Bug 782324

Summary: sipcalc buffer overflow
Product: [Fedora] Fedora Reporter: IanB <bugzilla.blk>
Component: sipcalcAssignee: Jaromír Cápík <jcapik>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 15CC: dwmw2, jcapik, jwacaser, ovasik
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: sipcalc-1.1.5-1.fc15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-01 09:23:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description IanB 2012-01-17 07:11:03 UTC 
Description of problem:

Any invalid command line parameters results in a buffer overflow


Version-Release number of selected component (if applicable):

sipcalc-1.1.4-5.fc15.x86_64

How reproducible:

always


Steps to Reproduce:
1. run sipcalc with any invalid parameters e.g. 'sipcalc 1'
2.
3.
  
Actual results:

$ sipcalc 1
*** buffer overflow detected ***: sipcalc terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3df2ef7e27]
/lib64/libc.so.6[0x3df2ef5e50]
/lib64/libc.so.6[0x3df2ef553b]
/lib64/libc.so.6(__snprintf_chk+0x78)[0x3df2ef5418]
sipcalc[0x4077af]
sipcalc[0x4015d8]
/lib64/libc.so.6(__libc_start_main+0xed)[0x3df2e2139d]
sipcalc[0x4017d9]
======= Memory map: ========
00400000-0040a000 r-xp 00000000 08:05 136317                             /usr/bin/sipcalc
0060a000-0060b000 rw-p 0000a000 08:05 136317                             /usr/bin/sipcalc
0060b000-0060c000 rw-p 00000000 00:00 0 
0080a000-0080b000 rw-p 0000a000 08:05 136317                             /usr/bin/sipcalc
027bd000-027de000 rw-p 00000000 00:00 0                                  [heap]
3df2600000-3df261f000 r-xp 00000000 08:05 132875                         /lib64/ld-2.14.so
3df281e000-3df281f000 r--p 0001e000 08:05 132875                         /lib64/ld-2.14.so
3df281f000-3df2820000 rw-p 0001f000 08:05 132875                         /lib64/ld-2.14.so
3df2820000-3df2821000 rw-p 00000000 00:00 0 
3df2e00000-3df2f8f000 r-xp 00000000 08:05 147624                         /lib64/libc-2.14.so
3df2f8f000-3df318f000 ---p 0018f000 08:05 147624                         /lib64/libc-2.14.so
3df318f000-3df3193000 r--p 0018f000 08:05 147624                         /lib64/libc-2.14.so
3df3193000-3df3194000 rw-p 00193000 08:05 147624                         /lib64/libc-2.14.so
3df3194000-3df319a000 rw-p 00000000 00:00 0 
3e06a00000-3e06a16000 r-xp 00000000 08:05 157125                         /lib64/libnsl-2.14.so
3e06a16000-3e06c15000 ---p 00016000 08:05 157125                         /lib64/libnsl-2.14.so
3e06c15000-3e06c16000 r--p 00015000 08:05 157125                         /lib64/libnsl-2.14.so
3e06c16000-3e06c17000 rw-p 00016000 08:05 157125                         /lib64/libnsl-2.14.so
3e06c17000-3e06c19000 rw-p 00000000 00:00 0 
3f31400000-3f31415000 r-xp 00000000 08:05 134826                         /lib64/libgcc_s-4.6.1-20110908.so.1
3f31415000-3f31614000 ---p 00015000 08:05 134826                         /lib64/libgcc_s-4.6.1-20110908.so.1
3f31614000-3f31615000 rw-p 00014000 08:05 134826                         /lib64/libgcc_s-4.6.1-20110908.so.1
7f2d6ff86000-7f2d6ff89000 rw-p 00000000 00:00 0 
7f2d6ff9f000-7f2d6ffa1000 rw-p 00000000 00:00 0 
7fffe5952000-7fffe5973000 rw-p 00000000 00:00 0                          [stack]
7fffe59d4000-7fffe59d5000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)


Expected results:

An error message should be generated & usage instructions given.

