Bug 176714 - *** stack smashing detected ***: /sbin/ifconfig terminated
*** stack smashing detected ***: /sbin/ifconfig terminated
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: net-tools (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Radek Vokal
Ben Levenson
:
: 176563 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-12-30 12:58 EST by Warren Togami
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version: 1.60-58
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-01-02 05:21:04 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
improve memory handling in interface.c (2.56 KB, patch)
2005-12-30 14:20 EST, Ulrich Drepper
no flags Details | Diff

  None (edit)
Description Warren Togami 2005-12-30 12:58:45 EST
IBM Thinkpad T41
kernel-2.6.14-1.1786_FC5
net-tools-1.60-57.1
eth0: ipw2200 with Intel 2915 ABG miniPCI
eth1: e1000

NetworkManager bringing up and down wireless and wired interfaces doesn't seem
to effect ifconfig's crashing.

[root@caprica ~]# gdb ifconfig
GNU gdb Red Hat Linux (6.3.0.0-1.94rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db
library "/lib/libthread_db.so.1".

(gdb) run
Starting program: /sbin/ifconfig
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0x80f000
*** stack smashing detected ***: /sbin/ifconfig terminated

Program received signal SIGABRT, Aborted.
0x0080f402 in __kernel_vsyscall ()
(gdb) bt
#0  0x0080f402 in __kernel_vsyscall ()
#1  0x00173f7c in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:67
#2  0x001753e3 in *__GI_abort () at abort.c:88
#3  0x001a838b in __libc_message (do_abort=1, fmt=0x265078 "*** stack smashing
detected ***: %s terminated\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#4  0x00228025 in __stack_chk_fail () at stack_chk_fail.c:31
#5  0x080515d7 in if_readlist_proc (target=Variable "target" is not available.
) at interface.c:373
#6  0x080515e4 in if_readlist () at interface.c:415
#7  0x08051795 in for_all_interfaces (doit=0x8050ea5 <do_if_print>,
cookie=0x8058140) at interface.c:134
#8  0x080499d0 in if_print (ifname=0x0) at ifconfig.c:113
#9  0x0804a87c in main (argc=0, argv=Cannot access memory at address 0x3676
) at ifconfig.c:357
#10 0x001615b4 in __libc_start_main (main=0x8049f40 <main>, argc=1,
ubp_av=0xbfbbdcd4, init=0x8053984 <__libc_csu_init>,
    fini=0x80539e0 <__libc_csu_fini>, rtld_fini=0x13cdd0 <_dl_fini>,
stack_end=0xbfbbdccc) at libc-start.c:231
#11 0x08049381 in _start ()
(gdb)
Comment 1 Ulrich Drepper 2005-12-30 14:20:36 EST
Created attachment 122643 [details]
improve memory handling in interface.c

Consider using the attached patch.  It replaces the memory handling in the
function listed in the backtrace and one similar function.  There are two
buffers on the stack used.  Both uses are questionable at best.  My guess is
that the name buffer overflows because of a too-long interface name.  There is
no limit check.  This overflow is ridiculous since there is really no need for
an additional buffer in the first place.

The patch does away with the extra buffer (but I kept the copying, although it
should be unnecessary, too) just to minimize the changes.  In addition, instead
of using fgets which has problems with long lines the new code uses getline
which handles all the memory allocation itself.

There are more limits on the interface name length.  See add_interface.  But
those should bomb, at least not due to buffer overflows.
Comment 2 Radek Vokal 2006-01-02 05:06:07 EST
*** Bug 176563 has been marked as a duplicate of this bug. ***
Comment 3 Radek Vokal 2006-01-02 05:21:04 EST
Patch looks good, thanks a lot. Applying on rawhide.

Note You need to log in before you can comment on or make changes to this bug.