Package: libwrap0
Version: 7.6.q-19
Severity: grave
Tags: patch
Justification: renders package unusable

Hi,

If a line is more than 2047 bytes long (after backslash removal) in
/etc/hosts.allow, libwrap0 will enter an infinite loop. This happened to us,
rendering the entire system pretty much unusable since sshd would not accept
any new connections, eventually having a ton of child sshd instances burning
CPU.

I've attached a patch that will properly truncate the line; it's a bit silly
to have a limit at all, but as I believe this fix would be proper for stable
and a line-limit breaker won't, I'll file that as a separate bug.

-- System Information:
Debian Release: 6.0.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39-bpo.2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libwrap0 depends on:
ii  libc6                         2.11.2-10  Embedded GNU C Library: Shared lib

Versions of packages libwrap0 recommends:
ii  tcpd                          7.6.q-19   Wietse Venema's TCP wrapper utilit

libwrap0 suggests no packages.

-- no debconf information

Description: Fix an off-by-one causing infinite loop in xgets().
 When a line becomes too long for the given buffer, fgets() will truncate it,
 but it will still leave one byte free for the trailing zero.
 This causes xgets() to try fread() calls with a length parameter of one,
 which succeeds in reading zero bytes (n-1), causing an infinite loop.

 The fix is simple: Check that we have space for more than just the zero
 byte before we fgets().
Author: Steinar H. Gunderson <[email protected]>
Last-Update: 2011-11-09

--- tcp-wrappers-7.6.q.orig/misc.c
+++ tcp-wrappers-7.6.q/misc.c
@@ -33,7 +33,7 @@ FILE   *fp;
     int     got;
     char   *start = ptr;
 
-    while (fgets(ptr, len, fp)) {
+    while (len > 1 && fgets(ptr, len, fp)) {
        got = strlen(ptr);
        if (got >= 1 && ptr[got - 1] == '\n') {
            tcpd_context.line++;
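
Review bot: With `len > 1` added to the `while` condition, the loop stops once the buffer is full, but nothing in the lines shown consumes the rest of the over-long line, so the unread tail will presumably come back from the next xgets() call as if it were a separate line. In an access-control file, the tail of a truncated rule being parsed as a rule of its own can change what is allowed or denied; consider discarding input up to the next newline and logging a warning when truncation happens. Note also that `tcpd_context.line` is only incremented when a newline was read, so a truncated line is not counted at this point and later line numbers in diagnostics may be off. A one-line comment on why the guard is `len > 1` (fgets() with a size of one stores only the terminating zero and still succeeds) would save the next reader the trip to the patch header.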

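The loop described in the patch header, as an added example (not the package's code): a simplified model of xgets() with an iteration cap, run on a constructed over-long line with the original and the patched loop condition. `model_xgets`, `run_case`, `MAX_ITER` and the bookkeeping after the lines visible in the hunk are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ITER 1000   /* cap so the unpatched loop terminates in this demo */
/* Simplified model of the xgets() loop; the bookkeeping after the lines shown
 * in the patch is assumed from the patch description. guard=0: original loop
 * condition, guard=1: patched. Returns iterations, or -1 on hitting MAX_ITER. */
static int model_xgets(char *ptr, int len, FILE *fp, int guard)
{
    int iter = 0;
    while ((!guard || len > 1) && fgets(ptr, len, fp)) {
        int got = (int) strlen(ptr);
        if (++iter >= MAX_ITER)
            return -1;              /* would have spun forever */
        if (got >= 1 && ptr[got - 1] == '\n') {
            if (got >= 2 && ptr[got - 2] == '\\')
                got -= 2;           /* drop backslash-newline, keep reading */
            else
                return iter;        /* complete logical line */
        }
        ptr += got;                 /* next chunk is appended here */
        len -= got;                 /* bottoms out at 1: room for '\0' only */
        ptr[0] = 0;
    }
    return iter;
}

/* Constructed input: a single line of line_len 'a' bytes plus a newline. */
int run_case(int line_len, int buf_len, int guard)
{
    char buf[4096];
    FILE *fp;
    int i, rc;
    if (buf_len > (int) sizeof(buf) || (fp = tmpfile()) == NULL)
        return -2;
    for (i = 0; i < line_len; i++)
        fputc('a', fp);
    fputc('\n', fp);
    rewind(fp);
    rc = model_xgets(buf, buf_len, fp, guard);
    fclose(fp);
    return rc;
}

int main(void)
{
    printf("unpatched: %d  patched: %d\n", run_case(3000, 2048, 0), run_case(3000, 2048, 1));
    return 0;
}
```

With the original condition, the 3000-byte line hits the iteration cap because every fgets() call after the first is given a size of one; with the guard, the loop exits after a single read.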