Yeah, I plan to have it pushed out next week to the Fedora Extras repo.

Thanks,
Jeff

On May 5, 2006, at 8:20 AM, Martin Wyser wrote:

Hi Mark

Yes, that worked, thanks a million.
I have reported to bugzilla with a patch limited to that file, hoping they rebuild the package for FC5, meanwhile I have rebuilt the package myself.

Thanks again, and kind regards, Martin
Mark Burgess wrote:
Martin Wyser wrote:
Hi

I have installed the cfengine 2.1.20 package from Fedora Core 5 Extras, and when I run it with my previous configuration, cfagent fails with the message:

    *** stack smashing detected ***: cfagent terminated
    Aborted

Apparently a problem found by the "Buffer Overflow detection ..." mentioned at http://fedora.redhat.com/docs/release-notes/fc5/#id2934140

I installed debuginfo and gdb, and ran this with gdb cfagent, run --no-splay -v, and after the abort, see the stack trace below. Note the "out of bounds" at #5, this was actually the first arg to HandleIPRange in #6. Looking closer, I see that arg 2 to FuzzySetMatch is that of an IPv6 interface being matched against a definition in my cfagent.conf:

        ikr = ( IPRange(129.132.166.67-98) ) #HostRange(ikr,1-32)

This causes trouble at lines 833 and 845 of item.c, which sscanf the entire arg 2 of FuzzySetMatch ("fe80::240:63ff:fee2:1ecc") into a buffer of length 8, killing the canary on the stack.

I see similar behaviour at line 840 of item.c by crafting a special arg in the configuration file (IPRange(123456789....), more than 7 chars before the dot) - this writes beyond buffer1.

I don't have an easy patch at hand. First, I think that the address family of both args should be checked (false if ipv4 and ipv6 are mixed). Second I was thinking of using stuff like "if (2==sscanf(sp1, "%d-%d", &min, &max)) ... else if (1==sscanf(sp1, "%d", &min)) { max=min; } ...", but it is not satisfactory either.

I also attach a small test prog isolating the problem.

Kind regards, Martin


Martin,
many thanks for this information. I have increased the buffer sizes in the code and the patches are available on the svn/snapshot now.


_______________________________________________
Bug-cfengine mailing list
[email protected]
http://cfengine.org/mailman/listinfo/bug-cfengine
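The thread above describes an unbounded sscanf into an 8-byte stack buffer in item.c and proposes two fixes: checking the address family of both arguments, and parsing the range with bounded conversions. The following C program is an added illustration of those two ideas and is not cfengine's own code; item.c's real format strings and function names are not shown in the thread, so safe_first_field, addr_family, parse_ipv4_range and ip_range_match are hypothetical names. It uses width-limited conversions and %n offset checks so that the inputs named in the report (an IPv6 interface address, and a first field longer than 7 characters) are rejected instead of overrunning a buffer.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Width-bounded version of the sscanf idiom described in the report: the
 * original read an argument with an unbounded conversion into an 8-byte
 * stack buffer. "%7[^.]" stops after 7 characters, leaving room for the
 * terminator, so "fe80::240:63ff:fee2:1ecc" is truncated to "fe80::2"
 * instead of smashing the stack. (Added example, not item.c.) */
const char *safe_first_field(const char *arg, char out[8])
{
    out[0] = '\0';
    if (sscanf(arg, "%7[^.]", out) != 1)
        out[0] = '\0';
    return out;
}

/* Classify a literal address with inet_pton: AF_INET, AF_INET6, or -1. */
int addr_family(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    if (inet_pton(AF_INET, s, buf) == 1) return AF_INET;
    if (inet_pton(AF_INET6, s, buf) == 1) return AF_INET6;
    return -1;
}

/* Parse "A.B.C.D" or "A.B.C.D-E" (E = upper bound on the last octet) into
 * the first three octets and an inclusive range [lo, hi]. Every conversion
 * carries a width and the %n offsets are checked, so an over-long field such
 * as "123456789." or trailing junk makes the parse fail cleanly. */
bool parse_ipv4_range(const char *pat, unsigned oct[3], int *lo, int *hi)
{
    unsigned a, b, c, d, e;
    int used = 0, more = 0;

    /* Only digits, dots and one range dash are meaningful in an IPv4 pattern;
     * this also keeps sscanf from accepting leading whitespace or signs. */
    for (const char *p = pat; *p; p++)
        if (!isdigit((unsigned char)*p) && *p != '.' && *p != '-')
            return false;

    if (sscanf(pat, "%3u.%3u.%3u.%3u%n", &a, &b, &c, &d, &used) != 4)
        return false;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return false;

    e = d;
    if (pat[used] == '-') {
        if (sscanf(pat + used + 1, "%3u%n", &e, &more) != 1 || e > 255)
            return false;
        used += 1 + more;
    }
    if (pat[used] != '\0' || e < d)   /* trailing junk or inverted range */
        return false;

    oct[0] = a; oct[1] = b; oct[2] = c;
    *lo = (int)d; *hi = (int)e;
    return true;
}

/* Match an address against an IPRange-style pattern. A non-IPv4 address
 * (the IPv6 interface address from the report) is rejected up front rather
 * than handed to the IPv4 parser, as the thread's first suggestion proposes. */
bool ip_range_match(const char *pat, const char *addr)
{
    unsigned oct[3], x[4];
    int lo, hi, used = 0;

    if (addr_family(addr) != AF_INET)
        return false;
    if (!parse_ipv4_range(pat, oct, &lo, &hi))
        return false;
    if (sscanf(addr, "%3u.%3u.%3u.%3u%n", &x[0], &x[1], &x[2], &x[3], &used) != 4
        || addr[used] != '\0')
        return false;

    return x[0] == oct[0] && x[1] == oct[1] && x[2] == oct[2]
        && (int)x[3] >= lo && (int)x[3] <= hi;
}

int main(void)
{
    char buf[8];
    /* Constructed inputs taken from the cases described in the report. */
    printf("%s\n", safe_first_field("fe80::240:63ff:fee2:1ecc", buf));
    printf("%d\n", ip_range_match("129.132.166.67-98", "129.132.166.80"));
    printf("%d\n", ip_range_match("129.132.166.67-98", "fe80::240:63ff:fee2:1ecc"));
    printf("%d\n", ip_range_match("123456789.1.1.1-5", "123.1.1.1"));
    return 0;
}
```

Enlarging the destination buffer, as the maintainer did, removes the crash for the inputs seen so far; the width specifier and the family check remove the class of bug, because no input length can then reach past the buffer regardless of its size.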
