Package: atftpd
Version: 0.8.0-5
Severity: minor
Tags: patch
Hi,
If you recompile atftp using LTO, it will crash when sending an error
message.
This was originally reported in Ubuntu and is the reason why Ubuntu
patches this package (they enable LTO by default).
https://bugs.launchpad.net/ubuntu/+source/atftp/+bug/1989816
The bug occurs because LTO allows GCC to "see" the size of the "th_msg"
field in the "tftp_send_error" function. This triggers the second case
of gore discussed in this glibc thread (and was not fixed in glibc):
https://sourceware.org/pipermail/libc-alpha/2012-April/028823.html
I've attached a patch to fix it by switching to memcpy. GCC allows
memcpy in more situations than strncpy so it doesn't abort.
Thanks,
James
Description: Fix fortify abort when LTO is enabled
Usually the Strncpy call in tftp_send_error cannot be inlined, but if
LTO is enabled GCC will inline it all the way to a strncpy call. This
call is subject to fortification checks and will always fail because
`th_msg` has zero size.
.
Fix by using memcpy instead. memcpy has weaker fortification rules
for structure members so it won't abort.
.
See: https://sourceware.org/pipermail/libc-alpha/2012-April/028823.html
And: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=52944
Author: James Cowgill <jcowg...@debian.org>
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/atftp/+bug/1989816
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/tftp_io.c
+++ b/tftp_io.c
@@ -168,9 +168,9 @@ int tftp_send_error(int socket, struct s
return ERR;
tftphdr->th_opcode = htons(ERROR);
tftphdr->th_code = htons(err_code);
- Strncpy(tftphdr->th_msg, tftp_errmsg[err_code], buffer_size - 4);
size = 4 + strlen(tftp_errmsg[err_code]) + 1;
+ memcpy(tftphdr->th_msg, tftp_errmsg[err_code], size - 4);
result = sendto(socket, tftphdr, size, 0, (struct sockaddr *)sa,
sizeof(*sa));
