fbb buffer overflow

Bug #771589 reported by Joey Stanford on 2011-04-27
Affects: fbb (Ubuntu)    Importance: Medium    Assigned to: Unassigned

Bug Description

Binary package hint: fbb

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=11.04
DISTRIB_CODENAME=natty
DISTRIB_DESCRIPTION="Ubuntu 11.04"

Linux Homestead 2.6.38-8-generic #42-Ubuntu SMP Mon Apr 11 03:31:24 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

joey@Homestead:/etc/ax25/fbb$ fbb
Checking fbb tree.... Ok
Checking fbb configuration :
*********************************************************
* XFBB Linux daemon version 7.04j (Dec 4 2010) PID=4411
* Copyright F6FBB 1986-1999. All rights reserved.
*
* This software is in the public domain. It can be copied
* or installed for any use abiding by the laws.
*
* F6FBB (Jean-Paul ROUBELAT) declines any responsibilty
* in the use of XFBB software.
*
* This software is free of charge, but a 100 FF or 20 US$
* (or more) contribution will be appreciated.
*********************************************************
Parameters set-up
vers : FBB7.03
call : NV0N.NECO.CO.USA.NOAM
ssid : 9
qral : NV0N
city : Longmont
conf : /etc/ax25/fbb
data : /var/ax25/fbb
mess : /var/ax25/fbb/mail
comp : /var/ax25/fbb/binmail
fbbd : *,*,/var/ax25/fbb/fbbdos,*,*,*,*,*
fbbd : <*,*,/var/ax25/fbb/fbbdos,*,*,*,*,*>
0 : {*}
0 : {}
1 : {*}
1 : {}
2 : {/var/ax25/fbb/fbbdos}
2 : {C:\var\ax25\fbb\fbbdos\}
3 : {*}
3 : {}
4 : {*}
4 : {}
5 : {*}
5 : {}
6 : {*}
6 : {}
7 : {*}
7 : {}
yapp : /var/ax25/fbb/fbbdos/yapp
docs : /var/ax25/fbb/docs
name : Joey
syso : NV0N
sysm :
impo : /var/ax25/fbb/mail/mail.in
logs : OK
test : NO
fbbf : OK 160
fbbc : OK 3
aski : OK
mask : 3616
secu : 0 4 59
warn : 255
hous : 2
time : 10 20
maxd : 0 0
loca : -7
beac : 8
scro : 1500 1500 1500
fwdh : [$c] $$:$R
maxb : 30000
life : 30
wpca :
zipc : 000000
unpr : 500 5 P
upba :
dwba :
  pg : /usr/lib/fbb/pg
fdir : /usr/lib/fbb/filter
sdir : /usr/lib/fbb/server
tdir : /usr/lib/fbb/tool
poph :
LINUX virtual paged memory Set-up
Texts set-up
1 language buffers allocated
Init lang ENGLISH
Init lang FRANCAIS
*** buffer overflow detected ***: /usr/sbin/xfbbd terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f9229eb61d7]
/lib/x86_64-linux-gnu/libc.so.6(+0xfd0f0)[0x7f9229eb50f0]
/lib/x86_64-linux-gnu/libc.so.6(+0xfc569)[0x7f9229eb4569]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xd8)[0x7f9229e2cb98]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x20db)[0x7f9229dff93b]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x94)[0x7f9229eb4604]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7a)[0x7f9229eb454a]
/usr/sbin/xfbbd[0x40f7db]
/usr/sbin/xfbbd[0x44070f]
/usr/sbin/xfbbd[0x405a11]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xff)[0x7f9229dd6eff]
/usr/sbin/xfbbd[0x403929]
======= Memory map: ========
00400000-004a9000 r-xp 00000000 08:06 136254 /usr/sbin/xfbbd
006a8000-006a9000 r--p 000a8000 08:06 136254 /usr/sbin/xfbbd
006a9000-006ab000 rw-p 000a9000 08:06 136254 /usr/sbin/xfbbd
006ab000-00743000 rw-p 00000000 00:00 0
0110d000-0112e000 rw-p 00000000 00:00 0 [heap]
7f92296ab000-7f92296c0000 r-xp 00000000 08:06 14549074 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f92296c0000-7f92298bf000 ---p 00015000 08:06 14549074 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f92298bf000-7f92298c0000 r--p 00014000 08:06 14549074 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f92298c0000-7f92298c1000 rw-p 00015000 08:06 14549074 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f92298c1000-7f9229db8000 r--p 00000000 08:06 395887 /usr/lib/locale/locale-archive
7f9229db8000-7f9229f42000 r-xp 00000000 08:06 14552952 /lib/x86_64-linux-gnu/libc-2.13.so
7f9229f42000-7f922a141000 ---p 0018a000 08:06 14552952 /lib/x86_64-linux-gnu/libc-2.13.so
7f922a141000-7f922a145000 r--p 00189000 08:06 14552952 /lib/x86_64-linux-gnu/libc-2.13.so
7f922a145000-7f922a146000 rw-p 0018d000 08:06 14552952 /lib/x86_64-linux-gnu/libc-2.13.so
7f922a146000-7f922a14c000 rw-p 00000000 00:00 0
7f922a14c000-7f922a154000 r-xp 00000000 08:06 137689 /usr/lib/libax25.so.0.0.0
7f922a154000-7f922a353000 ---p 00008000 08:06 137689 /usr/lib/libax25.so.0.0.0
7f922a353000-7f922a354000 r--p 00007000 08:06 137689 /usr/lib/libax25.so.0.0.0
7f922a354000-7f922a355000 rw-p 00008000 08:06 137689 /usr/lib/libax25.so.0.0.0
7f922a355000-7f922a3d9000 r-xp 00000000 08:06 14552989 /lib/x86_64-linux-gnu/libm-2.13.so
7f922a3d9000-7f922a5d8000 ---p 00084000 08:06 14552989 /lib/x86_64-linux-gnu/libm-2.13.so
7f922a5d8000-7f922a5d9000 r--p 00083000 08:06 14552989 /lib/x86_64-linux-gnu/libm-2.13.so
7f922a5d9000-7f922a5da000 rw-p 00084000 08:06 14552989 /lib/x86_64-linux-gnu/libm-2.13.so
7f922a5da000-7f922a5fb000 r-xp 00000000 08:06 14552939 /lib/x86_64-linux-gnu/ld-2.13.so
7f922a7d5000-7f922a7d8000 rw-p 00000000 00:00 0
7f922a7f7000-7f922a7fa000 rw-p 00000000 00:00 0
7f922a7fa000-7f922a7fb000 r--p 00020000 08:06 14552939 /lib/x86_64-linux-gnu/ld-2.13.so
7f922a7fb000-7f922a7fd000 rw-p 00021000 08:06 14552939 /lib/x86_64-linux-gnu/ld-2.13.so
7fffc8a90000-7fffc8ab1000 rw-p 00000000 00:00 0 [stack]
7fffc8bff000-7fffc8c00000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
ENGLISHAborted
Configuration error ! Giving up.

Joey Stanford (joey) wrote :

This could be a config error on my part but wow, a buff overflow? :-)

I haven't figured it out either. The setup script bombed and I had to create the ports file from scratch, but I've gone over and over all the configs and simplified as much as I can to eliminate potential problems, and always get this same result after the languages are done loading.

Dave Gilbert (ubuntu-treblig) wrote :

Yeh can easily reproduce it here on quantal

Dave

Changed in fbb (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Dave Gilbert (ubuntu-treblig) wrote :

Wow - this is a Y2K bug; welcome to the 21st century!
looking at src/console.c we have in aff_date:
        char cdate[19];

        sdate = localtime (&temps);
#ifdef ENGLISH
        sprintf (cdate, " %02d-%02d-%02d %02d:%02d",
                         sdate->tm_year, sdate->tm_mon + 1, sdate->tm_mday,
                         sdate->tm_hour, sdate->tm_min);
#else
        sprintf (cdate, " %02d/%02d/%02d %02d:%02d",
                         sdate->tm_mday, sdate->tm_mon + 1, sdate->tm_year,
                         sdate->tm_hour, sdate->tm_min);
#endif

the problem is that sdate->tm_year is 112 which makes the sprintf print a string like

 " 112-08-19 16:58"
which is 19 characters, add the \0 terminator and it's 20 characters - so it is a buffer overrun.

Dave
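The following C program is an added illustration of the defect Dave describes; it is not fbb's code and not the upstream fix. It keeps the report's format string and sample date, measures how many bytes the unbounded sprintf() writes once tm_year passes 99, shows a bounded variant that reports "does not fit" instead of writing past the array, and a hypothetical strftime()-based replacement that keeps the two-digit year. The function names, the 16-byte test buffer and the "%y" layout are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed example, not fbb's own code.  tm_year counts years since 1900,
 * so it is 99 for 1999 and 112 for 2012: the "%02d" year field widens from
 * two digits to three after 1999, and a fixed buffer sized for the
 * two-digit case becomes one byte too small. */
#define FBB_FORMAT " %02d-%02d-%02d %02d:%02d"

/* Broken-down time with only the fields the format uses.  Month, day and
 * time mirror the sample string in the report (" 112-08-19 16:58"). */
static struct tm sample_tm(int tm_year)
{
    struct tm t;
    memset(&t, 0, sizeof t);
    t.tm_year = tm_year;
    t.tm_mon = 7;      /* August; tm_mon is zero-based */
    t.tm_mday = 19;
    t.tm_hour = 16;
    t.tm_min = 58;
    return t;
}

/* Bytes the original sprintf() writes, NUL included, for a given tm_year.
 * snprintf with a NULL buffer and size 0 only measures; nothing is written. */
size_t needed_for_year(int tm_year)
{
    struct tm t = sample_tm(tm_year);
    int n = snprintf(NULL, 0, FBB_FORMAT,
                     t.tm_year, t.tm_mon + 1, t.tm_mday, t.tm_hour, t.tm_min);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Same format and arguments, but bounded: writes at most len bytes and
 * returns -1 when the output does not fit, instead of running past the end
 * of the array as the unbounded sprintf() does. */
int checked_for_year(int tm_year, size_t len)
{
    char cdate[64];          /* larger than any len this demo passes */
    struct tm t = sample_tm(tm_year);
    if (len > sizeof cdate)
        return -1;
    int n = snprintf(cdate, len, FBB_FORMAT,
                     t.tm_year, t.tm_mon + 1, t.tm_mday, t.tm_hour, t.tm_min);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Hypothetical fix (not the upstream change): strftime() is bounded, and
 * "%y" yields the two-digit year the layout was designed around, so the
 * output stays 15 characters whatever the century.  strftime() returns 0
 * when the result would not fit in len bytes. */
int fixed_for_year(int tm_year, size_t len)
{
    char cdate[64];
    struct tm t = sample_tm(tm_year);
    if (len > sizeof cdate)
        return -1;
    return strftime(cdate, len, " %y-%m-%d %H:%M", &t) == 0 ? -1 : 0;
}

int main(void)
{
    printf("bytes needed: 1999 -> %zu, 2012 -> %zu\n",
           needed_for_year(99), needed_for_year(112));
    printf("16-byte buffer, original format: 1999 -> %d, 2012 -> %d\n",
           checked_for_year(99, 16), checked_for_year(112, 16));
    printf("16-byte buffer, %%y format: 1999 -> %d, 2012 -> %d\n",
           fixed_for_year(99, 16), fixed_for_year(112, 16));
    return 0;
}
```

The 16-byte buffer is deliberately sized for the pre-2000 output so the one-byte growth is visible: the original format fits in 1999 and is rejected in 2012, while the "%y" layout fits in both. The fortified __sprintf_chk in the backtrace above performs the same kind of size comparison at run time, which is why the daemon aborts rather than silently corrupting the stack.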

Changed in fbb (Ubuntu):
status: Confirmed → Triaged
Dave Gilbert (ubuntu-treblig) wrote :

This was fixed upstream in 7.04r.2.1 - so we do need the new version pulled in.

There is a debian bug requesting an update:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607028

that has a package that's still a bit too old attached to it.

Dave

Dave Gilbert (ubuntu-treblig) wrote :

Correction, John Goerzen's package source in debian 607028 is new enough to fix this - I don't have a TNC setup to test it in reality; but it starts up unlike the current Ubuntu package.

John's package builds from source if I swizzle line 163 of src/Makefile so that the -lncurses is at the end.
