D: $dcmtk: findscu v3.6.5 2019-10-28 $
D:
W: no data dictionary loaded, check environment variable: DCMDICTPATH
D: Request Parameters:
D: ====================== BEGIN A-ASSOCIATE-RQ =====================
D: Our Implementation Class UID: 1.2.276.0.7230010.3.0.3.6.5
D: Our Implementation Version Name: OFFIS_DCMTK_365
D: Their Implementation Class UID:
D: Their Implementation Version Name:
D: Application Context Name: 1.2.840.10008.3.1.1.1
D: Calling Application Name: FINDSCU
D: Called Application Name: ANY-SCP
D: Responding Application Name: ANY-SCP
D: Our Max PDU Receive Size: 16384
D: Their Max PDU Receive Size: 0
D: Presentation Contexts:
D: Context ID: 1 (Proposed)
D: Abstract Syntax: =FINDModalityWorklistInformationModel
D: Proposed SCP/SCU Role: Default
D: Proposed Transfer Syntax(es):
D: =LittleEndianExplicit
D: =BigEndianExplicit
D: =LittleEndianImplicit
D: Requested Extended Negotiation: none
D: Accepted Extended Negotiation: none
D: Requested User Identity Negotiation: none
D: User Identity Negotiation Response: none
D: ======================= END A-ASSOCIATE-RQ ======================
I: Requesting Association
T: DUL FSM Table: State: 1 Event: 0
T: DUL Event: A-ASSOCIATE request (local user)
T: DUL Action: AE 1 Transport Connect
T: Receiving data via select()
D: setting network send timeout to 60 seconds
D: setting network receive timeout to 60 seconds
T: checking whether environment variable TCP_BUFFER_LENGTH is set
T: environment variable TCP_BUFFER_LENGTH not set, using the system defaults
T: checking whether environment variable TCP_NODELAY is set
T: environment variable TCP_NODELAY not set, using the default value (0)
T: DUL FSM Table: State: 4 Event: 1
T: DUL Event: Transport conn confirmation (local)
T: DUL Action: AE 2 Send Associate RQ PDU
D: Constructing Associate RQ PDU
T: setting timeout for first PDU to be read to 1 seconds
T: Read PDU HEAD TCP: 02 f7 00 00 00 a4
T: Read PDU HEAD TCP: type: 02, length: 164 (a4)
T: DUL FSM Table: State: 5 Event: 2
T: DUL Event: A-ASSOCIATE-AC PDU (on transport)
T: DUL Action: AE 3 Associate Confirmation Accept
D: PDU Type: Associate Accept, PDU Length: 164 + 6 bytes PDU header
D: 02 f7 00 00 00 a4 b6 cd b6 b6 b6 20 01 00 00 00
D: d0 b6 b6 b6 b6 b6 b6 b6 00 80 b6 b6 b6 b6 b6 00
D: 06 b6 b6 80 00 b6 b6 b6 ff ff ff 00 00 00 00 00
D: 00 00 00 00 00 00 00 00 23 00 00 00 00 f7 00 00
D: 00 00 00 00 00 00 00 f2 4f 30 50 50 00 10 54 00
D: 00 04 00 00 00 80 54 00 00 04 00 00 00 00 10 00
D: 00 04 01 02 46 50 20 00 00 04 01 19 b6 5c 20 00
D: 00 04 01 00 46 50 50 00 00 10 54 00 00 04 00 00
D: 00 50 54 00 00 04 00 00 46 50 50 50 50 50 50 50
D: 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50
D: 50 50 50 50 50 50 50 50 50 50
D: Parsing an A-ASSOCIATE PDU
T: PDU type: 2 (A-ASSOCIATE AC), PDU Length: 164
T: DICOM Protocol: b6cd
T: Called AP Title: ¶
T: Calling AP Title: ¶¶¶¶¶
T: Parsing remaining 96 bytes of A-ASSOCIATE PDU
T: Next item type: 50
T: Parsing user info field (50), Length: 16
T: Parsing remaining 16 bytes of User Information
T: Next item type: 54
T: Subitem parse: Type 54, Length 0004, Content: SOP Class: SCU: 0 SCP: 128
T: Parsing remaining 8 bytes of User Information
T: Next item type: 54
T: Subitem parse: Type 54, Length 0004, Content: SOP Class: SCU: 0 SCP: 0
T: Successfully parsed User Information
T: Parsing remaining 76 bytes of A-ASSOCIATE PDU
T: Next item type: 10
T: Subitem parse: Type 10, Length 0004, Content: FP
T: Successfully parsed Application Context
T: Parsing remaining 68 bytes of A-ASSOCIATE PDU
T: Next item type: 20
T: Parsing Presentation Context: (20), Length: 4
T: Presentation Context ID: 01
T: Successfully parsed Presentation Context
T: Parsing remaining 60 bytes of A-ASSOCIATE PDU
T: Next item type: 20
T: Parsing Presentation Context: (20), Length: 4
T: Presentation Context ID: 01
T: Successfully parsed Presentation Context
T: Parsing remaining 52 bytes of A-ASSOCIATE PDU
T: Next item type: 50
T: Parsing user info field (50), Length: 16
T: Parsing remaining 16 bytes of User Information
T: Next item type: 54
T: Subitem parse: Type 54, Length 0004, Content: SOP Class: SCU: 0 SCP: 80
T: Parsing remaining 8 bytes of User Information
T: Next item type: 54
=================================================================
==7400==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000002cc8 at pc 0x557c8b6eb510 bp 0x7ffc2463e120 sp 0x7ffc2463e110
