Bug#355596: libcanlock2: libcanlock smash stack, crash tin

Mon, 06 Mar 2006 08:48:13 -0800 

Package: libcanlock2
Version: 2b-3
Severity: important

valgrind trace (revalant parts):
==3583==
==3583== Conditional jump or move depends on uninitialised value(s)
==3583==    at 0x401E7C9: strcpy (mac_replace_strmem.c:269)
==3583==    by 0x4058DA8: lock_strip_alpha (canlock.c:84)
==3583==    by 0x4058F36: sha_lock (canlock.c:147)
==3583==    by 0x808DB4D: build_canlock (post.c:4652)
==3583==    by 0x806A44D: submit_inews (inews.c:273)
==3583==    by 0x806ADAD: submit_news_file (inews.c:409)
==3583==    by 0x8091595: post_loop (post.c:1564)
==3583==    by 0x809552A: post_response (post.c:2720)
==3583==    by 0x8087751: show_page (page.c:780)
==3583==    by 0x80A96AE: enter_pager (thread.c:1442)
==3583==    by 0x80AA221: thread_page (thread.c:578)
==3583==    by 0x8065447: enter_thread (group.c:1554)
==3583==
==3583== Conditional jump or move depends on uninitialised value(s)
==3583==    at 0x401E7C9: strcpy (mac_replace_strmem.c:269)
==3583==    by 0x4058DA8: lock_strip_alpha (canlock.c:84)
==3583==    by 0x4058F36: sha_lock (canlock.c:147)
==3583==    by 0x808DBC0: build_cankey (post.c:4676)
==3583==
==3583== Conditional jump or move depends on uninitialised value(s)
==3583==    at 0x401E7C9: strcpy (mac_replace_strmem.c:269)
==3583==    by 0x4058DA8: lock_strip_alpha (canlock.c:84)
==3583==    by 0x4058F36: sha_lock (canlock.c:147)
==3583==    by 0x808CCC0: join_references (post.c:2324)
==3583==
==3583== Conditional jump or move depends on uninitialised value(s)
==3583==    at 0x401E7C9: strcpy (mac_replace_strmem.c:269)
==3583==    by 0x4058DA8: lock_strip_alpha (canlock.c:84)
==3583==    by 0x4058F36: sha_lock (canlock.c:147)
==3583==    by 0x8C1CCC0: ???
==3583==
==3583== Conditional jump or move depends on uninitialised value(s)
==3583==    at 0x401E7C9: strcpy (mac_replace_strmem.c:269)
==3583==    by 0x4058DA8: lock_strip_alpha (canlock.c:84)
==3583==    by 0x4058F36: sha_lock (canlock.c:147)
==3583==    by 0x3FC1CCC0: ???
==3583==
==3583== Conditional jump or move depends on uninitialised value(s)
==3583==    at 0x4058DD6: lock_strip_alpha (canlock.c:85)
==3583==    by 0x4058F36: sha_lock (canlock.c:147)
==3583==    by 0x3FC1CCC0: ???
==3583==
==3583== Conditional jump or move depends on uninitialised value(s)
==3583==    at 0x40FB9DC: tolower (in /lib/tls/libc-2.3.6.so)
==3583==    by 0x4058DC1: lock_strip_alpha (canlock.c:86)
==3583==    by 0x4058F36: sha_lock (canlock.c:147)
==3583==    by 0x3FC1CCC0: ???
==3583==
==3583== Use of uninitialised value of size 4
==3583==    at 0x40FB9EC: tolower (in /lib/tls/libc-2.3.6.so)
==3583==    by 0x4058DC1: lock_strip_alpha (canlock.c:86)
==3583==    by 0x4058F36: sha_lock (canlock.c:147)
==3583==    by 0x3FC1CCC0: ???
==3583==
==3583== Jump to the invalid address stated on the next line
==3583==    at 0x3FC1CCC1: ???
==3583==  Address 0x3FC1CCC1 is not stack'd, malloc'd or (recently) free'd
==3583==
==3583== Process terminating with default action of signal 6 (SIGABRT)
==3583==    at 0x41027C7: raise (in /lib/tls/libc-2.3.6.so)
==3583==    by 0x410406A: abort (in /lib/tls/libc-2.3.6.so)
==3583==    by 0x80A4F3E: signal_handler (signal.c:448)
==3583==    by 0x4102867: (within /lib/tls/libc-2.3.6.so)

Attached patch fix this problem.

--- src/canlock.c.old   2006-03-06 18:53:50.000000000 +0300
+++ src/canlock.c       2006-03-06 19:18:44.000000000 +0300
@@ -51,41 +51,16 @@
 char *
 lock_strip_alpha(const char *key, char *type)
 {
-    char
-        *c,
-        *typetext,
-        *mykey = (char *)key;
-    size_t
-        ttpos = 0,
-        ttlen = 256;
-
-    typetext = (char *) malloc(ttlen);
-    if (!typetext)
-        return NULL;
-    *typetext = 0;
 
-    while (*mykey && *mykey != ':') {
-        if (ttpos >= ttlen) {
-            ttlen += 256;
-            typetext = (char *) realloc( (void *)typetext, ttlen);
-            if (!typetext)
-                return NULL;
-        }
-        typetext[ttpos++] = *mykey++;
-    }
-    if (! *mykey)
-        type = NULL;
-    else {
-        mykey++;
-        for (c = mykey; *c; c++) {
-            if (*c == ':')
-                *c = '\0';
-        }
-        strcpy(type, typetext);
-        for (c = type; *c; ++c)
-            *c = tolower(*c);
-    }
-    return (mykey);
+    do {
+      *type = tolower(*key);
+      type++;
+      key++;
+    } while (*key && *key != ':');
+    
+    *type = '\0';
+    key++;
+    return strdup(key);
 }
 
-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-rc6
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages libcanlock2 depends on:
ii  libc6                         2.3.6-3    GNU C Library: Shared libraries an

libcanlock2 recommends no packages.

-- no debconf information


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to