Description of problem:
Any invalid command line parameter results in a buffer overflow.

Version-Release number of selected component (if applicable):
sipcalc-1.1.4-5.fc15.x86_64

How reproducible:
always

Steps to Reproduce:
1. run sipcalc with any invalid parameters, e.g. 'sipcalc 1'

Actual results:
$ sipcalc 1
*** buffer overflow detected ***: sipcalc terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3df2ef7e27]
/lib64/libc.so.6[0x3df2ef5e50]
/lib64/libc.so.6[0x3df2ef553b]
/lib64/libc.so.6(__snprintf_chk+0x78)[0x3df2ef5418]
sipcalc[0x4077af]
sipcalc[0x4015d8]
/lib64/libc.so.6(__libc_start_main+0xed)[0x3df2e2139d]
sipcalc[0x4017d9]
Aborted (core dumped)

Expected results:
An error message should be generated & usage instructions given.

Additional info:
I've grabbed the source RPM sipcalc-1.1.4-5.fc15.src.rpm and compiled sipcalc using the source code there. When I run that instance of sipcalc, it does not dump core but fails gracefully:

$ ./sipcalc 1
-[int-ipv4 : 1] - 0
-[ERR : Unable to retrieve interface information]
-
$
Hello. I can reproduce the issue here. The problem is not present when I try to run the configure script without using the %configure macro and when I pass just the --prefix argument. But that doesn't mean there is no bug in the sources. The final binary is just a little different, which is sometimes sufficient to fully mask the root cause while it's still present. I'm gonna do a deeper analysis. Thanks for reporting. Regards, Jaromir.
I just found the bug ... Writing up to 127 bytes to a 64-byte buffer is not very safe. I'm going to fix that. The fixed component will be available soon. BR, J.
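The check that produced the "*** buffer overflow detected ***" abort in the description, and the bounded call that replaces the unsafe one described in comment 2, as an added example in C that is not sipcalc's code. It assumes a 64-byte destination (comment 2), a caller-supplied size of 128 (the 127 bytes plus terminating NUL the comment implies) and a format string modelled on the output shown in comment 1; the fortify check is emulated as a return value instead of an abort so the whole thing can run.

```c
/* Added example, not sipcalc's code: the check behind the report's
 * "*** buffer overflow detected ***" abort and the fix for the bug.
 * With _FORTIFY_SOURCE the compiler turns snprintf() into __snprintf_chk(),
 * passing the size it knows for a fixed-size destination; if the caller's
 * size argument is larger, glibc aborts instead of letting the write run
 * past the end. A build without that option (like the reporter's own
 * compile) performs the same overflow, just without the check. */
#include <stdio.h>
#include <string.h>

#define ERRBUF_LEN 64   /* assumed destination size, from comment 2 */

/* Emulates the fortified call for a sipcalc-style error line.
 * real_len    - true size of dst (what the compiler knows)
 * claimed_len - size the caller hands to snprintf
 * Returns -1 if the fortify check fails (a real build aborts here),
 *          1 if the output was truncated to fit, 0 if it fit entirely. */
int format_err_checked(char *dst, size_t real_len, size_t claimed_len,
                       const char *arg, const char *msg)
{
    if (claimed_len > real_len)
        return -1;                 /* __snprintf_chk -> __fortify_fail */
    int n = snprintf(dst, claimed_len,
                     "-[int-ipv4 : %s] - 0 -[ERR : %s] -", arg, msg);
    return (n < 0 || (size_t)n >= claimed_len) ? 1 : 0;
}

/* Drives the three outcomes against a 64-byte stack buffer; the over-long
 * argument is a constructed 200-byte string. Returns 1 if all behave. */
int demo(void)
{
    char buf[ERRBUF_LEN];
    char longarg[201];
    memset(longarg, 'A', sizeof longarg - 1);
    longarg[sizeof longarg - 1] = '\0';

    /* the bug: 128 claimed for a 64-byte buffer -> rejected */
    int rejected  = format_err_checked(buf, sizeof buf, 128, "1", "x");
    /* the fix: size taken from the buffer -> bounded, truncated output */
    int truncated = format_err_checked(buf, sizeof buf, sizeof buf, longarg,
                                       "Unable to retrieve interface information");
    int bounded   = strlen(buf) == sizeof buf - 1;     /* 63 chars + NUL */
    /* short input fits without truncation */
    int fits      = format_err_checked(buf, sizeof buf, sizeof buf, "1",
                                       "Invalid mask");
    return rejected == -1 && truncated == 1 && bounded && fits == 0;
}

int main(void) { printf("demo ok: %d\n", demo()); return 0; }
```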
Do you need the fixed component in Fedora 15? The fix is currently built for Fedora Rawhide (=17) only. If you need this fix available in Fedora 15 (or 16), then let me know asap, please. Thanks in advance. Regards, Jaromir.
This is not critical for me and I'm happy to use the instance of sipcalc that I compiled. It would be nice for other people to have this fixed in the RPMs for FC15/16 (if it's not too much trouble).
I had to patch the source code heavily, since many string manipulations were unsafe. Therefore I'd like people to test the changes first. It would be nice if you could download and test the f17 version and try as many reasonable combinations of input values and switches as possible. There might be unwanted differences in the output which I haven't noticed yet. Please let me know if you could do that. Thank you. Regards, Jaromir.
Not comprehensive, but the following appear to be handled gracefully, while previously they generated buffer overflows. Further, I tested several with valid subnets to ensure results were as expected, without seeing an issue.

[jwacase@fsa ~]$ rpm -qi sipcalc | grep -i rpm
Source RPM  : sipcalc-1.1.5-1.fc17.src.rpm
 1060  sipcalc /?
 1061  sipcalc 192.168.1.1/33
 1062  sipcalc 192.168.1.1 /23
 1063  sipcalc 0:::0
 1066  sipcalc 0::0 /120
 1067  sipcalc 192.168.1.1-24
 1068  sipcalc 192.168.1.1:24
Hello Jeffrey. Thanks for the feedback. I'm considering the changes as working and going to propagate them to older releases of Fedora.
sipcalc-1.1.5-1.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/sipcalc-1.1.5-1.fc16
sipcalc-1.1.5-1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/sipcalc-1.1.5-1.fc15
(In reply to comment #8)
> Hello Jeffrey.
>
> Thanks for the feedback.
> I'm considering the changes as working and going to propagate them to older
> releases of Fedora.

Thank you :)
Package sipcalc-1.1.5-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sipcalc-1.1.5-1.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-1666/sipcalc-1.1.5-1.fc16
then log in and leave karma (feedback).
sipcalc-1.1.5-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
sipcalc-1.1.5-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.