Building 7.21.3 with glibc and _FORTIFY_SOURCE=2 results in a crash of
the tftp server whilst running the test suite (when it has to process
its first error condition):
*** buffer overflow detected ***: server/tftpd terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4d)[0x20680d]
/lib/libc.so.6(+0xf482a)[0x20482a]
/lib/libc.so.6(__strcpy_chk+0x3f)[0x203adf]
server/tftpd[0x804c0e1]
server/tftpd[0x804d896]
/lib/libc.so.6(__libc_start_main+0xe6)[0x126e16]
server/tftpd[0x8048fe1]
It was easy to identify the source of this problem since there's only
one call to strcpy() in tftpd.c. The issue looks very similar to the one
described here:
https://bugzilla.redhat.com/show_bug.cgi?id=515361
However, in this case we *are* writing to the last field...
Attached patch, based on the suggested solution in the above ticket,
works for me.
Paul.
--- curl-7.21.3/tests/server/tftpd.c.orig 2010-12-01 18:45:49.000000000 +0000
+++ curl-7.21.3/tests/server/tftpd.c 2010-12-16 13:19:13.489446036 +0000
@@ -1291,8 +1291,8 @@
pe->e_msg = strerror(error - 100);
tp->th_code = EUNDEF; /* set 'undef' errorcode */
}
- strcpy(tp->th_msg, pe->e_msg);
length = (int)strlen(pe->e_msg);
+ memcpy(tp->th_msg, pe->e_msg, length + 1);
tp->th_msg[length] = '\0';
length += 5;
if (swrite(peer, &buf.storage[0], length) != length)
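Review bot: the copy is still unbounded with respect to the destination: `memcpy(tp->th_msg, pe->e_msg, length + 1)` is sized from strlen() of the source, so it silences the __strcpy_chk abort without adding a bounds check of its own. Since buf.storage[0] is the buffer the packet is written out from in the swrite() call, compare `length + 1` against the room left in that buffer after the header before copying, and truncate or refuse the message if it does not fit. Also, copying `length + 1` bytes already brings the NUL across from pe->e_msg, so the following `tp->th_msg[length] = '\0';` is redundant; keep one of the two (the explicit terminator is the useful one if the copy is changed to move only `length` bytes after truncation).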
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
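The copy-into-trailing-field pattern the report is about, written with an explicit bound. This is an added example, not curl's tftpd.c and not the patch above: the struct layout, the PKT_STORAGE size of 516, and all function names are assumptions made for illustration. The header size of 4 plus the terminating NUL matches the `length += 5` in the hunk, and the message is rejected rather than copied when it would run past the backing buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (not curl's actual definitions): an error packet is an
   opcode, an error code and a message that starts at the last field of the
   struct and runs on into the larger buffer the struct is overlaid on. */
#define PKT_STORAGE 516  /* assumption: one 512-byte block plus a 4-byte header */

struct tftp_err_hdr {
    unsigned short opcode;  /* kept in host order here for simplicity */
    unsigned short code;
    char msg[1];            /* trailing field; the text overruns into storage */
};

union tftp_pkt {
    struct tftp_err_hdr hdr;
    char storage[PKT_STORAGE];
};

/* Bytes of the backing buffer available for the message text plus its NUL.
   This is the bound the copy has to respect, not sizeof(hdr.msg). */
size_t err_msg_room(void) {
    return PKT_STORAGE - offsetof(struct tftp_err_hdr, msg);
}

/* Build an error packet into pkt. Returns the number of bytes to send
   (header + text + NUL), or 0 if the text does not fit in the buffer. */
size_t build_err_packet(union tftp_pkt *pkt, unsigned short code, const char *text) {
    size_t len = strlen(text);
    if (len + 1 > err_msg_room())
        return 0;  /* refuse instead of writing past storage[] */
    memset(pkt, 0, sizeof *pkt);
    pkt->hdr.opcode = 5;   /* TFTP ERROR opcode */
    pkt->hdr.code = code;
    memcpy(pkt->hdr.msg, text, len + 1);  /* len + 1 copies the NUL too */
    return offsetof(struct tftp_err_hdr, msg) + len + 1;
}

/* Convenience wrapper: packet length for a given message, 0 if rejected. */
size_t err_packet_len(const char *text) {
    union tftp_pkt pkt;
    return build_err_packet(&pkt, 1, text);
}

/* Same, for a constructed message of n 'A' characters (n < 1024), used to
   probe the exact boundary where the message stops fitting. */
size_t err_packet_len_for_msg_size(size_t n) {
    char text[1024];
    union tftp_pkt pkt;
    if (n >= sizeof text)
        return 0;
    memset(text, 'A', n);
    text[n] = '\0';
    return build_err_packet(&pkt, 1, text);
}

int main(void) {
    printf("room for message: %zu bytes\n", err_msg_room());
    printf("\"File not found\" -> %zu bytes to send\n", err_packet_len("File not found"));
    printf("511-char message -> %zu\n", err_packet_len_for_msg_size(511));
    printf("512-char message -> %zu (rejected)\n", err_packet_len_for_msg_size(512));
    return 0;
}
```

The point of the check is that the destination's real size is a property of the enclosing buffer, so the bound is computed from the buffer and the offset of the trailing field rather than from strlen() of whatever strerror() handed back.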