
heap-use-after-free read_line() lib/parser.c:2652:10 #2634

@WhiteWLf-dev

Description

file1.txt

Describe the bug
When I pass my file to keepalived, I get an AddressSanitizer error.

To Reproduce
You should build the project like this:

export AR=llvm-ar
export RANLIB=llvm-ranlib
export CC=clang
export CXX=clang++
export CFLAGS="-fsanitize=address"
export CXXFLAGS="-fsanitize=address"
CC=$CC CXX=$CXX CFLAGS=$CFLAGS CXXFLAGS=$CXXFLAGS LDFLAGS=$LDFLAGS AR=$AR RANLIB=$RANLIB ./configure --disable-option-checking --disable-libipset-dynamic --disable-dynamic-linking --disable-libnl-dynamic --disable-systemd --disable-hardening --enable-debug --enable-profile --enable-dependency-tracking --enable-snmp --enable-sha1 --enable-snmp-rfcv2 --enable-snmp-rfcv3 --enable-dbus --enable-json --enable-bfd --enable-regex --host=x86_64

./keepalived/keepalived -f file1

Expected behavior
I want to see any errors without AddressSanitizer errors.

Keepalived version

./keepalived/keepalived -v
Keepalived v2.3.4 (06/23,2025), git commit v2.3.4-2-g046b69b2

Copyright(C) 2001-2025 Alexandre Cassen, <acassen@gmail.com>

Built with kernel headers for Linux 5.4.255
Running on Linux 5.15.0-127-generic #astra1+ci4 SMP Fri Mar 7 15:34:27 MSK 2025
Distro: Astra Linux

configure options: --disable-option-checking --disable-libipset-dynamic --disable-dynamic-linking --disable-libnl-dynamic --disable-systemd --disable-hardening --enable-debug --enable-profile --enable-dependency-tracking --enable-snmp --enable-sha1 --enable-snmp-rfcv2 --enable-snmp-rfcv3 --enable-dbus --enable-json --enable-bfd --enable-regex --host=x86_64 host_alias=x86_64 CC=clang CFLAGS=-fsanitize=address LDFLAGS=

Config options:  NFTABLES LVS REGEX REGEX_DEBUG VRRP VRRP_AUTH VRRP_VMAC JSON BFD OLD_CHKSUM_COMPAT SNMP_V3_FOR_V2 SNMP_VRRP SNMP_CHECKER SNMP_RFCV2 SNMP_RFCV3 DBUS IPROUTE_ETC_DIR=/etc/iproute2 IPROUTE_USR_DIR=/usr/share/iproute2 TIMER_CHECK FAULT_FLAGS_CHECK NETLINK_TIMERS SMTP_ALERT_DEBUG EPOLL_DEBUG EPOLL_THREAD_DUMP TSM_DEBUG VRRP_FD_DEBUG NETWORK_TIMESTAMP ASSERT PROFILING FILE_LOGGING LOG_FILE_APPEND RECVMSG_DEBUG EINTR_DEBUG SCRIPT_DEBUG TRACK_PROCESS_DEBUG PARSER_DEBUG CHECKSUM_DEBUG CHECKER_DEBUG SMTP_CONNECT_DEBUG DUMP_KEYWORDS INIT=systemd

System options:  VSYSLOG MEMFD_CREATE IPV6_FREEBIND IPV6_MULTICAST_ALL IPV4_DEVCONF LIBNL3 RTA_ENCAP RTA_EXPIRES RTA_NEWDST RTA_PREF FRA_SUPPRESS_PREFIXLEN FRA_SUPPRESS_IFGROUP FRA_TUN_ID RTAX_CC_ALGO RTAX_QUICKACK RTEXT_FILTER_SKIP_STATS FRA_L3MDEV FRA_UID_RANGE RTAX_FASTOPEN_NO_COOKIE RTA_VIA FRA_PROTOCOL FRA_IP_PROTO FRA_SPORT_RANGE FRA_DPORT_RANGE RTA_TTL_PROPAGATE IFA_FLAGS F_OFD_SETLK LWTUNNEL_ENCAP_MPLS LWTUNNEL_ENCAP_ILA NET_LINUX_IF_H_COLLISION LIBIPVS_NETLINK IPVS_DEST_ATTR_ADDR_FAMILY IPVS_SYNCD_ATTRIBUTES IPVS_64BIT_STATS IPVS_TUN_TYPE IPVS_TUN_CSUM IPVS_TUN_GRE VRRP_IPVLAN IFLA_LINK_NETNSID GLOB_BRACE GLOB_ALTDIRFUNC INET6_ADDR_GEN_MODE VRF SO_MARK

