Fix ASAN exposed heap-use-after-free
authorMark Isaacson <markisaa@fb.com>
Fri, 22 Jul 2016 17:47:38 +0000 (10:47 -0700)
committerFacebook Github Bot 0 <facebook-github-bot-0-bot@fb.com>
Fri, 22 Jul 2016 17:53:27 +0000 (10:53 -0700)
Summary: This code very obviously wrote past the end of the buffer when the length was 1. Furthermore, it was just downright broken for all values. The author obviously meant to type * instead of +. I took the time to verify that the algorithm is actually correct, while I was working on this. My proof is in the test plan.

Reviewed By: yfeldblum, meyering

Differential Revision: D3603255

fbshipit-source-id: 5f2a0011ff5401a70ba03993eab6e53e29d87c1c

folly/detail/IPAddressSource.h
folly/test/IPAddressTest.cpp

index e8a181109001fd4c95e65adfffe8568ab84e666d..b4ea3dfdc581c39dd46b7eaca59921cb58bf6b8c 100644 (file)
@@ -133,7 +133,7 @@ struct Bytes {
     for (std::size_t i = 0; i < len; i++) {
       const unsigned char c = src[i];
       out[i * 2 + 0] = lut[c >> 4];
-      out[i + 2 + 1] = lut[c & 15];
+      out[i * 2 + 1] = lut[c & 15];
     }
     return out;
   }
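Review bot: The writes to `out[i * 2 + 0]` and `out[i * 2 + 1]` stay in bounds only if `out` was allocated with exactly `2 * len` characters, and that allocation sits above the hunk, so nothing beside the indexing states the invariant the old `i + 2 + 1` violated. I would add a comment above the loop, `// out holds 2 * len chars: byte i fills out[2*i] (high nibble) and out[2*i + 1] (low nibble)`, assuming the buffer is in fact sized that way. If `len` can ever come from a caller-supplied length rather than a fixed address size, it is also worth confirming that `len * 2` cannot wrap before the allocation. The body of toHex starts outside the hunk, so the sizing itself could not be checked here.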
index a8b5e752e84e08756c429cd58c635d33299ac51c..5097eafa646e04bfa7754ccc6eb92c90cda0561c 100644 (file)
@@ -421,6 +421,14 @@ TEST_P(IPAddressCtorBinaryTest, InvalidBinary) {
                IPAddressFormatException);
 }
 
+TEST(IPAddressSource, ToHex) {
+  vector<std::uint8_t> data = {{0xff, 0x20, 0x45}};
+  EXPECT_EQ(detail::Bytes::toHex(data.data(), 0), "");
+  EXPECT_EQ(detail::Bytes::toHex(data.data(), 1), "ff");
+  EXPECT_EQ(detail::Bytes::toHex(data.data(), 2), "ff20");
+  EXPECT_EQ(detail::Bytes::toHex(data.data(), 3), "ff2045");
+}
+
 // Test toFullyQualified()
 TEST(IPAddress, ToFullyQualifiedFb) {
   IPAddress ip("2620:0:1cfe:face:b00c::3");
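Review bot: The new ToHex test never uses a byte whose high nibble is zero, so it would miss a regression that drops the leading `0` or mishandles `0x00`; all three input bytes (0xff, 0x20, 0x45) have a non-zero high nibble. One more expectation with constructed values would cover it, e.g. `vector<std::uint8_t> low = {0x00, 0x0a};` followed by `EXPECT_EQ(detail::Bytes::toHex(low.data(), 2), "000a");`, assuming the lookup table is lowercase as the existing `"ff"` expectation implies. As a style point, the single-brace initializer `= {0xff, 0x20, 0x45}` reads more plainly than the doubled braces.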