Subject: vde2: slirpvde buffer overflow Package: vde2 Version: 2.2.2-3 Severity: normal Tags: patch
slirpvde buffer overflow; fixed in upstream svn rev 329 A patch of that revision is attached for your convenience. Without it starting slirpvde (at least on amd64) results in: $ slirpvde -s /tmp/switch1 *** buffer overflow detected ***: slirpvde terminated ======= Backtrace: ========= /lib/libc.so.6(__fortify_fail+0x37)[0x7fc64b9af887] /lib/libc.so.6[0x7fc64b9ad750] /lib/libc.so.6[0x7fc64b9adde7] slirpvde[0x40b3c4] /lib/libc.so.6(__libc_start_main+0xe6)[0x7fc64b8ce466] slirpvde[0x401ca9] ======= Memory map: ======== 00400000-0040f000 r-xp 00000000 08:03 3944288 /usr/bin/slirpvde 0060e000-0060f000 r--p 0000e000 08:03 3944288 /usr/bin/slirpvde 0060f000-00610000 rw-p 0000f000 08:03 3944288 /usr/bin/slirpvde 00610000-00611000 rw-p 00610000 00:00 0 01fbd000-01fde000 rw-p 01fbd000 00:00 0 [heap] 7fc64b698000-7fc64b6ae000 r-xp 00000000 08:03 10960944 /lib/libgcc_s.so.1 7fc64b6ae000-7fc64b8ae000 ---p 00016000 08:03 10960944 /lib/libgcc_s.so.1 7fc64b8ae000-7fc64b8af000 r--p 00016000 08:03 10960944 /lib/libgcc_s.so.1 7fc64b8af000-7fc64b8b0000 rw-p 00017000 08:03 10960944 /lib/libgcc_s.so.1 7fc64b8b0000-7fc64ba19000 r-xp 00000000 08:03 10961157 /lib/libc-2.8.90.so 7fc64ba19000-7fc64bc18000 ---p 00169000 08:03 10961157 /lib/libc-2.8.90.so 7fc64bc18000-7fc64bc1c000 r--p 00168000 08:03 10961157 /lib/libc-2.8.90.so 7fc64bc1c000-7fc64bc1d000 rw-p 0016c000 08:03 10961157 /lib/libc-2.8.90.so 7fc64bc1d000-7fc64bc22000 rw-p 7fc64bc1d000 00:00 0 7fc64bc22000-7fc64bc24000 r-xp 00000000 08:03 10961160 /lib/libdl-2.8.90.so 7fc64bc24000-7fc64be24000 ---p 00002000 08:03 10961160 /lib/libdl-2.8.90.so 7fc64be24000-7fc64be25000 r--p 00002000 08:03 10961160 /lib/libdl-2.8.90.so 7fc64be25000-7fc64be26000 rw-p 00003000 08:03 10961160 /lib/libdl-2.8.90.so 7fc64be26000-7fc64be2a000 r-xp 00000000 08:03 3943265 /usr/lib/libvdeplug.so.2.1.0 7fc64be2a000-7fc64c029000 ---p 00004000 08:03 3943265 /usr/lib/libvdeplug.so.2.1.0 7fc64c029000-7fc64c02a000 r--p 00003000 08:03 3943265 
/usr/lib/libvdeplug.so.2.1.0 7fc64c02a000-7fc64c02b000 rw-p 00004000 08:03 3943265 /usr/lib/libvdeplug.so.2.1.0 7fc64c02b000-7fc64c04a000 r-xp 00000000 08:03 10960957 /lib/ld-2.8.90.so 7fc64c22c000-7fc64c22e000 rw-p 7fc64c22c000 00:00 0 7fc64c246000-7fc64c249000 rw-p 7fc64c246000 00:00 0 7fc64c249000-7fc64c24a000 r--p 0001e000 08:03 10960957 /lib/ld-2.8.90.so 7fc64c24a000-7fc64c24b000 rw-p 0001f000 08:03 10960957 /lib/ld-2.8.90.so 7fff54235000-7fff5424a000 rw-p 7ffffffea000 00:00 0 [stack] 7fff543fe000-7fff543ff000 r-xp 7fff543fe000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] Abandon -- System Information: Debian Release: lenny/sid APT prefers intrepid-updates APT policy: (500, 'intrepid-updates'), (500, 'intrepid-security'), (500, 'intrepid-backports'), (500, 'intrepid'), (400, 'intrepid-proposed') Architecture: i386 (i686) Kernel: Linux 2.6.27-11-generic (SMP w/1 CPU core) Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages vde2 depends on: ii adduser 3.108ubuntu1 add and remove users and groups ii libc6 2.8~20080505-0ubuntu9 GNU C Library: Shared libraries ii libpcap0.8 0.9.8-5 system interface for user-level pa ii libvdemgmt0 2.2.2-3 Virtual Distributed Ethernet - Man ii libvdeplug2 2.2.2-3 Virtual Distributed Ethernet - Plu vde2 recommends no packages. -- no debconf information
--- vde-2/src/slirpvde/slirpvde.c 2008/06/15 10:33:11 273
+++ vde-2/src/slirpvde/slirpvde.c 2008/09/30 21:43:07 329
@@ -53,7 +53,7 @@
 VDECONN *conn;
 int dhcpmgmt=0;
 static char *pidfile = NULL;
-static char pidfile_path[_POSIX_PATH_MAX];
+static char pidfile_path[PATH_MAX];
 int logok=0;
 char *prog;
 extern FILE *lfd;
@@ -78,9 +78,11 @@
 static void save_pidfile()
 {
 if(pidfile[0] != '/')
-strncat(pidfile_path, pidfile, PATH_MAX - strlen(pidfile_path));
-else
-strcpy(pidfile_path, pidfile);
+strncat(pidfile_path, pidfile, sizeof(pidfile_path) - strlen(pidfile_path) -1);
+else {
+pidfile_path[0] = 0;
+strncat(pidfile_path, pidfile, sizeof(pidfile_path)-1);
+}
 int fd = open(pidfile_path, O_WRONLY | O_CREAT | O_EXCL,
@@ -433,7 +435,7 @@
 exit(1);
 }
-strcat(pidfile_path, "/");
+strncat(pidfile_path, "/", sizeof(pidfile_path) - strlen(pidfile_path) -1);
 if (daemonize && daemon(0, 0)) {
 printlog(LOG_ERR,"daemon: %s",strerror(errno));
 exit(1);
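Review bot: The new strncat calls in save_pidfile (hunk @@ -78) and at `strncat(pidfile_path, "/", ...)` (hunk @@ -435) replace the overflow with silent truncation: when the existing prefix plus pidfile does not fit in sizeof(pidfile_path), the name is cut short and the truncated path is then handed to `open(pidfile_path, O_WRONLY | O_CREAT | O_EXCL, ...)`, so the pid file can be created under an unintended name, and in the "/" case the separator is simply dropped so the relative pidfile is glued onto the directory prefix. A length check that fails loudly is the safer contract; the printlog/exit pattern visible in the last hunk can be reused for it (printlog appears to take a printf-style format, judging by the `"daemon: %s"` call, but confirm). For the "/" hunk a one-line guard suffices: `if (strlen(pidfile_path) + 1 >= sizeof(pidfile_path)) { printlog(LOG_ERR, "pidfile path too long"); exit(1); }`. save_pidfile's body continues past the hunk (the open() call and whatever follows it are outside the view), so the check below only covers the path-building part of the function.
```c
static void save_pidfile()
{
	/* Refuse an over-long path instead of truncating it: a cut-short
	 * name would otherwise be passed to open(O_CREAT | O_EXCL) below. */
	if (pidfile[0] != '/') {
		if (strlen(pidfile_path) + strlen(pidfile) >= sizeof(pidfile_path)) {
			printlog(LOG_ERR, "pidfile path too long: %s%s", pidfile_path, pidfile);
			exit(1);
		}
		strcat(pidfile_path, pidfile);
	} else {
		if (strlen(pidfile) >= sizeof(pidfile_path)) {
			printlog(LOG_ERR, "pidfile path too long: %s", pidfile);
			exit(1);
		}
		strcpy(pidfile_path, pidfile);
	}
	/* … unchanged: open(pidfile_path, O_WRONLY | O_CREAT | O_EXCL, …) … */
```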