Package: amanda-server
Version: 2.4.5-2
Severity: normal

Hi,

I ran into this problem a few days ago...

] s10:~# su backup -c "/usr/sbin/amadmin user due"
] Segmentation fault

... had a look through the source code, and found this...

] (server-src/infofile.h)
]      42 #define NB_HISTORY      100
] [...]
]      69 typedef struct info_s {
]      70     unsigned int  command;              /* command word */
]      71 #       define NO_COMMAND       0       /* no outstanding commands */
]      72 #       define FORCE_FULL       1       /* force level 0 at next run 
*/
]      73 #       define FORCE_BUMP       2       /* force bump at next run */
]      74 #       define FORCE_NO_BUMP    4       /* force no-bump at next run 
*/
]      75     perf_t  full;
]      76     perf_t  incr;
]      77     stats_t inf[DUMP_LEVELS];
]      78     int last_level, consecutive_runs;
]      79     history_t history[NB_HISTORY+1];
]      80 } info_t;

... and this:

] (server-src/infofile.c)
]     277     for(i=0;i<=NB_HISTORY+1;i++) {
]     278         info->history[i].level = -2;
]     279     }

This for loop runs one iteration too many. (There is another similar loop in
infofile.c, and there it is done correctly.) The extra iteration overwrites
another variable that happens to have been laid out in memory after info...

] (gdb) bt
] #0  0xb7fa40ed in debug_agets () from /usr/lib/libamanda-2.4.5.so
] #1  0xb7fdaa2f in read_txinfofile () from /usr/lib/libamserver-2.4.5.so
] #2  0xb7fdba4a in get_info () from /usr/lib/libamserver-2.4.5.so
] #3  0x0804af99 in due_one (dp=0x8053840) at amadmin.c:716
] #4  0x0804b10a in due (argc=3, argv=0xbffffdb4) at amadmin.c:748
] #5  0x08049c10 in main (argc=3, argv=0xbffffdb4) at amadmin.c:169
] (gdb) c
] Continuing.
] Hardware watchpoint 4: hp
] 
] Old value = (am_host_t *) 0x8054200
] New value = (am_host_t *) 0xfffffffe
] 0xb7fdaaf6 in read_txinfofile () from /usr/lib/libamserver-2.4.5.so
] (gdb) bt
] #0  0xb7fdaaf6 in read_txinfofile () from /usr/lib/libamserver-2.4.5.so
] #1  0xb7fdba4a in get_info () from /usr/lib/libamserver-2.4.5.so
] #2  0x0804af99 in due_one (dp=0x8053840) at amadmin.c:716
] #3  0x0804b10a in due (argc=3, argv=0xbffffdb4) at amadmin.c:748
] #4  0x08049c10 in main (argc=3, argv=0xbffffdb4) at amadmin.c:169
] (gdb) 

... which finally causes the segfault.

] (gdb) c
] Continuing.
] 
] Program received signal SIGSEGV, Segmentation fault.
] 0x0804afed in due_one (dp=0x8053840) at amadmin.c:722
] 722             printf("Overdue %2d day%s %s:%s\n",
] 723                    -days, (-days == 1) ? ": " : "s:",
] 724                    hp->hostname, dp->name);
] (gdb) bt
] #0  0x0804afed in due_one (dp=0x8053840) at amadmin.c:722
] #1  0x0804b10a in due (argc=3, argv=0xbffffdb4) at amadmin.c:748
] #2  0x08049c10 in main (argc=3, argv=0xbffffdb4) at amadmin.c:169
] (gdb) 

(One-liner-)Patch attached. ;)


Regards,

Jan

-- 
Jan C. Nordholz
<jckn At gmx net>
--- amanda-2.4.5/server-src/infofile.c  2005-11-17 12:10:18.000000000 +0100
+++ amanda-2.4.5_new/server-src/infofile.c      2005-11-17 12:13:54.000000000 +0100
@@ -274,7 +274,7 @@
     rc = 0;
 
     nb_history = 0;
-    for(i=0;i<=NB_HISTORY+1;i++) {
+    for(i=0;i<=NB_HISTORY;i++) {
        info->history[i].level = -2;
     }
     for(rc = -2; (line = agets(infof)) != NULL; free(line)) {
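Review bot: The corrected bound `i<=NB_HISTORY` is still written out by hand and matches the declaration `history_t history[NB_HISTORY+1]` in infofile.h only by convention, which is how the out-of-bounds write crept in. Deriving the bound from the array itself, e.g. `for(i=0;i<(int)(sizeof(info->history)/sizeof(info->history[0]));i++) {`, keeps the loop inside the array if the declaration ever changes (the cast assumes `i` is an int, which the hunk does not show). The enclosing function starts before and continues past the hunk; the `agets` loop that follows presumably fills history entries from the info file using `nb_history`, so it is worth confirming that index is capped at NB_HISTORY as well.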
