buffer overflow parsing if_inet6
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openjdk-7 (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Hi.
The contents of /proc/net/if_inet6:
fe8000000000000
fe8000000000000
fe8000000000000
fe8000000000000
fe8000000000000
fe8000000000000
fe8000000000000
fe8000000000000
fe8000000000000
fe8000000000000
000000000000000
Starting my application results in:
*** buffer overflow detected ***: /home/user/
======= Backtrace: =========
/lib/x86_
/lib/x86_
/home/user/
/home/user/
/home/user/
Backtrace:
#0 0x00007ffff78643a5 in __GI_raise (sig=6) at ../nptl/
#1 0x00007ffff7867b0b in __GI_abort () at abort.c:92
#2 0x00007ffff789dd63 in __libc_message (do_abort=2, fmt=0x7ffff798d39e "*** %s ***: %s terminated\n") at ../sysdeps/
#3 0x00007ffff79284f7 in __GI___fortify_fail (msg=0x7ffff798d335 "buffer overflow detected") at fortify_fail.c:32
#4 0x00007ffff7927410 in __GI___chk_fail () at chk_fail.c:29
#5 0x00007fffe7dee78d in strcpy (__src=<optimized out>, __dest=
#6 addif (env=0xb329d0, sock=57, if_name=<optimized out>, ifs=0x8f24a0, ifr_addrP=
at ../../.
#7 0x00007fffe7deeff5 in enumIPv6Interfaces (ifs=0x8f24a0, sock=57, env=0xb329d0) at ../../.
These are the values of devname in the while loop at NetworkInterfac
dev: eth3
dev: veth4pXXGI
dev: 80
dev: 158
dev: 3efffe49ac43
dev: fc163efffefa2220
dev: fc163efffe8fb8ba
dev: fc163efffeaeaa2a
dev: fc163efffe53e706
dev: fc163efffed50b59
dev: 022590fffe1a48e6
dev: 000000000001
dev: 000000000001
The parsing is too restrictive. Who said the netlink device number is only ever 2 hex digits wide? The same probably goes for the other hex values; I don't know. It should be safe to make no assumption about their maximum width.
Furthermore, the parsing is error-prone: it doesn't stop if a line couldn't be read completely, i.e. it cannot detect whether a line has been read completely.
The attached patch fixes the apparent problem.
Btw, I got the same error with openjdk-6.
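A defensive line parser for this format, added here as an illustration; it is neither the attached patch nor OpenJDK's code. It accepts hex fields of any width, rejects a line that was not consumed completely, and refuses a device name that would not fit a 16-byte IFNAMSIZ buffer instead of copying it; the struct, function name, IFNAMSIZ value and sample lines are all assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdint.h>

#define IF_NAME_MAX 16  /* Linux IFNAMSIZ (assumed here), counting the NUL */

struct inet6_entry {
    uint8_t  addr[16];
    unsigned if_idx, plen, scope, flags;
    char     devname[IF_NAME_MAX];
};

/* Parse one /proc/net/if_inet6 line: 32 hex digits, four hex fields of ANY
 * width, then the device name. Returns 0 on success, -1 for a malformed or
 * incompletely read line, -2 if the name would not fit an IF_NAME_MAX buffer
 * (the case where an unchecked strcpy() aborts with "buffer overflow detected"). */
int parse_if_inet6_line(const char *line, struct inet6_entry *e)
{
    char addr[64], name[64];
    int used = 0;
    if (sscanf(line, "%63s %x %x %x %x %63s%n", addr, &e->if_idx, &e->plen,
               &e->scope, &e->flags, name, &used) != 6)
        return -1;                       /* a field is missing: line is short */
    if (strlen(addr) != 32 || strspn(addr, "0123456789abcdefABCDEF") != 32)
        return -1;                       /* not a 128-bit address in hex */
    if (strlen(name) >= IF_NAME_MAX)
        return -2;                       /* refuse instead of overflowing */
    for (const char *p = line + used; *p; p++)
        if (!isspace((unsigned char)*p))
            return -1;                   /* leftover text: line not fully consumed */
    for (int i = 0; i < 16; i++) {       /* two hex digits per address byte */
        unsigned byte;
        if (sscanf(addr + 2 * i, "%2x", &byte) != 1)
            return -1;
        e->addr[i] = (uint8_t)byte;
    }
    memcpy(e->devname, name, strlen(name) + 1);  /* bounded by the check above */
    return 0;
}

/* Constructed sample lines (not from the report's host): a three-digit
 * interface index, a name exactly IF_NAME_MAX long, and a cut-off line. */
const char *LINE_WIDE_INDEX = "fe80000000000000" "fc163efffefa2220" " 158 40 20 80 veth4pXXGI";
const char *LINE_LONG_NAME  = "0000000000000000" "0000000000000001" " 01 80 10 80 veth4pXXGI_extra";
const char *LINE_TRUNCATED  = "fe80000000000000" "fc163efffefa2220" " 158 40 20";
```

A caller reads the file with fgets() and stops at the first non-zero return, so a line that cannot be read completely cannot desynchronise the following ones.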
The attachment "NetworkInterface_if_inet6.diff" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.
[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]