
This queue is for tickets about the Net-Arping CPAN distribution.

Report information
The Basics
Id: 18009
Status: resolved
Priority: 0/
Queue: Net-Arping

People
Owner: RADEK [...] cpan.org
Requestors: altblue [...] n0i.net
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 0.02
Fixed in: 0.03

Subject: buffer overflow detected
root@nop:~# perl -MNet::Arping -wle 'print Net::Arping->new->arping(shift)' 192.168.1.1
*** buffer overflow detected ***: perl terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x402cf8a5]
/lib/libc.so.6(__vsprintf_chk+0x0)[0x402cf128]
/lib/libc.so.6(_IO_default_xsputn+0x9c)[0x402547e8]
/lib/libc.so.6(_IO_vfprintf+0x93e)[0x4022ea37]
/lib/libc.so.6(__vsprintf_chk+0xa1)[0x402cf1c9]
/lib/libc.so.6(__sprintf_chk+0x30)[0x402cf11c]
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/Net/Arping/Arping.so[0x4014762a]
/usr/lib/libpcap.so.0.9.4[0x4055f6d7]
/usr/lib/libpcap.so.0.9.4(pcap_loop+0x7b)[0x4056064b]
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/Net/Arping/Arping.so(XS_Net__Arping_send_arp+0x701)[0x401473c9]
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE/libperl.so(Perl_pp_entersub+0x409)[0x400a1ef2]
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE/libperl.so(Perl_runops_standard+0x1f)[0x4009b697]
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE/libperl.so(perl_run+0x2ed)[0x4004496a]
perl(main+0x135)[0x8049265]
/lib/libc.so.6(__libc_start_main+0xdc)[0x402097e4]
perl[0x80490b1]

After applying the attached patch:

root@nop:~# perl -MNet::Arping -wle 'print Net::Arping->new->arping(shift)' 192.168.1.1
000f99887766

distro: 0.02
perl: 5.8.8
libpcap: 0.9.4
os: linux, 2.6.15, x86
Subject: perl-Net-Arping-0.02-overflow.patch
--- Arping.xs.orig 2002-08-09 14:05:07.000000000 +0300 +++ Arping.xs 2006-03-06 15:25:52.000000000 +0200 @@ -89,10 +89,10 @@ for (i = 0; i < harp->ar_hln-1;i++) { - sprintf(tt,"%.2x:", *cp++); + snprintf(tt,3,"%.2x:", *cp++); strcat(ttt,tt); } - sprintf(tt,"%.2x", *cp++); + snprintf(tt,3,"%.2x", *cp++); strcat(ttt,tt); longjmp(Env, 1); }
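Review bot: the size argument 3 in both replacement lines is one byte short for the loop body: "%.2x:" produces three characters plus the terminating NUL, so snprintf(tt,3,"%.2x:", *cp++) silently drops the colon and the assembled address loses its separators (it needs snprintf(tt,4,"%.2x:", *cp++), with tt at least 4 bytes). The second call, snprintf(tt,3,"%.2x", *cp++), fits exactly. Separately, strcat(ttt,tt) is still unbounded while the loop count comes from harp->ar_hln in the received packet; the hunk does not show the size of ttt, so a check that ar_hln*3 fits in ttt before the loop, or appending with the remaining size of ttt, would close the overrun that this patch leaves open.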
Fixed in 0.03. snprintf() includes the trailing \0 when counting characters, so the buffer had to be extended and the actual call is "snprintf( ..., 4, ...)".
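The sizing point in the follow-up, as an added example that is not code from the Net-Arping distribution: it shows why snprintf with size 3 truncates "xx:" to "xx" (which is why the patched run above printed 000f99887766 with no colons), why 4 is the right size, and how to bound the destination so a packet-supplied ar_hln cannot overrun it. The function names and the sample address (taken from the ticket's output) are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Format one byte the way the Arping.xs loop does: "xx:" while more bytes
 * follow, "xx" for the last. tt_size mirrors the snprintf size argument. */
static void fmt_byte(char *tt, size_t tt_size, unsigned char b, int more)
{
    snprintf(tt, tt_size, more ? "%.2x:" : "%.2x", b);
}

/* Length of the string snprintf(tt, tt_size, "%.2x:", b) leaves in tt.
 * "%.2x:" is 3 characters plus the NUL that snprintf counts, so tt_size 3
 * yields 2 (colon lost) and tt_size 4 yields the intended 3. */
size_t colon_chunk_len(size_t tt_size)
{
    char tt[8];
    memset(tt, 'X', sizeof tt);  /* pre-fill so truncation is visible */
    fmt_byte(tt, tt_size, 0x0f, 1);
    return strlen(tt);
}

/* Bounded version of the whole loop. Writes "00:0f:99:88:77:66"-style text
 * into out and returns its length, or -1 when out (outlen bytes) cannot hold
 * hln*3-1 characters plus NUL. hln is treated as untrusted because in the
 * original it is ar_hln from the received ARP header, and the original
 * strcat() into the fixed-size destination had no such check. */
int format_hw_addr(const unsigned char *hw, size_t hln, char *out, size_t outlen)
{
    size_t i, pos = 0;
    char tt[4];  /* "xx:" + NUL, the size the 0.03 fix uses */

    if (hln == 0 || outlen / 3 < hln)  /* same as outlen < hln*3, no overflow */
        return -1;
    for (i = 0; i < hln; i++) {
        fmt_byte(tt, sizeof tt, hw[i], i + 1 < hln);
        memcpy(out + pos, tt, strlen(tt));
        pos += strlen(tt);
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Sample address, constructed from the "000f99887766" printed in the ticket. */
const unsigned char sample_mac[6] = { 0x00, 0x0f, 0x99, 0x88, 0x77, 0x66 };

int main(void)
{
    char out[32];
    printf("size 3 keeps %zu chars, size 4 keeps %zu\n",
           colon_chunk_len(3), colon_chunk_len(4));
    if (format_hw_addr(sample_mac, 6, out, sizeof out) > 0)
        printf("%s\n", out);
    return 0;
}
```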