Hi Mark
Yes, that worked, thanks a million.
I have reported to bugzilla with a patch limited to that file, hoping
they rebuild the package for FC5, meanwhile I have rebuilt the package
myself.
Thanks again, and kind regards, Martin
Mark Burgess wrote:
Martin Wyser wrote:
Hi
I have installed the cfengine 2.1.20 package from Fedora Core 5
Extras, and when I run it with my previous configuration, cfagent
fails with the message:
*** stack smashing detected ***: cfagent terminated
Aborted
Apparently a problem found by the "Buffer Overflow detection ..."
mentioned at http://fedora.redhat.com/docs/release-notes/fc5/#id2934140
I installed debuginfo and gdb, and ran this with gdb cfagent, run
--no-splay -v, and after the abort, see the stack trace below.
Note the "out of bounds" at #5, this was actually the first arg to
HandleIPRange in #6.
Looking closer, I see that arg 2 to FuzzySetMatch is that of an IPv6
interface being matched against a definition in my cfagent.conf:
ikr = ( IPRange(129.132.166.67-98) ) #HostRange(ikr,1-32)
This causes trouble at lines 833 and 845 of item.c, which sscanf the
entire arg 2 of FuzzySetMatch ("fe80::240:63ff:fee2:1ecc") into a
buffer of length 8, killing the canary on the stack.
I see similar behaviour at line 840 of item.c by crafting a special
arg in the configuration file (IPRange(123456789....), more than 7
chars before the dot) - this writes beyond buffer1.
I don't have an easy patch at hand. First, I think that the address
family of both args should be checked (false if ipv4 and ipv6 are
mixed). Second, I was thinking of using stuff like "if (2==sscanf(sp1,
"%d-%d", &min, &max)) ... else if (1==sscanf(sp1, "%d", &min)) {
max=min; } ...", but it is not satisfactory either.
I also attach a small test prog isolating the problem.
Kind regards, Martin
Martin,
many thanks for this information. I have increased the buffer sizes in
the code and the patches are available on the svn/snapshot now.
_______________________________________________
Bug-cfengine mailing list
[email protected]
http://cfengine.org/mailman/listinfo/bug-cfengine
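Added example, not part of this thread and not cfengine's own code: a small C parser for the IPRange syntax quoted above ("a.b.c.lo-hi" or a single "a.b.c.d"), written the way the report suggests, checking the address family first and giving every sscanf conversion a field width so no token can run past its destination buffer. Function names, buffer sizes and the "contains a colon means IPv6" test are my own assumptions, not item.c's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: an address containing ':' is treated as IPv6. The IPv4
   range parser rejects it up front instead of feeding it to sscanf. */
static int looks_ipv6(const char *s)
{
    return strchr(s, ':') != NULL;
}

/* Parse "a.b.c.lo-hi" or "a.b.c.d" (hypothetical helper).
   On success writes "a.b.c" into prefix (room for "255.255.255" + NUL),
   sets *lo/*hi, and returns 1. Returns 0 for any malformed input.
   Each %3[...] / %3d field reads at most three characters, so the
   4-byte octet buffers can never be overrun whatever spec contains. */
int parse_ipv4_range(const char *spec, char prefix[12], int *lo, int *hi)
{
    char o1[4], o2[4], o3[4];   /* up to 3 digits + NUL each */
    int n = 0, consumed = 0, a, b;

    if (looks_ipv6(spec))
        return 0;

    /* %n records how many characters the three octets plus dots used;
       it stays 0 if the trailing '.' after the third octet is missing. */
    if (sscanf(spec, "%3[0-9].%3[0-9].%3[0-9].%n", o1, o2, o3, &n) != 3 || n == 0)
        return 0;

    const char *rest = spec + n;
    if (sscanf(rest, "%3d-%3d%n", &a, &b, &consumed) == 2 && rest[consumed] == '\0') {
        /* explicit range lo-hi */
    } else if (sscanf(rest, "%3d%n", &a, &consumed) == 1 && rest[consumed] == '\0') {
        b = a;                  /* single host: lo == hi */
    } else {
        return 0;               /* trailing junk, e.g. "67-98-" or "67x" */
    }

    /* Every octet and both range ends must be valid 0..255 values. */
    if (atoi(o1) > 255 || atoi(o2) > 255 || atoi(o3) > 255)
        return 0;
    if (a < 0 || b < 0 || a > 255 || b > 255 || a > b)
        return 0;

    snprintf(prefix, 12, "%s.%s.%s", o1, o2, o3);
    *lo = a;
    *hi = b;
    return 1;
}

/* Does the dotted-quad host fall inside the IPRange spec?
   A host is parsed with the same bounded parser and must be a single
   address (lo == hi) on the same /24 prefix as the range. */
int ipv4_in_range(const char *host, const char *spec)
{
    char hp[12], sp[12];
    int hlo, hhi, slo, shi;

    if (!parse_ipv4_range(spec, sp, &slo, &shi))
        return 0;
    if (!parse_ipv4_range(host, hp, &hlo, &hhi) || hlo != hhi)
        return 0;
    return strcmp(hp, sp) == 0 && hlo >= slo && hlo <= shi;
}

int main(void)
{
    /* Constructed inputs: the range from the report, a host inside it,
       the IPv6 link-local address that crashed cfagent, and the
       over-long first octet the report mentions. */
    const char *spec = "129.132.166.67-98";
    printf("%s in %s: %d\n", "129.132.166.70", spec, ipv4_in_range("129.132.166.70", spec));
    printf("%s in %s: %d\n", "129.132.166.99", spec, ipv4_in_range("129.132.166.99", spec));
    printf("%s in %s: %d\n", "fe80::240:63ff:fee2:1ecc", spec,
           ipv4_in_range("fe80::240:63ff:fee2:1ecc", spec));
    printf("%s in %s: %d\n", "1.1.1.1", "123456789.1.1.1",
           ipv4_in_range("1.1.1.1", "123456789.1.1.1"));
    return 0;
}
```

The point of the field widths is that the parser's safety no longer depends on the caller having pre-validated the argument: an IPv6 literal or a nine-digit octet is simply reported as "not a match" rather than written past the end of a stack buffer, which is the behaviour the stack-protector abort above was catching after the fact.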