Bug 129415

Summary: iproute2 buffer overflows
Product: [openSUSE] SUSE LINUX 10.0
Reporter: Dirk Mueller <dmueller>
Component: Basesystem
Assignee: Mads Martin Joergensen <mmj>
Status: VERIFIED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Critical
Priority: P5 - None
CC: aj, ast
Version: RC 4
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Dirk Mueller 2005-10-19 16:10:43 UTC
$ ip route show src 10.10.2.227 
*** buffer overflow detected ***: ip terminated 
Aborted 
 
where 10.10.2.227 is your own IP
Comment 1 Mads Martin Joergensen 2005-10-20 13:36:51 UTC
Fixed in STABLE
Comment 2 Mads Martin Joergensen 2005-10-20 13:43:55 UTC
Anja, I need a SWAMP id for making a bugfix update for 10.0. It's obviously
correct.

The patch is this:
-     memcpy(&via.data, RTA_DATA(tb[RTA_GATEWAY]), host_len);
+     memcpy(&via.data, RTA_DATA(tb[RTA_GATEWAY]), host_len/8);
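Review bot: In the RTA_GATEWAY copy, host_len/8 is still not checked against either side of the memcpy: nothing in these lines ties it to the size of via.data or to the number of bytes actually carried in tb[RTA_GATEWAY]. Consider bounding the length by sizeof(via.data) and by RTA_PAYLOAD(tb[RTA_GATEWAY]) before copying, so that a short attribute or an unexpected host_len cannot over-read the source or overflow the destination.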

and

-     memcpy(&prefsrc.data, RTA_DATA(tb[RTA_PREFSRC]), host_len);
+     memcpy(&prefsrc.data, RTA_DATA(tb[RTA_PREFSRC]), host_len/8);
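Review bot: The RTA_PREFSRC copy repeats the bare host_len/8 conversion already used for RTA_GATEWAY, so the unit of host_len is still only implied at each call site. Computing the byte count once in a named variable (for example host_len_bytes, a hypothetical name) and using it in both memcpy calls would document the bits-to-bytes step and make the same mistake harder to repeat on the next copy added here.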

They're overflowing the struct, because memcpy takes bytes and host_len is bits.
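
The bits-versus-bytes mistake described in Comment 2, with a bounds-checked copy, as an added example that is not part of the original report or of iproute2. struct addr_buf, copy_addr_attr and the 16-byte buffer size are hypothetical names and values chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the struct the patch copies into:
 * room for one IPv6 address (16 bytes). */
struct addr_buf {
    uint8_t bitlen;    /* address width in bits, e.g. 32 or 128 */
    uint8_t data[16];
};

/* Copy an address attribute whose width is given in bits.
 * Returns 0 on success, -1 if the width is not a whole number of bytes,
 * the payload is shorter than the address, or the buffer is too small. */
int copy_addr_attr(struct addr_buf *dst, const void *payload,
                   size_t payload_len, unsigned host_len_bits)
{
    size_t nbytes;

    if (host_len_bits == 0 || host_len_bits % 8 != 0)
        return -1;
    nbytes = host_len_bits / 8;          /* memcpy counts bytes, not bits */
    if (nbytes > sizeof(dst->data) || nbytes > payload_len)
        return -1;
    memset(dst->data, 0, sizeof(dst->data));
    memcpy(dst->data, payload, nbytes);
    dst->bitlen = (uint8_t)host_len_bits;
    return 0;
}

int main(void)
{
    const uint8_t v4[4] = {10, 10, 2, 227};  /* constructed sample address */
    struct addr_buf a;

    /* Pre-patch length for IPv4: 32 "bytes" into this 16-byte buffer. */
    printf("unpatched length %u vs buffer %zu\n", 32u, sizeof(a.data));
    printf("32 bits:  %d\n", copy_addr_attr(&a, v4, sizeof(v4), 32));
    printf("256 bits: %d\n", copy_addr_attr(&a, v4, sizeof(v4), 256));
    printf("short payload: %d\n", copy_addr_attr(&a, v4, 2, 32));
    return 0;
}
```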
Comment 3 Dirk Mueller 2005-10-20 13:46:07 UTC
Do you already have a fixed package? I'd like to test it on the live system.
Comment 4 Mads Martin Joergensen 2005-10-20 13:54:42 UTC
/work/built/mbuild/pothole-mmj-1/10.0-i386/iproute2-2.6.13-2.1.i586.rpm
Comment 5 Mads Martin Joergensen 2005-10-21 12:11:21 UTC
Dirk, did you verify it works?
Comment 6 Dirk Mueller 2005-10-21 16:22:50 UTC
Works fine, can't find any further problems.

Comment 7 Mads Martin Joergensen 2005-10-21 16:25:36 UTC
Andreas, I need a SWAMP id for a bugfix update for 10.0.
Comment 8 Andreas Jaeger 2005-10-26 06:40:25 UTC
Approved, Maintenance-Tracker-2678
Comment 9 Mads Martin Joergensen 2005-11-01 13:05:51 UTC
Fixed and submitted for 10.0
Comment 10 Anja Stock 2005-11-03 09:50:05 UTC
released