Package: siege
Version: 2.70-4
Severity: important
Tags: upstream

Dear Maintainer,

This bug is still in the upstream 3.0.0 release.

This code from newsocket in sock.c:

  int herrno;
  struct sockaddr_in cli;
  struct hostent *hp;
...
  {
    struct hostent hent;
    char hbf[8192];
    memset(hbf, '\0', sizeof hbf);
    /* for systems using GNU libc */
    if((gethostbyname_r(hostparam, &hent, hbf, sizeof(hbf), &hp, &herrno) < 0)){
      hp = NULL;
    }
  }
  if(hp == NULL){ return -1; }
  memset((void*) &cli, 0, sizeof(cli));
  memcpy(&cli.sin_addr, hp->h_addr, hp->h_length);

invokes undefined behaviour because gethostbyname_r points hp at the 'hent'
automatic variable but hp is used after the execution of the scope that
declared it, in violation of section 6.2.4 of the C99 standard.

The particular undefined behaviour I see is that cli.sin_addr ends up being all
bits 0, and so the connection goes to localhost.

I've emailed the upstream author about this.

I admit that I have not verified that the bug manifests on Debian, only Ubuntu.
But the bug in the code is definitely there.

Cheers,
mwh

-- System Information:
Debian Release: wheezy/sid
  APT prefers raring-updates
  APT policy: (500, 'raring-updates'), (500, 'raring-security'), (500, 'raring-proposed'), (500, 'raring'), (100, 'raring-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.8.0-19-generic (SMP w/4 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages siege depends on:
ii  libc6        2.17-0ubuntu5
ii  libssl1.0.0  1.0.1c-4ubuntu8

siege recommends no packages.

siege suggests no packages.

-- no debconf information
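Added illustration (not siege's code and not part of the bug report): the same lookup written so that the `struct hostent` and its scratch buffer live in the same scope as every use of `hp`, which is the fix for the lifetime bug described above. It assumes a glibc- or musl-style `gethostbyname_r` (the six-argument GNU form, so `_GNU_SOURCE` is defined) and uses the numeric address 127.0.0.1 so it runs without DNS; the function names `resolve_ipv4` and `addr_equals` are the example's own.

```c
#define _GNU_SOURCE
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <stdio.h>

/* Resolve `host` into `cli`.  The result storage (hent, hbf) is declared in
 * the SAME block as the memcpy that reads through hp, so the pointer that
 * gethostbyname_r hands back never refers to an automatic variable whose
 * lifetime has ended (C99 6.2.4).  Returns 0 on success, -1 on failure. */
int resolve_ipv4(const char *host, struct sockaddr_in *cli)
{
    struct hostent hent;        /* caller-owned result; hp points into it */
    struct hostent *hp = NULL;
    char hbf[8192];             /* scratch for h_name, h_addr_list, ... */
    int herrno = 0;

    memset(hbf, 0, sizeof hbf);
    /* On glibc the GNU gethostbyname_r returns 0 on success and a positive
     * errno value on failure, so a `< 0` test never fires; check the return
     * value and hp explicitly, plus the address family and length before
     * copying h_length bytes into a 4-byte sin_addr. */
    if (gethostbyname_r(host, &hent, hbf, sizeof hbf, &hp, &herrno) != 0
        || hp == NULL
        || hp->h_addrtype != AF_INET
        || hp->h_length != (int)sizeof(struct in_addr)
        || hp->h_addr_list[0] == NULL) {
        return -1;
    }

    /* hent and hbf are still live here, so reading through hp is defined. */
    memset(cli, 0, sizeof *cli);
    cli->sin_family = AF_INET;
    memcpy(&cli->sin_addr, hp->h_addr_list[0], (size_t)hp->h_length);
    return 0;
}

/* Check helper: 1 if `cli` holds the dotted-quad address `expect`, else 0.
 * Useful for catching the all-zero (INADDR_ANY) result the report describes. */
int addr_equals(const struct sockaddr_in *cli, const char *expect)
{
    struct in_addr want;
    if (inet_pton(AF_INET, expect, &want) != 1)
        return 0;
    return cli->sin_addr.s_addr == want.s_addr;
}

int main(void)
{
    struct sockaddr_in cli;
    if (resolve_ipv4("127.0.0.1", &cli) == 0)
        printf("resolved to %s\n", inet_ntoa(cli.sin_addr));
    else
        puts("lookup failed");
    return 0;
}
```

The only structural change from the excerpt in the report is moving `hent` and `hbf` out of the inner block, so that the storage `gethostbyname_r` fills outlives the `memcpy` that reads it; the extra family/length checks are defensive additions of the example.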