Distro (please complete the following information):

  • Name: Debian
  • Version: 10.0
  • Architecture: x86_64

Keepalived coredump

=================================================================
==32075==ERROR: AddressSanitizer: heap-use-after-free on address 0x503000004885 at pc 0x5d1127fdeabc bp 0x7ffe62d2c6b0 sp 0x7ffe62d2be78
READ of size 7 at 0x503000004885 thread T0
    #0 0x5d1127fdeabb in strchr (/upstream/clearclang/keepalived/keepalived/keepalived+0xbaabb) (BuildId: c6f088966d6556de1fc2388d7930b214e0ece070)
    #1 0x5d11281e850c in read_line /upstream/clearclang/keepalived/lib/parser.c:2652:10
    #2 0x5d11281ee27b in process_stream /upstream/clearclang/keepalived/lib/parser.c:3062:9
    #3 0x5d11281ec807 in init_data /upstream/clearclang/keepalived/lib/parser.c:3311:3
    #4 0x5d11280a5b55 in read_config_file /upstream/clearclang/keepalived/keepalived/core/main.c:478:2
    #5 0x5d11280a5b55 in keepalived_main /upstream/clearclang/keepalived/keepalived/core/main.c:2657:2
    #6 0x7330d784909a in __libc_start_main /builds/AstraOS/buildsystem/tbs_build/glibc/glibc-2.28/csu/../csu/libc-start.c:308:16
    #7 0x5d1127fc3549 in _start (/upstream/clearclang/keepalived/keepalived/keepalived+0x9f549) (BuildId: c6f088966d6556de1fc2388d7930b214e0ece070)

0x503000004885 is located 21 bytes inside of 28-byte region [0x503000004870,0x50300000488c)
freed by thread T0 here:
    #0 0x5d11280612b6 in free (/upstream/clearclang/keepalived/keepalived/keepalived+0x13d2b6) (BuildId: c6f088966d6556de1fc2388d7930b214e0ece070)
    #1 0x5d11281ea0d4 in check_definition /upstream/clearclang/keepalived/lib/parser.c:2154:3
    #2 0x5d11281ea0d4 in read_line /upstream/clearclang/keepalived/lib/parser.c:2854:32
    #3 0x5d11281ee27b in process_stream /upstream/clearclang/keepalived/lib/parser.c:3062:9
    #4 0x5d11281ec807 in init_data /upstream/clearclang/keepalived/lib/parser.c:3311:3
    #5 0x5d11280a5b55 in read_config_file /upstream/clearclang/keepalived/keepalived/core/main.c:478:2
    #6 0x5d11280a5b55 in keepalived_main /upstream/clearclang/keepalived/keepalived/core/main.c:2657:2
    #7 0x7330d784909a in __libc_start_main /builds/AstraOS/buildsystem/tbs_build/glibc/glibc-2.28/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x5d112806193c in realloc (/upstream/clearclang/keepalived/keepalived/keepalived+0x13d93c) (BuildId: c6f088966d6556de1fc2388d7930b214e0ece070)
    #1 0x5d11281e85ed in read_line /upstream/clearclang/keepalived/lib/parser.c:2807:17
    #2 0x5d11281ee27b in process_stream /upstream/clearclang/keepalived/lib/parser.c:3062:9
    #3 0x5d11281ec807 in init_data /upstream/clearclang/keepalived/lib/parser.c:3311:3
    #4 0x5d11280a5b55 in read_config_file /upstream/clearclang/keepalived/keepalived/core/main.c:478:2
    #5 0x5d11280a5b55 in keepalived_main /upstream/clearclang/keepalived/keepalived/core/main.c:2657:2
    #6 0x7330d784909a in __libc_start_main /builds/AstraOS/buildsystem/tbs_build/glibc/glibc-2.28/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free (/upstream/clearclang/keepalived/keepalived/keepalived+0xbaabb) (BuildId: c6f088966d6556de1fc2388d7930b214e0ece070) in strchr

Additional context
My file1 is attached to the issue.