READ of size 1 at 0x612000002cc8 thread T0
    #0 0x557c8b6eb50f in OFStandard::my_strlcpy(char*, char const*, unsigned long) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/ofstd/libsrc/ofstd.cc:223
    #1 0x557c8b0e1809 in OFStandard::strlcpy(char*, char const*, unsigned long) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/ofstd/include/dcmtk/ofstd/ofstd.h:117
    #2 0x557c8b119cba in parseSCUSCPRole /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dulparse.cc:739
    #3 0x557c8b1157e5 in parseUserInfo /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dulparse.cc:532
    #4 0x557c8b10d164 in parseAssociate(unsigned char*, unsigned long, dul_associatepdu*) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dulparse.cc:247
    #5 0x557c8b0e5f39 in AE_3_AssociateConfirmationAccept /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dulfsm.cc:941
    #6 0x557c8b0e49e6 in PRV_StateMachine(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, int, void*) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dulfsm.cc:786
    #7 0x557c8b0c4056 in DUL_RequestAssociation(void**, DUL_BLOCKOPTIONS, int, DUL_ASSOCIATESERVICEPARAMETERS*, void**, int) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dul.cc:600
    #8 0x557c8b16c0c6 in ASC_requestAssociation(T_ASC_Network*, T_ASC_Parameters*, T_ASC_Association**, void**, unsigned long*, DUL_BLOCKOPTIONS, int) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/assoc.cc:1908
    #9 0x557c8b12e849 in DcmFindSCU::performQuery(char const*, unsigned int, char const*, char const*, char const*, E_TransferSyntax, T_DIMSE_BlockingMode, int, unsigned int, bool, bool, unsigned int, DcmFindSCUExtractMode, int, OFList*, DcmFindSCUCallback*, OFList*, char const*, char const*) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dfindscu.cc:282
    #10 0x557c8b0b9925 in main /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/apps/findscu.cc:425
    #11 0x7f1f986e4b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #12 0x557c8b0aed19 in _start (/media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/bin/findscu+0x99ad19)

0x612000002cc8 is located 0 bytes to the right of 264-byte region [0x612000002bc0,0x612000002cc8)
allocated by thread T0 here:
    #0 0x7f1f9a073b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x557c8b1000c2 in readPDU /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dulfsm.cc:3317
    #2 0x557c8b0e5429 in AE_3_AssociateConfirmationAccept /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dulfsm.cc:916
    #3 0x557c8b0e49e6 in PRV_StateMachine(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, int, void*) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dulfsm.cc:786
    #4 0x557c8b0c4056 in DUL_RequestAssociation(void**, DUL_BLOCKOPTIONS, int, DUL_ASSOCIATESERVICEPARAMETERS*, void**, int) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dul.cc:600
    #5 0x557c8b16c0c6 in ASC_requestAssociation(T_ASC_Network*, T_ASC_Parameters*, T_ASC_Association**, void**, unsigned long*, DUL_BLOCKOPTIONS, int) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/assoc.cc:1908
    #6 0x557c8b12e849 in DcmFindSCU::performQuery(char const*, unsigned int, char const*, char const*, char const*, E_TransferSyntax, T_DIMSE_BlockingMode, int, unsigned int, bool, bool, unsigned int, DcmFindSCUExtractMode, int, OFList*, DcmFindSCUCallback*, OFList*, char const*, char const*) /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/libsrc/dfindscu.cc:282
    #7 0x557c8b0b9925 in main /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/dcmnet/apps/findscu.cc:425
    #8 0x7f1f986e4b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow /media/sf_share/dicomfuzzing/dcmtk_debug_sanitizers/ofstd/libsrc/ofstd.cc:223 in OFStandard::my_strlcpy(char*, char const*, unsigned long)
Shadow bytes around the buggy address:
  0x0c247fff8540: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff8550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff8560: 00 00 00 00 00 00 00 00 00 00 00 00 07 fa fa fa
  0x0c247fff8570: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff8580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff8590: 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa
  0x0c247fff85a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff85b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff85c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==7400==ABORTING