Watching ARP traffic with tcpdump while running arpwatch has narrowed
this down to an overflow within name resolution functions.
On every instance that arpwatch terminated, I found that the next ARP
packet involved a particular host that had an excessively long hostname
in the DNS - 37 characters, or 55 as a fully qualified hostname, which
I'm assuming is overflowing some buffer.
While this problem is therefore unlikely to affect many others, there
clearly is code that is writing data into a buffer that is of
insufficient size:
In db.c, in function elist_alloc() (line 297 in current revision)
strcpy is being used to write the hostname into a fixed length char[34]
(defined in struct einfo{}, line 65 same file) with no checking of size.
This looks to be a simple fix, but I currently don't have time to learn
the debian/ubuntu development methodologies to submit a patch, so I have
renamed my excessive hostname and hopefully the maintainer can at some
point change the strcpy to a strncpy. (I note that a couple of lines
below, the storing of the interface name is done with strncpy...)
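The pattern the report describes, as an added example that is not arpwatch's own code: a fixed char[34] field (the struct and field names below are hypothetical stand-ins for struct einfo) filled from a hostname of arbitrary length, and a bounded copy that always leaves the field NUL-terminated and reports whether truncation occurred. It also shows why swapping strcpy for strncpy alone is not quite enough: strncpy does not terminate the destination when the source is at least as long as the buffer.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the fixed-size hostname field the report mentions
 * (char[34] in struct einfo); struct and field names are hypothetical. */
#define HOSTNAME_LEN 34

struct einfo_like {
    char hostname[HOSTNAME_LEN];
};

/* Constructed 55-character FQDN, the length given in the report. */
const char *const LONG_FQDN = "a-very-long-host-name-for-testing-123.corp1.example.com";

/* Copy src into dst (dstsz bytes), always NUL-terminating dst.
 * Returns true when src did not fit and was truncated.
 * strncpy on its own leaves dst unterminated if strlen(src) >= dstsz,
 * so the final byte is written explicitly. */
bool copy_hostname(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return true;
    bool truncated = strlen(src) >= dstsz;
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return truncated;
}

/* Scalar helpers so the behaviour can be checked without poking at
 * the struct directly. */
size_t stored_length(const char *src)
{
    struct einfo_like e;
    copy_hostname(e.hostname, sizeof e.hostname, src);
    return strlen(e.hostname);
}

bool was_truncated(const char *src)
{
    struct einfo_like e;
    return copy_hostname(e.hostname, sizeof e.hostname, src);
}

int main(void)
{
    struct einfo_like e;
    bool t = copy_hostname(e.hostname, sizeof e.hostname, LONG_FQDN);
    printf("stored=\"%s\" (%zu chars, truncated=%d)\n",
           e.hostname, strlen(e.hostname), t);
    return 0;
}
```

A truncated-but-terminated name is still a visible symptom (the stored hostname is cut short), so a caller would normally log the truncation rather than silently accept it.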
https://bugs.launchpad.net/bugs/1097289
Title:
arpwatch terminated with buffer overflow