Bug#528675: libnet-arp-perl: Buffer overflow in get_mac_linux()
Michael Bienia
geser at ubuntu.com
Thu May 14 16:17:31 UTC 2009
Package: libnet-arp-perl
Version: 1.0.3-2
Severity: normal
Tags: patch
Hello,
libnet-arp-perl fails to build in Ubuntu karmic because of a buffer
overflow in get_mac_linux():
t/get_mac........*** buffer overflow detected ***: /usr/bin/perl terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4b)[0x4014c97b]
/lib/libc.so.6[0x4014a9c0]
/lib/libc.so.6(__strcpy_chk+0x44)[0x40149cf4]
/build/buildd/libnet-arp-perl-1.0.3/blib/arch/auto/Net/ARP/ARP.so(get_mac_linux+0x7c)[0x401e2afc]
/build/buildd/libnet-arp-perl-1.0.3/blib/arch/auto/Net/ARP/ARP.so(XS_Net__ARP_get_mac+0x1d5)[0x401e1d15]
/usr/bin/perl(Perl_pp_entersub+0x552)[0x80b3c92]
/usr/bin/perl(Perl_runops_standard+0x19)[0x80b2069]
/usr/bin/perl(perl_run+0x2e0)[0x80b04d0]
/usr/bin/perl(main+0xed)[0x8063ebd]
/lib/libc.so.6(__libc_start_main+0xe5)[0x4007c775]
/usr/bin/perl[0x8063d31]
The upstream "Changes" file talks about a fix for a buffer overflow in
get_mac_linux() but when I compared the version 1.0.2 and 1.0.3 (or even
1.0.4) I couldn't find any changes for this.
Attached is a small patch which fixes this by ensuring that not more
data is copied into the interface name buffer than fits in.
Regards,
Michael
-------------- next part --------------
diff -u libnet-arp-perl-1.0.3/debian/patches/series libnet-arp-perl-1.0.3/debian/patches/series
--- libnet-arp-perl-1.0.3/debian/patches/series
+++ libnet-arp-perl-1.0.3/debian/patches/series
@@ -6,0 +7 @@
+get_mac_linux_bufferoverflow.patch
only in patch2:
unchanged:
--- libnet-arp-perl-1.0.3.orig/debian/patches/get_mac_linux_bufferoverflow.patch
+++ libnet-arp-perl-1.0.3/debian/patches/get_mac_linux_bufferoverflow.patch
@@ -0,0 +1,14 @@
+Index: libnet-arp-perl-1.0.3/get_mac_linux.c
+===================================================================
+--- libnet-arp-perl-1.0.3.orig/get_mac_linux.c 2009-05-14 17:52:35.000000000 +0200
++++ libnet-arp-perl-1.0.3/get_mac_linux.c 2009-05-14 17:55:59.000000000 +0200
+@@ -43,7 +43,8 @@
+ if(strlen(dev) == 0)
+ return -1;
+
+- strcpy(iface.ifr_name,dev);
++ strncpy(iface.ifr_name, dev, IFNAMSIZ);
++ iface.ifr_name[IFNAMSIZ] = '\0';
+
+ // Open a socket
+ if((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
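Review bot: In the get_mac_linux.c hunk, `iface.ifr_name[IFNAMSIZ] = '\0';` writes one byte past the end of the buffer if ifr_name is declared with IFNAMSIZ elements, as it is in struct ifreq on Linux; the last valid index is IFNAMSIZ - 1. Suggest `strncpy(iface.ifr_name, dev, IFNAMSIZ - 1);` followed by `iface.ifr_name[IFNAMSIZ - 1] = '\0';`, or extending the existing `strlen(dev) == 0` check to also return -1 when `strlen(dev) >= IFNAMSIZ`, so an over-long name is rejected rather than silently truncated to a different interface name.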