beacon crashes if the length of the destination exceeds 20

Bug #353219 reported by Andreas Schantin
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ax25-tools (Debian) | Fix Released | Unknown | | |
| ax25-tools (Ubuntu) | Fix Released | Medium | Iulian Udrea | |

Bug Description

Binary package hint: ax25-tools

The beacon tool crashes if the length of the -d parameter (destination calls and digipeater path) exceeds a length of 20 characters. This seems to happen because the destination path (char *destcall) is copied into addr (char addr[20]) without checking the length. See line 106 of beacon.c:

...
105 else if (destcall != NULL)
106 strcpy(addr, destcall);
...

Checking the length of destcall before copying should solve the problem:

 /* addr is char[20]: at most 19 characters plus the terminating NUL fit */
 if (strlen(destcall) >= sizeof(addr)) {
  fprintf(stderr, "beacon: destination (-d) exceeds allowed length\n");
  return 1;
 } else
  strcpy(addr, destcall);

I'd also propose to increase the length of addr a little since 20 characters seems a little few for longer paths.
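
The length check proposed above, as an added example that is not part of the original report or of ax25-tools: a hypothetical helper `copy_dest` copies the -d argument into a 20-byte buffer and rejects anything that does not fit together with its terminating NUL, so an input of exactly 20 characters is refused as well. The sample strings are constructed and chosen only for their lengths.

```c
#include <stdio.h>
#include <string.h>

#define ADDR_LEN 20  /* size of addr in the report: char addr[20] */

/*
 * Hypothetical helper (not from beacon.c): copy the -d argument into a
 * fixed buffer, rejecting anything that does not fit with its NUL byte.
 * Returns 0 on success, -1 if the input is NULL or too long.
 */
static int copy_dest(char *addr, size_t addr_size, const char *destcall)
{
    size_t len;

    if (addr == NULL || addr_size == 0 || destcall == NULL)
        return -1;

    len = strlen(destcall);
    if (len >= addr_size)   /* len == addr_size would put the NUL out of bounds */
        return -1;

    memcpy(addr, destcall, len + 1);  /* +1 copies the terminator */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: 19, 20 and 30 characters long. */
    const char *samples[] = {
        "APRS VIA WIDE1-1 AB",
        "APRS VIA WIDE1-1 ABC",
        "APRS VIA WIDE1-1 WIDE2-2 RELAY",
    };
    char addr[ADDR_LEN];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (copy_dest(addr, sizeof(addr), samples[i]) != 0)
            fprintf(stderr, "beacon: destination (-d) exceeds allowed length (%zu chars)\n",
                    strlen(samples[i]));
        else
            printf("accepted: \"%s\"\n", addr);
    }
    return 0;
}
```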

Santana (rigosantana3-gmx) wrote :

Report is descriptive enough to go to dev. This is not really a "bug" but rather an oversight.

Changed in ax25-tools:
status: New → Confirmed
Andreas Schantin (andreas-schantin) wrote :

The official (?) site of the ax25-tools http://www.linux-ax25.org/wiki/LinuxAX25 shows that this was already fixed:
http://www.linux-ax25.org/cvsweb/ax25-tools/ax25/beacon.c
Maybe ax25-tools just needs to be repackaged.

Changed in ax25-tools (Ubuntu):
assignee: nobody → Kamal Mostafa (kamalmostafa)
Kamal Mostafa (kamalmostafa) wrote :

I have created PPA update packages for Karmic and Lucid which include the fix for this bug, cherry-picked from upstream (http://www.linux-ax25.org/cvsweb/ax25-tools/ax25/beacon.c) version ax25_tools_0_0_10_rc1:

    https://launchpad.net/~kamalmostafa/+archive/ax25-tools-fixes

Changed in ax25-tools (Ubuntu):
assignee: Kamal Mostafa (kamalmostafa) → nobody
Iulian Udrea (iulian)
Changed in ax25-tools (Ubuntu):
status: Confirmed → Fix Committed
assignee: nobody → Iulian Udrea (iulian)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ax25-tools - 0.0.8-13.1ubuntu1

---------------
ax25-tools (0.0.8-13.1ubuntu1) lucid; urgency=low

  * Fix beacon -d <longstring> crash (LP: #353219):
    - Cherry-pick fix from upstream ax25_tools_0_0_10_rc1 (www.linux-ax25.org):
      ax25/beacon.c (CVS rev 1.2): important security fix:
        char addr[20] was static and strcpy(addr,.argv[n]) of variable length.
 -- Kamal Mostafa <email address hidden> Tue, 02 Feb 2010 11:36:32 -0800

Changed in ax25-tools (Ubuntu):
status: Fix Committed → Fix Released
Iulian Udrea (iulian)
Changed in ax25-tools (Ubuntu):
importance: Undecided → Medium
Kamal Mostafa (kamalmostafa) wrote :

Patch has been forwarded upstream to Debian.

Changed in ax25-tools (Debian):
status: Unknown → New
Changed in ax25-tools (Debian):
status: New → Fix Released