Comment 0 for bug 1319250

Andy B (u-launchpad-x) wrote:

version 1.1.12

Complete corruption of IPv6 addresses in gearadmin --workers and log output.

Steps to reproduce:

1. start gearmand
2. on IPv6 localhost: gearadmin -h ::1 --workers
3. on IPv6 link-local: gearadmin -h fe80::a00:27ff:fe34:3379%eth0 --workers

Actual output for 2:
33 ::e8bf:8995:757f:0%33 - :
.
Actual output for 3:
33 fe80::e8bf:444b:657f:0%33 - :
.

Expected output for 2:
33 ::1 - :
.
Expected output for 3:
33 fe80::e8bf:444b:657f:0%33 - :
.

This is due to struct sockaddr not being big enough to hold struct sockaddr_in6. struct sockaddr_storage is supposed to be used for this. The attached patches fix this.

I did not observe a crash from this, but it appears that data beyond the end of the structure is being accessed (I've observed the IPv6 scope identifier being the same value as the worker offset, 33 and %33 as shown above, in every case during my research), which may be exploitable to cause a DoS.
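The size mismatch the report describes, shown as an added example that is not gearmand's code and not the attached patch: the address is stored in a struct sockaddr_storage, and the formatting routine refuses to read address bytes or the scope id when the buffer length the caller passed (sizeof(struct sockaddr) in the buggy case) is smaller than the family's structure. The port 4730 and the scope id 2 are constructed sample values.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* On Linux/glibc struct sockaddr is 16 bytes, struct sockaddr_in6 is 28. */
int sockaddr_too_small_for_in6(void)
{
    return sizeof(struct sockaddr) < sizeof(struct sockaddr_in6);
}

/* Render an address as text.  'len' is the buffer size that was handed to
 * accept()/getpeername().  If it is smaller than the family's structure, the
 * address (and for IPv6 the scope id) were never stored there, so fail rather
 * than print whatever lies beyond the end of the struct. */
int format_sockaddr(const struct sockaddr *sa, socklen_t len, char *out, size_t outlen)
{
    char addr[INET6_ADDRSTRLEN];
    if (sa->sa_family == AF_INET && len >= sizeof(struct sockaddr_in)) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)sa;
        if (!inet_ntop(AF_INET, &in4->sin_addr, addr, sizeof(addr)))
            return -1;
        snprintf(out, outlen, "%s:%u", addr, ntohs(in4->sin_port));
        return 0;
    }
    if (sa->sa_family == AF_INET6 && len >= sizeof(struct sockaddr_in6)) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
        if (!inet_ntop(AF_INET6, &in6->sin6_addr, addr, sizeof(addr)))
            return -1;
        if (in6->sin6_scope_id)   /* link-local: keep the %scope suffix */
            snprintf(out, outlen, "[%s%%%u]:%u", addr, in6->sin6_scope_id, ntohs(in6->sin6_port));
        else
            snprintf(out, outlen, "[%s]:%u", addr, ntohs(in6->sin6_port));
        return 0;
    }
    return -1;
}

/* Constructed stand-in for what getpeername() returns for an IPv6 peer, kept in
 * a sockaddr_storage (large enough for any family).  'len' is the buffer size
 * the caller claims: sizeof(struct sockaddr_storage) is the fix, sizeof(struct
 * sockaddr) reproduces the bug. */
int demo(const char *text, unsigned scope, socklen_t len, char *out, size_t outlen)
{
    struct sockaddr_storage ss;
    struct sockaddr_in6 in6;
    memset(&in6, 0, sizeof(in6));
    in6.sin6_family = AF_INET6;
    in6.sin6_port = htons(4730);   /* constructed sample port */
    in6.sin6_scope_id = scope;
    if (inet_pton(AF_INET6, text, &in6.sin6_addr) != 1)
        return -1;
    memset(&ss, 0, sizeof(ss));
    memcpy(&ss, &in6, sizeof(in6));
    return format_sockaddr((const struct sockaddr *)&ss, len, out, outlen);
}
```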