Bug #942 (Closed): Malformed data may cause out-of-bound read in dulparse.cc

Status: Closed
Priority: High
Assignee: -
Category: Library and Apps
Target version: -
Start date: 2020-08-21
Due date:
% Done: 100%
Estimated time: 2:00 h
Module: dcmnet
Operating System:
Compiler:
Description
Short description of the bug

Certain network messages cause the vulnerable binary to perform an out-of-bounds read. The while statement in ofstd.cc:223 traverses the source buffer until it hits a null byte in order to calculate the length of the source string. When plain, not null-terminated data is copied with the my_strlcpy function in question, the source buffer is therefore read past its bounds. The bug-prone call that uses my_strlcpy to copy data with a previously read length is at dulparse.cc:739:

```cpp
OFStandard::strlcpy(role->SOPClassUID, (char*)buf, UIDLength+1 /* +1 for 0-byte */);
```
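To make the failure mode concrete, here is an added, stand-alone C++ example (not DCMTK code and not the fix from the commit referenced below): a strlcpy-style copy whose return value is computed with strlen, next to a bounded variant that is told how many source bytes are actually readable, and a small field-copy routine that validates a length decoded from the message before reading the bytes it announces. The names strlcpy_like, strlcpy_bounded and copy_uid_field, the 64-character UID limit and the message fragment are all assumptions made for this example.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// strlcpy-style copy: copies at most dstsize-1 bytes and always terminates
// dst, but computes the return value with strlen(src), so the scan of src
// stops only at a null byte. If src is raw network data without a
// terminator, that scan runs past the end of the source buffer.
static size_t strlcpy_like(char *dst, const char *src, size_t dstsize) {
    size_t srclen = std::strlen(src);   // unbounded read of src
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        std::memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

// Bounded variant (hypothetical name): the caller passes srcavail, the number
// of bytes that are actually readable at src. The terminator search is done
// with memchr inside that window, so no byte beyond src[srcavail-1] is read.
// Returns the length of the string found within the window; dst is always
// terminated when dstsize > 0 and never receives more than dstsize-1 bytes.
static size_t strlcpy_bounded(char *dst, const char *src, size_t srcavail, size_t dstsize) {
    const void *nul = std::memchr(src, '\0', srcavail);
    size_t srclen = nul ? static_cast<size_t>(static_cast<const char *>(nul) - src) : srcavail;
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        std::memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

// Models the parser situation from the report: uidLength was decoded from the
// message itself, the UID bytes carry no terminator, and only `remaining`
// bytes of the message are left in the buffer. The announced length is
// checked against the bytes actually present before any of them are read.
static bool copy_uid_field(const unsigned char *field, size_t remaining,
                           size_t uidLength, std::string &out) {
    char dst[65];                                  // 64-char UID + terminator (assumed limit)
    if (uidLength > remaining) return false;       // length not backed by data: reject
    if (uidLength >= sizeof dst) return false;     // longer than the destination allows
    size_t len = strlcpy_bounded(dst, reinterpret_cast<const char *>(field), uidLength, sizeof dst);
    out.assign(dst, len);
    return true;
}

int main() {
    // Constructed message fragment: a 4-byte UID value with no terminator.
    const unsigned char fragment[4] = {'1', '.', '2', '.'};
    std::string uid;
    // Honest length: the copy succeeds.
    bool ok = copy_uid_field(fragment, sizeof fragment, 4, uid);
    // Overstated length (announces 6 bytes, 4 present): rejected instead of over-read.
    bool overstated = copy_uid_field(fragment, sizeof fragment, 6, uid);
    return (ok && !overstated && uid == "1.2.") ? 0 : 1;
}
```

The point of the bounded variant is that the scan for the terminator and the copy share the same explicit limit, so a length field taken from the wire can never widen the read beyond the bytes the caller has already received; under ASan the strlcpy-style version on the same unterminated fragment would report the read the bug describes.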
Steps to reproduce

1. Download and extract DCMTK 3.6.5:

```shell
wget ftp://dicom.offis.de/pub/dicom/offis/software/dcmtk/dcmtk365/dcmtk-3.6.5.tar.gz
tar -xvzf dcmtk-3.6.5.tar.gz
cd dcmtk-3.6.5
```

2. Apply the patch to avoid undefined behavior in the test suite. Copy the file `arith.patch` into the `dcmtk-3.6.5` folder, then:

```shell
patch config/tests/arith.cc arith.patch
```

3. Build DCMTK:

```shell
CFLAGS="-funroll-loops -fno-omit-frame-pointer -O0 -g -fsanitize=address,undefined -fsanitize-recover=address,undefined" CXXFLAGS="-funroll-loops -fno-omit-frame-pointer -O0 -g -fsanitize=address,undefined -fsanitize-recover=address,undefined" cmake -DCMAKE_BUILD_TYPE=DEBUG -DCMAKE_C_COMPILER=gcc -DCMAKE_CXX_COMPILER=g++
CC=gcc CXX=g++ CFLAGS="-funroll-loops -fno-omit-frame-pointer -O0 -g -fsanitize=address,undefined -fsanitize-recover=address,undefined" CXXFLAGS="-funroll-loops -fno-omit-frame-pointer -O0 -g -fsanitize=address,undefined -fsanitize-recover=address,undefined" LDFLAGS="-funroll-loops -fno-omit-frame-pointer -O0 -g -fsanitize=address,undefined -fsanitize-recover=address,undefined" nice -n 19 make -j$(nproc)
```

4. Serve the network input via `netcat-openbsd`:

```shell
nc -Nl 12345 < input_vector
```

5. Create an empty input query:

```shell
touch empty
```

6. Execute findscu with the empty input:

```shell
ASAN_OPTIONS=detect_leaks=0 bin/findscu --cancel 1 -to 1 -td 1 -ta 1 -ll trace localhost 12345 empty
```
Reported 2020-08-20 by Matthias Gierlings <matthias.gierlings@ruhr-uni-bochum.de>.
Updated by Marco Eichelberg almost 5 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
- Estimated time set to 2:00 h
Closed by commit #10428a74e.