[Bug 418176] Re: gw6c crashes with buffer overflow on start
Philippe Gauthier
philippe.gauthier at deuxpi.ca
Fri Nov 13 16:57:57 UTC 2009
** Description changed:
Binary package hint: tspc
- The gw6c daemon will crash on start. When I rebuild the gw6c package
- with debug symbols, I no longer get a crash. However, doing this also
- turned compiler optimizations off.
-
$ lsb_release -rd
- Description: Ubuntu karmic (development branch)
+ Description: Ubuntu 9.10
Release: 9.10
$ apt-cache policy gw6c
gw6c:
- Installé : 6.0.1dfsg.1-3
- Candidat : 6.0.1dfsg.1-3
- Table de version :
- *** 6.0.1dfsg.1-3 0
- 500 http://archive.ubuntu.com karmic/universe Packages
- 100 /var/lib/dpkg/status
+ Installé : 6.0.1dfsg.1-3
+ Candidat : 6.0.1dfsg.1-3
+ Table de version :
+ *** 6.0.1dfsg.1-3 0
+ 500 http://archive.ubuntu.com karmic/universe Packages
+ 100 /var/lib/dpkg/status
- $ sudo /usr/sbin/gw6c
- *** buffer overflow detected ***: /usr/sbin/gw6c terminated
- ======= Backtrace: =========
- /lib/libc.so.6(__fortify_fail+0x37)[0x7f5cb2207437]
- /lib/libc.so.6[0x7f5cb22063e0]
- /usr/sbin/gw6c[0x421496]
- /usr/sbin/gw6c[0x41d1d3]
- /usr/sbin/gw6c[0x41815a]
- /usr/sbin/gw6c[0x405bc4]
- /usr/sbin/gw6c[0x405fb0]
- /usr/sbin/gw6c[0x410d27]
- /lib/libc.so.6(__libc_start_main+0xfd)[0x7f5cb212eacd]
- /usr/sbin/gw6c[0x404ea9]
+ How to reproduce:
+ 0. Run Ubuntu on a 64-bit architecture.
+ 1. Edit the configuration in /etc/gw6c/gw6c.conf by setting the "client_v4" parameter to an IP address.
+ 2. Restart the gw6c daemon.
+ 3. Check that the gw6c daemon is running.
+
+ The gw6c daemon crashes when started if the client_v4 is set to an IP
+ address instead of the default value of "auto". The reason is a buffer
+ overflow caused by a memcpy from an integer with a length that is
+ dependent of the architecture to an inet_addr(3) structure that is
+ always 32-bit long.
** Description changed:
Binary package hint: tspc
$ lsb_release -rd
Description: Ubuntu 9.10
Release: 9.10
$ apt-cache policy gw6c
gw6c:
Installé : 6.0.1dfsg.1-3
Candidat : 6.0.1dfsg.1-3
Table de version :
*** 6.0.1dfsg.1-3 0
500 http://archive.ubuntu.com karmic/universe Packages
100 /var/lib/dpkg/status
How to reproduce:
0. Run Ubuntu on a 64-bit architecture.
1. Edit the configuration in /etc/gw6c/gw6c.conf by setting the "client_v4" parameter to an IP address.
2. Restart the gw6c daemon.
3. Check that the gw6c daemon is running.
The gw6c daemon crashes when started if the client_v4 is set to an IP
address instead of the default value of "auto". The reason is a buffer
overflow caused by a memcpy from an integer with a length that is
- dependent of the architecture to an inet_addr(3) structure that is
- always 32-bit long.
+ dependent of the architecture to an inet_addr_t structure that is always
+ 32-bit long.
--
gw6c crashes with buffer overflow on start
https://bugs.launchpad.net/bugs/418176
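The size mismatch described in the report, as an added example (not part of the original message and not gw6c source code). All function and macro names are hypothetical, and the copy lands in a canary-padded frame so the overrun can be counted without leaving the buffer.

```c
/* Added illustration; not gw6c source. All names are hypothetical. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define SLOT   sizeof(in_addr_t)  /* destination: always 4 bytes */
#define GUARD  16                 /* canary bytes placed after the slot */
#define CANARY 0xA5

_Static_assert(sizeof(unsigned long) <= SLOT + GUARD, "frame too small");

/* Number of canary bytes behind the 4-byte slot that were overwritten. */
static size_t guard_damage(const unsigned char *frame) {
    size_t n = 0;
    for (size_t i = SLOT; i < SLOT + GUARD; i++)
        n += (frame[i] != CANARY);
    return n;
}

/* Flawed pattern: copy length comes from the source integer's type. */
size_t copy_by_source_size(const char *text) {
    unsigned char frame[SLOT + GUARD];
    unsigned long parsed = inet_addr(text);  /* 8 bytes wide on LP64 */
    memset(frame, CANARY, sizeof frame);
    memcpy(frame, &parsed, sizeof parsed);   /* spills past the slot */
    return guard_damage(frame);
}

/* Hardened: validate with inet_pton, copy exactly the destination size. */
size_t copy_by_dest_size(const char *text) {
    unsigned char frame[SLOT + GUARD];
    struct in_addr parsed;
    memset(frame, CANARY, sizeof frame);
    if (inet_pton(AF_INET, text, &parsed) != 1)
        return (size_t)-1;                   /* e.g. "auto": no address */
    memcpy(frame, &parsed.s_addr, SLOT);
    return guard_damage(frame);
}

int main(void) {
    /* 192.0.2.10 is a constructed documentation address (RFC 5737). */
    printf("sizeof(unsigned long)=%zu sizeof(in_addr_t)=%zu\n",
           sizeof(unsigned long), SLOT);
    printf("source-sized copy overran %zu bytes\n",
           copy_by_source_size("192.0.2.10"));
    printf("dest-sized copy overran %zu bytes\n",
           copy_by_dest_size("192.0.2.10"));
    return 0;
}
```

On a 32-bit build both copies report zero overrun, which is why the crash only shows up on 64-bit systems; when the destination really is a bare 4-byte object, a fortified libc aborts at the memcpy, matching the __fortify_fail frame in the backtrace.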