Subject: mrtg: rateup crashes with long basename
Package: mrtg
Version: 2.12.2-1
Severity: normal
Tags: patch

Hello,

the rateup tool in MRTG crashes when you start it with a long basename:


[EMAIL PROTECTED]:~$ /usr/bin/rateup /tmp `perl -e 'print "U" x 170;'`
Rateup WARNING: /usr/bin/rateup could not read the primary log file for
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUU
Rateup WARNING: /usr/bin/rateup The backup log file for
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUU was invalid as well
Segmentation fault
[EMAIL PROTECTED]:~$


Despite being a buffer overflow, I don't see this as a security issue, since
the basename is defined by the system administrator who is trusted.

I have attached a patch that corrects this problem. I have Cc'ed upstream, as
the latest upstream version is affected as well.

// Ulf Harnhammar

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages mrtg depends on:
ii  debconf [debconf-2.0]         1.4.70     Debian configuration management sy
ii  libc6                         2.3.5-13   GNU C Library: Shared libraries an
ii  libgd2-xpm                    2.0.33-3   GD Graphics Library version 2
ii  libpng12-0                    1.2.8rel-5 PNG library - runtime
ii  libsnmp-session-perl          1.08-1     Perl support for accessing SNMP-aw
ii  perl                          5.8.7-10   Larry Wall's Practical Extraction 
ii  perl-modules                  5.8.7-10   Core Perl modules
ii  zlib1g                        1:1.2.3-9  compression library - runtime

mrtg recommends no packages.

-- debconf information:
  mrtg/own_user: true
* mrtg/conf_mods: true

--- src/rateup.c.old    2006-02-03 07:33:34.000000000 +0100
+++ src/rateup.c        2006-02-19 11:52:52.000000000 +0100
@@ -1946,6 +1946,11 @@
   Mh = MAX_HISTORY;
 
   router = argv[2];
+  if (strlen(router) > 120)
+    {
+      fprintf (stderr, "Rateup ERROR: Too long basename\n");
+      exit (1);
+    }
 
   /* from  mrtg-2.x with x>5 rateup calling syntax changed to
      to support time properly ... this is for backward compat
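Review bot: The limit in the added "if (strlen(router) > 120)" test is a bare magic number, and nothing in the hunk ties it to the size of whatever buffer router is later copied or formatted into. If that buffer is resized, or a longer suffix is appended to the basename later, the check silently stops protecting it. Suggest a named constant derived from the destination size (its sizeof minus the longest appended suffix and the terminating NUL), with a comment naming the buffers it guards. Bounded formatting (snprintf with a truncation check) where the file names are built would also help, so this guard is not the only line of defence. The error text could also follow the existing "Rateup WARNING: /usr/bin/rateup ..." pattern by including argv[0], and state the maximum accepted length.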
