zhangph <[email protected]> writes:

> Hello GNU inetutils maintainers,
>
> I am reporting a heap out-of-bounds read in the talkd daemon (ntalk /
> BSD talk protocol over UDP). The bug is confirmed with
> AddressSanitizer on a real compiled build of upstream GNU inetutils
> talkd; inetutils talkd is not covered by OSS-Fuzz. I am following
> coordinated disclosure and have not published this report.
This is a public list. For future reference you can use
[email protected] for a private report.

Given that issue, the formatting of your message, the number of reports
you sent yesterday (5 in GNU Mailutils, 2 in GNU Inetutils, 1 in GNU
SASL, 1 in GNU Radius, likely others), the duplicates you sent earlier
on this list, and other reasons addressed later, I am a bit skeptical of
your testing of these reports.

> # 2. Configure; disable optional deps to keep the build minimal.
> CC=clang CFLAGS="-g -O1 -fsanitize=address -fno-omit-frame-pointer" \
> LDFLAGS="-fsanitize=address" \
> ./configure --disable-dependency-tracking --disable-encryption \
>   --without-libedit --without-ncurses --without-pam \
>   --without-wrap --without-readline >/dev/null

The ./configure script is buggy and fails. This has a nice benefit in
this case, because it shows me that you never actually ran this
command:

$ ./configure --disable-dependency-tracking --disable-encryption \
    --without-libedit --without-ncurses --without-pam --without-wrap \
    --without-readline > /dev/null; echo $?
configure: WARNING: unrecognized options: --without-libedit, --without-ncurses, --without-readline
configure: error: --enable-encryption is given, but a Kerberos version is not provided
1

> ```sh
> # talkd built with ASAN above, launched for testing on a high port.
> talkd/talkd -S -l -d  # uses the kernel-assigned / inetd-supplied socket
>
> # Send the reconstructed .bin as one 84-byte UDP datagram:
> socat - V4-UDP-DATAGRAM:127.0.0.1:518 < inetutils-talkd-ctm-lg-heap-oob.bin
> # or:
> nc -u -w1 127.0.0.1 518 < inetutils-talkd-ctm-lg-heap-oob.bin
> ```

This doesn't trigger ASAN for me. Given the other issues that I
mentioned, I find it a bit difficult to believe you actually tested
this.

Collin
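As an added example (not code from the report above, nor from inetutils): a small Python harness for the reproduction step the thread argues about. It builds a well-formed 84-byte ntalk CTL_MSG, sends it to a talkd under test, and parses the 24-byte CTL_RESPONSE, so that "no reply at all" (the daemon having aborted under ASAN) can be told apart from a normal answer such as NOT_HERE. The structure layouts, field order and constants are assumed from the BSD talk protocol header (protocols/talkd.h), not from anything on this page; the request built here is a benign LOOK_UP, not the reporter's .bin, and the host, ports and user names are placeholders.

```python
"""Added example: build a well-formed ntalk CTL_MSG, send it to talkd, parse the reply.

Layouts and constants below are assumed from the BSD talk protocol header
(protocols/talkd.h); they are not taken from the report above.  The request
built here is a benign LOOK_UP, not the reporter's .bin file.
"""
import socket
import struct

TALK_VERSION = 1
# CTL_MSG.type values
LEAVE_INVITE, LOOK_UP, DELETE, ANNOUNCE = 0, 1, 2, 3
# CTL_RESPONSE.answer values
ANSWER_NAMES = {
    0: "SUCCESS", 1: "NOT_HERE", 2: "FAILED", 3: "MACHINE_UNKNOWN",
    4: "PERMISSION_DENIED", 5: "UNKNOWN_REQUEST", 6: "BADVERSION",
    7: "BADADDR", 8: "BADCTLADDR",
}
CTL_MSG_LEN = 84        # 4 + 4 + 16 + 16 + 4 + 12 + 12 + 16
CTL_RESPONSE_LEN = 24   # 4 + 4 + 16
NAME_SIZE, TTY_SIZE = 12, 16


def osockaddr(ip, port):
    """16-byte BSD 'struct osockaddr' as talk puts it on the wire:
    u_short sa_family (AF_INET) + sa_data[14] = port, IPv4 address, 8 zero
    bytes, every field in network byte order."""
    return struct.pack("!HH4s8x", socket.AF_INET, port, socket.inet_aton(ip))


def build_lookup(l_name, r_name, my_ip, data_port, ctl_port, id_num=0, pid=0):
    """Pack a LOOK_UP CTL_MSG (the first message a talk client sends).
    struct.pack truncates or NUL-pads the fixed-width name/tty fields."""
    msg = (struct.pack("!BBBBI", TALK_VERSION, LOOK_UP, 0, 0, id_num)
           + osockaddr(my_ip, data_port)   # addr: where a client would accept the TCP session
           + osockaddr(my_ip, ctl_port)    # ctl_addr: where talkd sends its reply datagram
           + struct.pack("!i%ds%ds%ds" % (NAME_SIZE, NAME_SIZE, TTY_SIZE),
                         pid, l_name.encode(), r_name.encode(), b""))
    assert len(msg) == CTL_MSG_LEN
    return msg


def parse_response(data):
    """Unpack a CTL_RESPONSE: vers, type, answer, pad, id_num, addr (osockaddr)."""
    if len(data) != CTL_RESPONSE_LEN:
        raise ValueError("unexpected reply length %d" % len(data))
    vers, rtype, answer, _pad, id_num = struct.unpack("!BBBBI", data[:8])
    family, port, ip = struct.unpack("!HH4s", data[8:16])
    return {
        "vers": vers, "type": rtype,
        "answer": ANSWER_NAMES.get(answer, answer),
        "id_num": id_num,
        "addr": (socket.inet_ntoa(ip), port) if family == socket.AF_INET else None,
    }


def send_and_check(l_name, r_name, host="127.0.0.1", port=518, timeout=2.0,
                   id_num=1, pid=4242):
    """Bind a control socket, build a LOOK_UP whose ctl_addr points at it, send
    it, and wait for the reply there (talkd answers to ctl_addr, not to the
    datagram's source address).  None means nothing came back in time: with an
    ASAN build, check whether talkd is still running and what it wrote to stderr."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as ctl:
        ctl.bind(("127.0.0.1", 0))
        _ip, ctl_port = ctl.getsockname()
        # 40000 is a placeholder data port; no TCP listener is set up in this example.
        msg = build_lookup(l_name, r_name, "127.0.0.1", 40000, ctl_port, id_num, pid)
        ctl.settimeout(timeout)
        ctl.sendto(msg, (host, port))
        try:
            data, _peer = ctl.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data)


if __name__ == "__main__":
    # Placeholder names; a talkd must be listening on 127.0.0.1:518 for this to do anything.
    print(send_and_check("alice", "bob"))
```

Since talkd replies to the ctl_addr carried inside the message rather than to the UDP source, a harness that sends from one socket and listens on another will time out even when the daemon is perfectly healthy; binding first and putting the bound port into ctl_addr avoids mistaking that for a crash.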
