| Field | Value |
|---|---|
| Summary | /usr/lib/amanda/chg-scsi causes buffer overflow |
| Product | [Fedora] Fedora |
| Reporter | Burn Alting <burn> |
| Component | amanda |
| Assignee | Radek Brich <rbrich> |
| Status | CLOSED WONTFIX |
| QA Contact | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Last Closed | 2008-03-06 09:29:51 UTC |
| Type | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
Description Burn Alting 2005-06-21 00:45:56 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
When executing chg-scsi, a buffer overflow occurs when opening a scsi device. The problem is in changer-src/scsi-changer-driver.c:OpenDevice(). A temporary variable, tmpstr, is declared with just 15 bytes, and is first used in

    sprintf(&tmpstr,"%s_%s","generic",pDev.type);

If the string 'pDev.type' is greater than 15 - 8 - 1 = 6 characters, and in my execution of chg-scsi it is the string 'changer', we get a buffer overflow. Suggest increasing the size of the variable as a temporary measure.

Version-Release number of selected component (if applicable):
amanda-2.4.5-2

How reproducible:
Always

Steps to Reproduce:
1. Configure amanda to use chg-scsi
2. run /usr/lib/amanda/chg-scsi -info
3.

Actual Results:
# /usr/lib/amanda/chg-scsi -info
*** buffer overflow detected ***: /usr/lib/amanda/chg-scsi terminated
======= Backtrace: =========
...

Expected Results:
No buffer overflow

Additional info:
Comment 1 Stephen Walton 2005-11-05 18:21:07 UTC
I have the same problem as the reporter but am not certain the diagnosis is correct. I just installed FC4 on a system which was previously running FC1, and decided to try the Fedora amanda RPMS. But, I have a copy of Amanda 2.4.4p3 which I compiled myself on FC1. The source I used to build contains the same declaration of tmpstr, and yet the unmodified chg-scsi executable from that FC1 build works fine on FC4.
Comment 2 Arjan van de Ven 2005-11-07 09:16:05 UTC
FC4 has more extensive buffer overflow checks than FC1; these get put in by the compiler so binaries compiled on FC1 just silently overflow the buffer while binaries built on FC4 detect this bug.
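The overflow described in the report, and the check that prevents it, as an added C example that is not amanda's own code. It assumes the 15-byte buffer and the "generic_%s" prefix the report gives; the function names, the return convention and the sample type strings are constructed for the illustration. The unchecked version mirrors the reported `sprintf` call (and is exactly what the compiler-inserted checks Comment 2 mentions abort at run time); the checked version uses `snprintf` and treats a result that would not fit as an error instead of truncating silently.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size from the report: char tmpstr[15]. */
#define TMPSTR_SIZE 15

/* Unchecked form, shaped like the call in the report. With a type of
 * "changer" the result "generic_changer" needs 16 bytes including the
 * terminator and overruns the 15-byte buffer. On a FORTIFY_SOURCE build
 * this call is compiled to a checked variant that aborts with
 * "*** buffer overflow detected ***" instead of corrupting memory.
 * Shown for contrast only; nothing below calls it. */
void build_generic_name_unchecked(char *tmpstr, const char *type)
{
    sprintf(tmpstr, "%s_%s", "generic", type);
}

/* Checked form: bounded write, and the caller learns when the name did
 * not fit. Returns the length written, or -1 if it would have been
 * truncated (snprintf reports the length the full result would need). */
int build_generic_name(char *out, size_t out_size, const char *type)
{
    int n = snprintf(out, out_size, "%s_%s", "generic", type);
    if (n < 0 || (size_t)n >= out_size) {
        if (out_size > 0)
            out[0] = '\0';      /* leave no half-written name behind */
        return -1;
    }
    return n;
}

/* Longest type string that fits: size minus "generic_" minus the NUL.
 * For the reported 15-byte buffer this is the 6 the reporter computed. */
size_t max_type_len(size_t out_size)
{
    size_t prefix = strlen("generic_");
    return out_size > prefix ? out_size - prefix - 1 : 0;
}

int main(void)
{
    char tmpstr[TMPSTR_SIZE];
    const char *types[] = { "tape", "abcdef", "changer" }; /* constructed */

    printf("max type length for %d bytes: %zu\n", TMPSTR_SIZE,
           max_type_len(sizeof tmpstr));
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++) {
        int n = build_generic_name(tmpstr, sizeof tmpstr, types[i]);
        if (n < 0)
            printf("%-8s -> does not fit, rejected\n", types[i]);
        else
            printf("%-8s -> \"%s\" (%d bytes)\n", types[i], tmpstr, n);
    }
    return 0;
}
```

The point the test pins down is the boundary: "abcdef" (6 characters) is the longest type that fits, and "changer" (7) is refused rather than written past the end of the buffer.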
Comment 3 Christian Iseli 2007-01-22 10:11:01 UTC
This report targets the FC3 or FC4 products, which have now been EOL'd. Could you please check that it still applies to a current Fedora release, and either update the target product or close it? Thanks.
Comment 4 Burn Alting 2007-02-20 06:08:08 UTC
Bug still present in FC6 as it's using amanda 2.5.0. The bug has been fixed in a later release of amanda - it's certainly fixed in amanda-2.5.1p3
Comment 5 Radek Brich 2008-03-06 09:29:51 UTC
FC6 is EOL, closing as WONTFIX although the fix is in dist CVS, the rpm can't get into repo now...