coding error can lead to connections going to localhost rather than desired system
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
siege (Debian) | Fix Released | Unknown | |
siege (Ubuntu) | Fix Released | Medium | Unassigned |
Bug Description
The bug is present in raring, but also in the upstream 3.0.0 release.
This code from newsocket in sock.c:

  int herrno;
  struct sockaddr_in cli;
  struct hostent *hp;
  ...
  {
    struct hostent hent;      /* automatic variable: lives only inside this block */
    char hbf[8192];
    memset(hbf, '\0', sizeof hbf);
    /* for systems using GNU libc */
    /* call line truncated in this report; reconstructed from the glibc prototype,
       the name of the hostname argument is assumed */
    if(gethostbyname_r(hostname, &hent, hbf, sizeof(hbf), &hp, &herrno) < 0){
      hp = NULL;
    }
    /* on success hp now points at hent */
  }                           /* hent's lifetime ends here, hp still points at it */
  if(hp == NULL){ return -1; }
  memset((void*) &cli, 0, sizeof(cli));
  /* memcpy line truncated in this report; reconstructed from the description below */
  memcpy(&cli.sin_addr, hp->h_addr, hp->h_length);   /* reads through the dangling hp */
invokes undefined behaviour because gethostbyname_r points hp at the 'hent' automatic variable but hp is used after the execution of the scope that declared it, in violation of section 6.2.4 of the C99 standard.
The particular undefined behaviour I see is that cli.sin_addr ends up being all bits 0, and so the connection goes to localhost.
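The corrected shape of that lookup, as an added example in C that is not the siege project's own code or patch: the storage the resolver writes into (hent, hbf) is hoisted to function scope, so hp is only read while the object it points at is alive, and the address is copied into the caller's sockaddr_in before the function returns. The function names resolve_ipv4 and resolve_ipv4_text, the hostname parameter name and the IPv4-only check are assumptions for this example; the dotted-quad input in main is constructed so the block runs without DNS.

```c
#define _GNU_SOURCE          /* glibc: expose gethostbyname_r */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/*
 * Resolve an IPv4 hostname into *out. Unlike the snippet in the report,
 * 'hent' and 'hbf' are declared at function scope, so the pointer glibc
 * stores in 'hp' remains valid for every later use in this function.
 * Nothing that points into 'hent' escapes: the address bytes are copied.
 */
int resolve_ipv4(const char *hostname, struct sockaddr_in *out)
{
  struct hostent  hent;          /* function scope: outlives every use of hp */
  struct hostent *hp = NULL;
  char            hbf[8192];
  int             herrno = 0;

  memset(hbf, '\0', sizeof hbf);
  memset(out, 0, sizeof *out);

  /* glibc contract: returns 0 on success and sets *hp to point at hent */
  if (gethostbyname_r(hostname, &hent, hbf, sizeof hbf, &hp, &herrno) != 0 || hp == NULL) {
    return -1;
  }
  /* assumption for this example: only IPv4 answers are accepted */
  if (hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof out->sin_addr) {
    return -1;
  }

  out->sin_family = AF_INET;
  memcpy(&out->sin_addr, hp->h_addr_list[0], sizeof out->sin_addr);
  return 0;                      /* hp is not used after this point */
}

/* Helper for checking the result: render the resolved address as text. */
const char *resolve_ipv4_text(const char *hostname, char *buf, size_t len)
{
  struct sockaddr_in sin;
  if (resolve_ipv4(hostname, &sin) != 0) return NULL;
  return inet_ntop(AF_INET, &sin.sin_addr, buf, (socklen_t)len);
}

int main(void)
{
  char text[INET_ADDRSTRLEN];
  /* constructed input: a documentation address glibc parses without DNS */
  const char *r = resolve_ipv4_text("192.0.2.10", text, sizeof text);
  printf("%s -> %s\n", "192.0.2.10", r ? r : "(failed)");
  return r ? 0 : 1;
}
```

With the buggy layout the same call sequence could leave sin_addr as all zero bits, which is exactly the localhost symptom in the report; with the storage at function scope the copied address is the one the resolver returned.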
Changed in siege (Debian): status: Unknown → Confirmed
Changed in siege (Debian): status: Confirmed → Fix Released
Thank you for reporting this bug and helping to make Ubuntu better.
Ideally this bug would be fixed upstream, and we could cherry-pick the patch if necessary, until it filters through in a new release.
I have tried to submit this bug upstream, but have not been able to find an upstream bug tracker. I have tried to contact the author through the web form, but am not sure if he's got the message.