Ubuntu
siege package

coding error can lead to connections going to localhost rather than desired system

Bug #1175869 reported by Michael Hudson-Doyle
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
siege (Debian)
Fix Released
Unknown
siege (Ubuntu)
Fix Released
Medium
Unassigned

Bug Description

The bug is present in raring, but also in the upstream 3.0.0 release.

This code from newsocket in sock.c:

  int herrno;
  struct sockaddr_in cli;
  struct hostent *hp;
...
  {
    struct hostent hent;
    char hbf[8192];
    memset(hbf, '\0', sizeof hbf);
    /* for systems using GNU libc */
    if((gethostbyname_r(hostparam, &hent, hbf, sizeof(hbf), &hp, &herrno) < 0)){
      hp = NULL;
    }
  }
  if(hp == NULL){ return -1; }
  memset((void*) &cli, 0, sizeof(cli));
  memcpy(&cli.sin_addr, hp->h_addr, hp->h_length);

invokes undefined behaviour because gethostbyname_r points hp at the 'hent' automatic variable but hp is used after the execution of the scope that declared it, in violation of section 6.2.4 of the C99 standard.

The particular undefined behaviour I see is that cli.sin_addr ends up being all bits 0, and so the connection goes to localhost.

Revision history for this message
Robie Basak (racb) wrote :

Thank you for reporting this bug and helping to make Ubuntu better.

Ideally this bug would be fixed upstream, and we could cherry-pick the patch if necessary, until it filters through in a new release.

I have tried to submit this bug upstream, but have not been able to find an upstream bug tracker. I have tried to contact the author through the web form, but am not sure if he's got the message.

tags: added: needs-upstream-report
Changed in siege (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Michael Hudson-Doyle (mwhudson) wrote : Re: [Bug 1175869] Re: coding error can lead to connections going to localhost rather than desired system

Robie Basak <email address hidden> writes:

> Thank you for reporting this bug and helping to make Ubuntu better.
>
> Ideally this bug would be fixed upstream, and we could cherry-pick the
> patch if necessary, until it filters through in a new release.
>
> I have tried to submit this bug upstream, but have not been able to find
> an upstream bug tracker. I have tried to contact the author through the
> web form, but am not sure if he's got the message.

I've also made contact via the web form and have just sent him a patch
(I also reported a bug in debian:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706662 -- I probably
did all of these things in the wrong order).

Cheers,
mwh

Revision history for this message
Michael Hudson-Doyle (mwhudson) wrote :

The patch was accepted upstream. I don't know if it'll be included in a distro patch for debian, if so I guess we could pull that across into saucy? Dunno if this is worth a SRU (would be handy for me but...)

Revision history for this message
Robie Basak (racb) wrote :

Thanks for getting this upstreamed!

We can:

 * Wait for Debian, and then the package will automatically sync to Saucy provided this happens before the Debian import freeze.
 * Introduce an Ubuntu delta in Saucy; we'll have to make sure to drop it when Debian pick it up, so that syncs from Debian can resume.
 * Cherry-pick for an SRU to supported releases.

GIven that siege is in main and you have provided a patch, got the change upstream and can provide a test case, I think all three options are reasonable.

Changed in siege (Ubuntu):
status: New → Triaged
Bug Watch Updater (bug-watch-updater)
Changed in siege (Debian):
status: Unknown → Confirmed
Bug Watch Updater (bug-watch-updater)
Changed in siege (Debian):
status: Confirmed → Fix Released
Revision history for this message
Robie Basak (racb) wrote :

The Debian package has now synced to Saucy, so I presume this is fixed in Saucy now, too.

Changed in siege (Ubuntu):
status: Triaged → Fix Released
tags: removed: needs-upstream-report
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.