Skip Menu |

This queue is for tickets about the Net-ARP CPAN distribution.

Report information
The Basics
Id: 46298
Status: resolved
Worked: 5 min
Priority: 0/
Queue: Net-ARP
People
Owner: Nobody in particular
Requestors: franck.mail [...] dthconnex.com
Cc:
AdminCc:
Bug Information
Severity: Critical
Broken in: 1.0.4
Fixed in: 1.0.5
Attachments
buffer_overflows.patch
signature.asc

History Show all quoted text
  Fri May 22 07:02:03 2009 franck.mail [...] dthconnex.com - Ticket created
Hi, The module fails to build on Ubuntu Karmic due to a buffer overflow. I have enclosed a patch which solves the problem. This bug has been reported on Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528675 Regards,
Subject: buffer_overflows.patch
Author: Franck Joncourt <franck.mail@dthconnex.com> Bugs: 528675 Description: fix buffer overflows due to an unsafe use of strcpy. + Define a constant, HEX_HW_ADDR_LEN, in arp.h to set the length of the hex representation of the hardware address. Its use with strncpy will prevent eventual overflows through the mac variable. + Make sure the device name provided by the user does not overwrite data in the ifreq structure when copied. The device name in an ifreq strcuture is IFNAMSIZ bytes long. --- libnet-arp-perl.orig/arp.h +++ libnet-arp-perl/arp.h @@ -42,6 +42,10 @@ #endif #define IP_ALEN 4 +/* Length of the hardware address in the standard hex-digits-and-colons + * notation (null terminated string) */ +#define HEX_HW_ADDR_LEN 18 + // ARP Header Struktur struct my_arphdr { u_short hw_type; // hardware type --- libnet-arp-perl.orig/get_mac_linux.c +++ libnet-arp-perl/get_mac_linux.c @@ -22,11 +22,13 @@ #include <stdio.h> #include <stdlib.h> #include <sys/ioctl.h> +#include <sys/types.h> #include <net/ethernet.h> #include <string.h> #include <stdlib.h> #include <stdio.h> #include <net/if.h> +#include "arp.h" int get_mac_linux(u_char *dev, char *mac) { @@ -35,16 +37,18 @@ struct sockaddr_in *addr; struct ether_addr ether; - if(strlen(mac) > 0) - strcpy(mac,"unknown"); - else + if (!strlen(mac) || !strlen(dev)) return -1; - if(strlen(dev) == 0) - return -1; - - strcpy(iface.ifr_name,dev); + /* Set hardware address as unknown */ + strncpy(mac,"unknown", HEX_HW_ADDR_LEN); + mac[HEX_HW_ADDR_LEN-1] = '\0'; + /* Copy device name into the ifreq strcture so that we can look for its + * hardware address through an ioctl request */ + strncpy(iface.ifr_name, dev, IFNAMSIZ); + iface.ifr_name[IFNAMSIZ-1] = '\0'; + // Open a socket if((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { --- libnet-arp-perl.orig/arp_lookup_linux.c +++ libnet-arp-perl/arp_lookup_linux.c @@ -20,6 +20,8 @@ #include <stdio.h> #include <string.h> +#include <sys/types.h> +#include "arp.h" #define _PATH_PROCNET_ARP "/proc/net/arp" @@ -33,14 +35,12 @@ char device[100]; int num, type, flags; - if(strlen(mac) > 0) - strcpy(mac,"unknown"); - else + if (!strlen(mac) || !strlen(ip)) return -1; - if(strlen(ip) == 0) - return -1; - + strncpy(mac,"unknown", HEX_HW_ADDR_LEN); + mac[HEX_HW_ADDR_LEN-1] = '\0'; + if ((fp = fopen(_PATH_PROCNET_ARP, "r")) == NULL) { perror(_PATH_PROCNET_ARP); return (-1); @@ -59,10 +59,10 @@ if ((strlen(dev) == 0 || strcmp(dev, device) == 0) && strcmp(ip, ipaddr) == 0) { - strcpy(mac, hwa); - break; + strncpy(mac, hwa, HEX_HW_ADDR_LEN); + mac[HEX_HW_ADDR_LEN-1] = '\0'; + break; } - strcpy(mac, "unknown"); } }
  Fri May 22 07:13:06 2009 franck.mail [...] dthconnex.com - Reminder 'FTBS on Ubuntu Karmic' added
  Fri May 22 07:15:25 2009 franck.mail [...] dthconnex.com - Subject changed from (no value) to 'FTBS on Ubuntu Karmic'
  Sat May 23 07:19:29 2009 Crazydj [...] chaostal.de - Correspondence added
Seems that this patch was already included in your old patches I took into version 1.0.5? Could you please verify that?
  Sat May 23 07:19:29 2009 The RT System itself - Status changed from 'new' to 'open'
  Sat May 23 07:45:12 2009 franck.mail [...] dthconnex.com - Correspondence added
Le Sam. Mai. 23 07:19:29 2009, CRAZYDJ a écrit : Show quoted text
> Seems that this patch was already included in your old patches I took > into version 1.0.5? Could you please verify that?
You are right :p! As I did not get any answer, I thought you were not interesting in the patch I supplied :(. Therefore, I have fixed the FTBS on Ubuntu through the Debian repository: http://svn.debian.org/viewsvn/pkg-perl/trunk/libnet-arp-perl/ This is the same patch as the one enclosed in this thread. There is no FTBS on Ubuntu anymore. I think I have found a bug in my previous patch (the one sent privately). Could you point me to your repository (or send me a tarball) so I can check what changes you have applied for 1.0.5 and make sure my mistake doee not exist ? The patch I sent you privately change more things in the module. I did only apply what I thought was necessary. Regards,
  Sat May 23 19:45:22 2009 balle [...] chaostal.de - Correspondence added
Subject: Re: [rt.cpan.org #46298] FTBS on Ubuntu Karmic
Date: Sun, 24 May 2009 01:42:07 +0200
To: bug-Net-ARP [...] rt.cpan.org
From: Bastian Ballmann <balle [...] chaostal.de>
Franck Joncourt via RT wrote: Show quoted text
> I think I have found a bug in my previous patch (the one sent > privately). Could you point me to your repository (or send me a > tarball) so I can check what changes you have applied for 1.0.5 and > make sure my mistake doee not exist ? >
I already uploaded it to CPAN. You can grad a tarball of the 1.0.5 source code there. Greets Basti
Download signature.asc
application/pgp-signature 260b

Message body not shown because it is not plain text.

  Sat Jun 22 06:30:34 2013 Crazydj [...] chaostal.de - Correspondence added 5 min
sorry forgot to close the ticket after fixing it in 1.0.5
  Sat Jun 22 06:30:35 2013 Crazydj [...] chaostal.de - Status changed from 'open' to 'resolved'
  Sat Jun 22 06:30:36 2013 Crazydj [...] chaostal.de - Fixed in 1.0.5 added