*** buffer overflow detected ***: tcpick terminated with -t arg

Bug #1086534 reported by Sumit Rangwala on 2012-12-04
This bug affects 2 people
Affects: tcpick (Debian) | Status: Fix Released | Importance: Unknown
Affects: tcpick (Ubuntu) | Importance: Medium | Assigned to: Unassigned

Bug Description

tcpick with -t option gives a buffer overflow. The command below works fine without the -t option.

OS: Linux aeschylus 3.2.0-34-generic #53-Ubuntu SMP Thu Nov 15 10:48:16 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

$ sudo tcpick -i eth0 -t -haC
Starting tcpick 0.2.1 at 2012-12-04 11:34 PST
Timeout for connections is 600
tcpick: listening on eth0
*** buffer overflow detected ***: tcpick terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f0260ec8807]
/lib/x86_64-linux-gnu/libc.so.6(+0x109700)[0x7f0260ec7700]
tcpick[0x404dc2]
tcpick[0x4025c5]
tcpick[0x403281]
/usr/lib/x86_64-linux-gnu/libpcap.so.0.8(+0x844c)[0x7f026118544c]
/usr/lib/x86_64-linux-gnu/libpcap.so.0.8(pcap_loop+0x61)[0x7f0261187971]
tcpick[0x403a72]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7f0260ddf76d]
tcpick[0x4015f9]

Dave Gilbert (ubuntu-treblig) wrote :

Trivially repeatable on raring

Changed in tcpick (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
summary: - *** buffer overflow detected ***: tcpick terminated
+ *** buffer overflow detected ***: tcpick terminated with -t arg
Dave Gilbert (ubuntu-treblig) wrote :

(From a rebuild from the package) run with -t:

(gdb) bt full
#0 0x00007ffff7814e35 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:63
        resultvar = 0
        pid = 22722
        selftid = 22722
#1 0x00007ffff7818498 in __GI_abort () at abort.c:90
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x7fffffffd8aa, sa_sigaction = 0x7fffffffd8aa}, sa_mask = {__val = {
              6, 140737347178919, 2, 140737488345278, 2, 140737347169863, 1, 140737347178915, 3, 140737488345252, 12,
              140737347178919, 2, 140737488345936, 13, 140737488347696}}, sa_flags = 94, sa_restorer = 0x5}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007ffff78515ab in __libc_message (do_abort=do_abort@entry=2,
    fmt=fmt@entry=0x7ffff795d12b "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:200
        ap = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7fffffffe240, reg_save_area = 0x7fffffffe150}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffffffe240, reg_save_area = 0x7fffffffe150}}
        fd = 8
        on_2 = <optimised out>
        list = <optimised out>
        nlist = <optimised out>
        cp = <optimised out>
        written = <optimised out>
#3 0x00007ffff78ec40c in __GI___fortify_fail (msg=<optimised out>, msg@entry=0x7ffff795d0c2 "buffer overflow detected")
    at fortify_fail.c:37
        do_abort = 2
#4 0x00007ffff78eb3a0 in __GI___chk_fail () at chk_fail.c:28
No locals.
#5 0x00000000004051a2 in memset (__len=16, __ch=0, __dest=0x60ac80) at /usr/include/x86_64-linux-gnu/bits/string3.h:84
No locals.
#6 time_ascii (ret=ret@entry=0x60abf0 "") at time.c:45
        tp = 0x60ae40
        tzp = 0x60ac80
        brokentime = <optimised out>
#7 0x000000000040258d in display_status (out=0x7ffff7b9a280 <_IO_2_1_stdout_>, conn=0x60a160,
    status=status@entry=SYN_SENT) at display.c:96
        client_name = 0x7ffff7fd0718 "192.168.66.33"
        server_name = <optimised out>
        s_time = 0x60abf0 ""
        status_string = <optimised out>
#8 0x00000000004038ca in status_switch (prev=0x60ad90, status=status@entry=SYN_SENT) at tracker.c:38
No locals.
#9 0x00000000004039fa in newconn (prev_ring=<optimised out>) at tracker.c:87
---Type <return> to continue, or q <return> to quit---
        conn = <optimised out>
#10 0x0000000000404f3e in verify () at verify.c:139
        Desc = 0x0
        prev_conn = 0x60ad90
#11 0x000000000040360d in got_packet (useless=<optimised out>, hdr=0x7fffffffe3c0, packet=<optimised out>) at loop.c:101
No locals.
#12 0x00007ffff7ba564e in ?? () from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
No symbol table info available.
#13 0x00007ffff7bac591 in pcap_loop () from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
No symbol table info available.
#14 0x0000000000401887 in main (argc=<optimised out>, argv=<optimised out>) at tcpick.c:265
        tbuf = "2012-12-06 20:00 GMT\000\177\000\000\t\000\000\000\000\000\000\000x\337~\367\377\177\000\000\270\251\377\367\377\177\000\000\344\000\000\000\000\000\000\000\000\346\377\377\377\177\000\000\344\262\360\000\000\000\000\000\302\000\000\000\000\000\0...

Dave Gilbert (ubuntu-treblig) wrote :

This is a cut-n-paste thinko; fix attached.
(upstream seems dead looking at sourceforge so not sure what the best thing to do is)
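
The check that fired in frame #5 of the backtrace above (`memset` with `__len=16` on `tzp`, then `__chk_fail`), as an added example that is not tcpick source and not the attached patch. It assumes the thinko was a `memset` length copied from the line that clears the `timeval`; `tv_model`, `tz_model`, `memset_chk_model` and the two `clear_tz_*` functions are hypothetical names.

```c
/* Added illustration: models the size check behind the fortified memset
 * seen in frame #5 of the backtrace. Not tcpick source. */
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins with the documented gettimeofday(2) layouts. */
struct tv_model { long tv_sec; long tv_usec; };          /* 16 bytes on LP64 */
struct tz_model { int tz_minuteswest; int tz_dsttime; }; /* 8 bytes */

/* Same test glibc's __memset_chk makes: refuse when len exceeds the
 * destination object. glibc calls __chk_fail() and aborts; this model
 * returns -1 and writes nothing so the caller can observe the outcome. */
static int memset_chk_model(void *dest, int c, size_t len, size_t destlen)
{
    if (len > destlen)
        return -1;
    memset(dest, c, len);
    return 0;
}

/* Hypothetical "before": the length is copied from the line that clears
 * the timeval, so 16 bytes are requested for an 8-byte object. */
int clear_tz_thinko(struct tz_model *tzp)
{
    return memset_chk_model(tzp, 0, sizeof(struct tv_model), sizeof *tzp);
}

/* "After": sizeof *ptr ties the length to the object being cleared. */
int clear_tz_fixed(struct tz_model *tzp)
{
    return memset_chk_model(tzp, 0, sizeof *tzp, sizeof *tzp);
}

int main(void)
{
    struct tz_model tz = { 60, 1 };
    int bad = clear_tz_thinko(&tz);   /* rejected on LP64, tz untouched */
    int good = clear_tz_fixed(&tz);   /* accepted, tz zeroed */
    return (good == 0 && tz.tz_dsttime == 0 && bad <= 0) ? 0 : 1;
}
```

In a real build the compiler supplies the destination size through `__builtin_object_size` when `_FORTIFY_SOURCE` is enabled with optimisation, which is why the abort appears inside the inlined `memset` from `bits/string3.h`.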

The attachment "Fix for memset thinko" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Dave Gilbert (ubuntu-treblig) wrote :

Patch also submitted upstream (although it seems pretty dead):

https://sourceforge.net/tracker/?func=detail&aid=3593303&group_id=95657&atid=612164

Changed in tcpick (Ubuntu):
status: Confirmed → In Progress
status: In Progress → Confirmed
Changed in tcpick (Debian):
status: Unknown → New
Changed in tcpick (Ubuntu):
status: Confirmed → Triaged
Changed in tcpick (Debian):
status: New → Fix Released