[Bug 617675] New: tftp crash sending file
http://bugzilla.novell.com/show_bug.cgi?id=617675
http://bugzilla.novell.com/show_bug.cgi?id=617675#c0

           Summary: tftp crash sending file
    Classification: openSUSE
           Product: openSUSE 11.3
           Version: RC 1
          Platform: x86
        OS/Version: openSUSE 11.3
            Status: NEW
          Severity: Critical
          Priority: P5 - None
         Component: Network
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: johann-nikolaus.andreae@nacs.de
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (compatible; Konqueror/4.4; Linux; de) KHTML/4.4.3 (like Gecko) SUSE

tftp 192.168.1.1
tftp> binary
tftp> rexmt 1
tftp> timeout 60
tftp> trace
tftp> put firmware.bin
*** buffer overflow detected ***: tftp terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x40)[0xb765b6f0]
/lib/libc.so.6(+0xe84e7)[0xb76594e7]
/lib/libc.so.6(__strcpy_chk+0x3e)[0xb76587be]
tftp[0x8049285]
tftp[0x8049761]
tftp[0x804ae2d]
tftp[0x804b56d]
/lib/libc.so.6(__libc_start_main+0xfe)[0xb7587c0e]
tftp[0x8049171]
======= Memory map: ========
Abgebrochen

Reproducible: Always

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=617675#c

yang xiaoyu <xyyang@novell.com> changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
                 CC|                                          |xyyang@novell.com
         AssignedTo|bnc-team-screening@forge.provo.novell.com |mrueckert@novell.com

http://bugzilla.novell.com/show_bug.cgi?id=617675#c

Petr Uzel <puzel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P2 - High
             Status|NEW                         |ASSIGNED
                 CC|                            |puzel@novell.com
         AssignedTo|mrueckert@novell.com        |puzel@novell.com

http://bugzilla.novell.com/show_bug.cgi?id=617675#c1

Petr Uzel <puzel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #1 from Petr Uzel <puzel@novell.com> 2010-06-29 09:05:00 UTC ---
Thanks for the report.

The problem is that tftp does not work if built with D_FORTIFY_SOURCE=2 (it
generates false positives). I've submitted a new version built with
D_FORTIFY_SOURCE=1 into Factory.

Johann-Nikolaus: please verify that the fix works also for you. TIA

http://bugzilla.novell.com/show_bug.cgi?id=617675#c2

--- Comment #2 from Marcus Meissner <meissner@novell.com> 2010-06-29 10:07:43 UTC ---
    struct tftphdr {
            short   th_opcode;                      /* packet type */
            union {
                    unsigned short  tu_block;       /* block # */
                    short   tu_code;                /* error code */
                    char    tu_stuff[1];            /* request packet stuff */
            } __attribute__ ((__packed__)) th_u;
            char    th_data[1];                     /* data or error string */
    } __attribute__ ((__packed__));

It's because it strcpy()s to th_stuff, but the fortify checker code does not
detect that the struct is variable length.

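Added example, not part of the original thread and not the Fedora patch or tftp code: one way to build the request so that each copy is bounded by the real packet buffer instead of by the 1-byte declared size of tu_stuff from comment #2. The names build_request, put_str and declared_stuff_size are hypothetical, and the 516-byte buffer in main() is a constructed sample.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Struct as quoted in comment #2. */
struct tftphdr {
    short th_opcode;                 /* packet type */
    union {
        unsigned short tu_block;     /* block # */
        short tu_code;               /* error code */
        char tu_stuff[1];            /* request packet stuff */
    } __attribute__((__packed__)) th_u;
    char th_data[1];                 /* data or error string */
} __attribute__((__packed__));

/* Declared size of the member the file name is copied into: 1 byte,
 * so a copy bounded by the member itself cannot hold any file name. */
size_t declared_stuff_size(void) { return sizeof(((struct tftphdr *)0)->th_u.tu_stuff); }

/* Append a NUL-terminated string at *off, bounded by the real buffer size.
 * Returns 0 on success, -1 if the string plus its NUL does not fit. */
static int put_str(unsigned char *buf, size_t buflen, size_t *off, const char *s)
{
    size_t n = strlen(s) + 1;
    if (*off > buflen || n > buflen - *off)
        return -1;
    memcpy(buf + *off, s, n);
    *off += n;
    return 0;
}

/* Build a request: opcode | filename\0 | mode\0. Returns packet length or -1. */
long build_request(unsigned char *buf, size_t buflen, unsigned short opcode,
                   const char *name, const char *mode)
{
    size_t off = offsetof(struct tftphdr, th_u);  /* payload follows the opcode */
    if (buflen < off)
        return -1;
    buf[0] = (unsigned char)(opcode >> 8);        /* network byte order */
    buf[1] = (unsigned char)(opcode & 0xff);
    if (put_str(buf, buflen, &off, name) || put_str(buf, buflen, &off, mode))
        return -1;
    return (long)off;
}

int main(void)
{
    unsigned char pkt[516];  /* constructed sample buffer */
    printf("%ld\n", build_request(pkt, sizeof pkt, 2, "firmware.bin", "octet"));
    return 0;
}
```
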
http://bugzilla.novell.com/show_bug.cgi?id=617675#c3

--- Comment #3 from Petr Uzel <puzel@novell.com> 2010-06-29 10:25:28 UTC ---
Update: I've just revoked the D_FORTIFY_SOURCE change and used [1] instead.

[1] http://cvs.fedoraproject.org/viewvc/rpms/tftp/F-13/tftp-hpa-0.49-fortify-strcpy-crash.patch?revision=1.1&view=markup

http://bugzilla.novell.com/show_bug.cgi?id=617675#c4

--- Comment #4 from Bernhard Wiedemann <bwiedemann@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (617675) was mentioned in
https://build.opensuse.org/request/show/42234 Factory / tftp