Additional info:
Comment 1 IanB 2012-01-18 03:44:01 UTC 
I've grabbed the source RPM sipcalc-1.1.4-5.fc15.src.rpm and compiled sipcalc using the source code there. When I run that instance of sipcalc, it does not dump core but fails gracefully:

$ ./sipcalc 1
-[int-ipv4 : 1] - 0

-[ERR : Unable to retrieve interface information]

-
$
Comment 2 Jaromír Cápík 2012-01-24 15:12:59 UTC 
Hello.

I can reproduce the issue here.
The problem is not present when I try to run the configure script without using the %configure macro and when I pass just the --prefix argument.
But that doesn't mean there is no bug in the sources. The final binary is just a little different, what's sometimes sufficient to fully mask the root cause while it's still present.

I'm gonna do a deeper analysis.

Thanks for reporting.

Regards,
Jaromir.
Comment 3 Jaromír Cápík 2012-01-24 15:36:45 UTC 
I just found the bug ...

Writing up to 127 bytes to a 64 bytes long buffer is not very safe.
I'm going to fix that. 
The fixed component will be available soon.

BR, J.
Comment 4 Jaromír Cápík 2012-01-24 18:48:25 UTC 
Do You need the fixed component in Fedora 15? 
The fix is currently built for Fedora Rawhide (=17) only.
If You need this fix available in Fedora 15 (or 16), then let me know asap, please.
Thanks in advance.

Regards,
Jaromir.
Comment 5 IanB 2012-01-25 03:05:16 UTC 
This is not critical for me and I'm happy to use the instance of sipcalc that I compiled. It would be nice for other people to have this fixed in the RPMs for FC15,16 (if it's not too much trouble).
Comment 6 Jaromír Cápík 2012-01-30 16:31:34 UTC 
I had to patch the source code heavily, since many string manipulations were unsafe. Therefore I'd like people to test the changes first. It would be nice if You could download and test the f17 version and try as many reasonable combinations of input values and switches as possible. There might be unwanted differences in the output which I haven't noticed yet.
Please, let me know if You could do that.
Thank You.

Regards,
Jaromir.
Comment 7 Jeffrey Wacaser 2012-01-30 19:48:16 UTC 
Not comprehensive, but the following appear to be handled gracefully while previously they generated buffer overflows.  Further, tested several with valid subnets to ensure results were as expected without seeing an issue.

[jwacase@fsa ~]$ rpm -qi sipcalc | grep -i rpm
Source RPM  : sipcalc-1.1.5-1.fc17.src.rpm

 1060  sipcalc /?
 1061  sipcalc 192.168.1.1/33
 1062  sipcalc 192.168.1.1 /23
 1063  sipcalc 0:::0
 1066  sipcalc 0::0 /120
 1067  sipcalc 192.168.1.1-24
 1068  sipcalc 192.168.1.1:24
Comment 8 Jaromír Cápík 2012-02-14 18:15:08 UTC 
Hello Jeffrey.

Thanks for the feedback.
I'm considering the changes as working and going to propagate them to older releases of Fedora.
Comment 9 Fedora Update System 2012-02-14 18:44:05 UTC 
sipcalc-1.1.5-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/sipcalc-1.1.5-1.fc16
Comment 10 Fedora Update System 2012-02-14 18:46:23 UTC 
sipcalc-1.1.5-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/sipcalc-1.1.5-1.fc15
Comment 11 IanB 2012-02-15 02:18:31 UTC 
(In reply to comment #8)
> Hello Jeffrey.
> 
> Thanks for the feedback.
> I'm considering the changes as working and going to propagate them to older
> releases of Fedora.

Thankyou :)
Comment 12 Fedora Update System 2012-02-15 11:28:24 UTC 
Package sipcalc-1.1.5-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sipcalc-1.1.5-1.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-1666/sipcalc-1.1.5-1.fc16
then log in and leave karma (feedback).
Comment 13 Fedora Update System 2012-03-01 09:23:06 UTC 
sipcalc-1.1.5-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2012-03-01 09:27:19 UTC 
sipcalc-1.1.5-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.