameters*, T_ASC_Association**, void**, unsigned long*, DUL_BLOCKOPTIONS, int) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/assoc.cc:1908
#6 0x557c8b12e849 in DcmFindSCU::performQuery(char const*, unsigned int, char const*, char const*, char const*, E_TransferSyntax, T_DIMSE_BlockingMode, int, unsigned int, bool, bool, unsigned int, DcmFindSCUExtractMode, int, OFList<OFString>*, DcmFindSCUCallback*, OFList<OFString>*, char const*, char const*) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dfindscu.cc:282
#7 0x557c8b0b9925 in main /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/apps/findscu.cc:425
#8 0x7f1f986e4b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/ofstd/libsrc/ofstd.cc:223 in OFStandard::my_strlcpy(char*, char const*, unsigned long)
Shadow bytes around the buggy address:
0x0c247fff8540: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fff8550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fff8560: 00 00 00 00 00 00 00 00 00 00 00 00 07 fa fa fa
0x0c247fff8570: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fff8580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff8590: 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa
0x0c247fff85a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff85b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff85c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==7400==ABORTING