Martin Wyser wrote:
Hi

I have installed the cfengine 2.1.20 package from Fedora Core 5 Extras, and when I run it with my previous configuration, cfagent fails with the message:

    *** stack smashing detected ***: cfagent terminated
    Aborted

Apparently a problem found by the "Buffer Overflow detection ..." mentioned at http://fedora.redhat.com/docs/release-notes/fc5/#id2934140

I installed debuginfo and gdb, and ran this with gdb cfagent, run --no-splay -v, and after the abort, see the stack trace below. Note the "out of bounds" at #5; this was actually the first arg to HandleIPRange in #6. Looking closer, I see that arg 2 to FuzzySetMatch is that of an IPv6 interface being matched against a definition in my cfagent.conf:

        ikr = ( IPRange(129.132.166.67-98) ) #HostRange(ikr,1-32)

This causes trouble at lines 833 and 845 of item.c, which sscanf the entire arg 2 of FuzzySetMatch ("fe80::240:63ff:fee2:1ecc") into a buffer of length 8, killing the canary on the stack.

I see similar behaviour at line 840 of item.c by crafting a special arg in the configuration file (IPRange(123456789....), more than 7 chars before the dot) - this writes beyond buffer1.

I don't have an easy patch at hand. First, I think that the address family of both args should be checked (false if ipv4 and ipv6 are mixed). Second, I was thinking of using stuff like "if (2==sscanf(sp1, "%d-%d", &min, &max)) ... else if (1==sscanf(sp1, "%d", &min)) { max=min; } ...", but it is not satisfactory either.

I also attach a small test prog isolating the problem.

Kind regards, Martin
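As an added illustration (not cfengine's item.c, and not the test program attached to the report), here is a hypothetical bounded version of the parse the message describes: every sscanf conversion carries a width so an 8-byte buffer cannot be overrun, an overlong field before the dot is rejected instead of truncated, and a mismatch of address families returns false as the message proposes. The names ip4_range, parse_ip4_range and ip4_in_range are assumptions, and the "a.b.c.d-e" syntax is inferred from the IPRange(129.132.166.67-98) example above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* A parsed IPRange(...) argument such as "129.132.166.67-98" (hypothetical type). */
typedef struct { int octet[3]; int min, max; } ip4_range;

static bool valid_octet(int v) { return v >= 0 && v <= 255; }

/* Parse spec into r. Returns false for IPv6 text, overlong fields or other
 * malformed input. The shape the report describes, sscanf(s, "%[^.]", buf)
 * into char buf[8], has no width limit; every conversion here carries one. */
bool parse_ip4_range(const char *spec, ip4_range *r) {
    char field[8];   /* same size as the buffer named in the report */
    char tail;
    int used = 0, used2 = 0;

    if (spec == NULL || strchr(spec, ':') != NULL)
        return false;   /* ':' means IPv6-looking text: wrong family, reject */
    /* "%7[^.]" stores at most 7 chars + NUL. With 8+ chars before the dot the
     * next character is not '.', so we reject rather than overflow field[]. */
    if (sscanf(spec, "%7[^.]%c", field, &tail) != 2 || tail != '.')
        return false;
    /* Fixed-width numeric fields; %n records how much of spec was consumed. */
    if (sscanf(spec, "%3d.%3d.%3d.%3d%n",
               &r->octet[0], &r->octet[1], &r->octet[2], &r->min, &used) != 4)
        return false;
    if (spec[used] == '\0') {
        r->max = r->min;                  /* single host "a.b.c.d" */
    } else if (spec[used] != '-' ||
               sscanf(spec + used + 1, "%3d%n", &r->max, &used2) != 1 ||
               spec[used + 1 + used2] != '\0') {
        return false;                     /* bad separator or trailing junk */
    }
    for (int i = 0; i < 3; i++)
        if (!valid_octet(r->octet[i])) return false;
    return valid_octet(r->min) && valid_octet(r->max) && r->min <= r->max;
}

/* Membership test in the spirit of FuzzySetMatch(spec, addr): an IPv6 or
 * malformed argument on either side is simply "no match", not a stack smash. */
bool ip4_in_range(const char *spec, const char *addr) {
    ip4_range r, a;
    if (!parse_ip4_range(spec, &r) || !parse_ip4_range(addr, &a) || a.min != a.max)
        return false;
    return memcmp(a.octet, r.octet, sizeof a.octet) == 0 &&
           a.min >= r.min && a.min <= r.max;
}
```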



Martin,

many thanks for this information. I have increased the buffer sizes in the code and the patches are available on the svn/snapshot now.

--
Mark Burgess

Professor of Network and System Administration
Oslo University College

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  [EMAIL PROTECTED]
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~