Package: fakechroot
Version: 2.10-2
Severity: important
Tags: patch

The getsockname function in libfakechroot.c ignores the namelen parameter and
overruns the buffer given as name if *namelen is less than
sizeof(struct sockaddr_un).

This can be triggered by executing: fakechroot host 127.0.0.1
glibc detects the buffer overrun and kills the process:
*** stack smashing detected ***: host terminated

According to recent getsockname(2) man pages the result must be truncated if
it's longer than *namelen. *namelen should then be set to the length of the
complete result so that the caller can recognize that the result has been
truncated. See attached patch for a corresponding solution.
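The truncation rule described above, as an added example that is not part of the report or of fakechroot: a bounded copy into the caller's buffer that reports the full length, plus a simulated caller with a canary byte behind its buffer to show that a short *namelen no longer overruns it. It assumes the unix(7) convention that the reported length includes the terminating NUL; the names copy_sockaddr_un, probe and was_truncated are hypothetical.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Added example, not fakechroot code: copy a sockaddr_un into the caller's
 * buffer with getsockname(2) semantics. Never writes more than *namelen
 * bytes; afterwards *namelen holds the full address length, so a caller
 * whose buffer was smaller sees *namelen > original size and knows the
 * result was truncated. */
static void copy_sockaddr_un(struct sockaddr *name, socklen_t *namelen,
                             const struct sockaddr_un *src)
{
    /* Full length per unix(7): family field + path bytes + terminating NUL. */
    size_t pathlen = strnlen(src->sun_path, sizeof src->sun_path);
    socklen_t full = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + pathlen + 1);
    socklen_t tocopy = *namelen < full ? *namelen : full;
    memcpy(name, src, tocopy);
    *namelen = full;
}

/* Simulated caller (hypothetical) with a bufsize-byte buffer guarded by a
 * canary byte right behind it. Returns the reported full length, or -1 if
 * the canary was clobbered, i.e. the overrun the bug report describes.
 * *truncated (may be NULL) is set when the caller's buffer was too small. */
long probe(const char *path, socklen_t bufsize, int *truncated)
{
    struct sockaddr_un src;                       /* constructed sample address */
    memset(&src, 0, sizeof src);
    src.sun_family = AF_UNIX;
    strncpy(src.sun_path, path, sizeof src.sun_path - 1);

    unsigned char buf[sizeof(struct sockaddr_un) + 1]; /* caller region + canary */
    memset(buf, 0, sizeof buf);
    buf[bufsize] = 0xA5;                          /* canary just past the region */

    socklen_t len = bufsize;
    copy_sockaddr_un((struct sockaddr *)buf, &len, &src);

    if (truncated)
        *truncated = len > bufsize;
    return buf[bufsize] == 0xA5 ? (long)len : -1;
}

/* Convenience wrapper: 1 if a bufsize-byte caller buffer was too small. */
int was_truncated(const char *path, socklen_t bufsize)
{
    int t = 0;
    probe(path, bufsize, &t);
    return t;
}
```

With an 8-byte caller buffer and the path "/tmp/sock", probe returns the full length 12 (2 + 9 + 1) while leaving the canary intact, and was_truncated reports 1; with a 32-byte buffer the same length is returned and nothing is truncated.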

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-194.11.1.el5 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages fakechroot depends on:
ii  libc6                         2.11.2-5   Embedded GNU C Library: Shared lib

fakechroot recommends no packages.

Versions of packages fakechroot suggests:
pn  libc6-i386                    <none>     (no description available)

-- no debconf information
diff -ur fakechroot-2.10/src/libfakechroot.c fakechroot-2.10-getsockname/src/libfakechroot.c
--- fakechroot-2.10/src/libfakechroot.c	2010-08-25 15:33:34.000000000 +0200
+++ fakechroot-2.10-getsockname/src/libfakechroot.c	2010-09-11 14:16:31.000000000 +0200
@@ -2098,7 +2098,7 @@
         strncpy(newname.sun_path, fakechroot_buf, UNIX_PATH_MAX);
     }
 
-    memcpy(name, &newname, sizeof(struct sockaddr_un));
+    memcpy(name, &newname, *namelen < sizeof(struct sockaddr_un) ? *namelen : sizeof(struct sockaddr_un));
     *namelen = sizeof(newname.sun_family) + strlen(newname.sun_path);
     return status;
 }
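Review bot: the copy length is still derived from sizeof(struct sockaddr_un) rather than from the address actually being returned, and the reported *namelen is computed only after the copy with strlen(newname.sun_path), which depends on sun_path being NUL-terminated even though the preceding strncpy(newname.sun_path, fakechroot_buf, UNIX_PATH_MAX) does not guarantee a terminator when the path fills the buffer. Suggest computing the length once up front, e.g. `len = sizeof(newname.sun_family) + strnlen(newname.sun_path, UNIX_PATH_MAX);` and then `memcpy(name, &newname, *namelen < len ? *namelen : len); *namelen = len;`, so the bounded copy and the reported length agree and the ternary fits on one line.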
