Red Hat Bugzilla – Bug 161172
/usr/lib/amanda/chg-scsi causes buffer overflow
Last modified: 2008-03-06 04:29:51 EST
Description of problem:
When executing chg-scsi, a buffer overflow occurs when opening a scsi device. The problem is in changer-src/scsi-changer-driver.c:OpenDevice().
A temporary variable, tmpstr, is declared with just 15 bytes, and is first used in
If the string 'pDev.type' is greater than 15 - 8 - 1 = 6 characters, and in my execution of chg-scsi it is the string 'changer', we get a buffer overflow.
Suggest increasing the size of the variable as a temporary measure.
Steps to Reproduce:
1. Configure amanda to use chg-scsi
2. run /usr/lib/amanda/chg-scsi -info
Actual Results: # /usr/lib/amanda/chg-scsi -info
*** buffer overflow detected ***: /usr/lib/amanda/chg-scsi terminated
======= Backtrace: =========
Expected Results: No buffer overflow
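As an added illustration (not code from the bug report or from amanda), the reporter's size arithmetic and a truncation-aware replacement for an unbounded write into a 15-byte buffer; the 8-character prefix "ChgType:" is an assumed stand-in, since the real format string is not quoted above:

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not amanda's code.  The report says tmpstr holds
   15 bytes and the fixed text of the format takes 8, so the device type may be
   at most 15 - 8 - 1 = 6 characters.  "ChgType:" is an assumed 8-character
   stand-in for the real fixed text. */
#define TMPSTR_SIZE 15
#define FIXED_PART  "ChgType:"            /* 8 characters */

/* Mirrors the reporter's arithmetic: is there room for type plus the NUL? */
int type_fits(const char *type, size_t bufsize)
{
    size_t fixed = strlen(FIXED_PART);
    if (bufsize < fixed + 1)
        return 0;
    return strlen(type) <= bufsize - fixed - 1;
}

/* Bounded replacement for an unbounded sprintf(): snprintf() never writes
   past dstsz, and a return value >= dstsz reports that output was cut off.
   Returns 0 on success, -1 if the result would not fit (dst is then ""). */
int format_type(char *dst, size_t dstsz, const char *type)
{
    int n = snprintf(dst, dstsz, FIXED_PART "%s", type);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char tmpstr[TMPSTR_SIZE];
    char larger[64];   /* the report's suggested interim fix: a bigger buffer */

    printf("'tape' fits in 15:    %d\n", type_fits("tape", sizeof tmpstr));
    printf("'changer' fits in 15: %d\n", type_fits("changer", sizeof tmpstr));
    printf("format 'changer' into 15 -> %d\n",
           format_type(tmpstr, sizeof tmpstr, "changer"));
    printf("format 'changer' into 64 -> %d (%s)\n",
           format_type(larger, sizeof larger, "changer"), larger);
    return 0;
}
```

With the 15-byte buffer, 'changer' (7 characters) is rejected instead of silently overrunning, which is the condition FC4's compiler-inserted checks were reporting.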
I have the same problem as the reporter but am not certain the diagnosis is
correct. I just installed FC4 on a system which was previously running FC1, and
decided to try the Fedora amanda RPMS. But, I have a copy of Amanda 2.4.4p3
which I compiled myself on FC1. The source I used to build contains the same
declaration of tmpstr, and yet the unmodified chg-scsi executable from that FC1
build works fine on FC4.
FC4 has more extensive buffer overflow checks than FC1; these get put in by the
compiler so binaries compiled on FC1 just silently overflow the buffer while
binaries built on FC4 detect this bug.
This report targets the FC3 or FC4 products, which have now been EOL'd.
Could you please check that it still applies to a current Fedora release, and
either update the target product or close it?
Bug still present in FC6 as it's using amanda 2.5.0. The bug has been fixed in a
later release of amanda - it's certainly fixed in amanda-2.5.1p3
FC6 is EOL, closing as WONTFIX
although the fix is in dist CVS, the rpm can't get into repo now...